Enabling and disabling data-in-transit encryption

Prerequisites

  • Ensure that the infrastructure network and the network switches are configured to use jumbo frames (MTU 9000). Otherwise, enabling data-in-transit encryption will significantly decrease cluster performance.
  • If you want to encrypt an infrastructure network with the Storage traffic type, ensure that IPv6 traffic and IPv6 multicast addresses are allowed on your network equipment.
  • If you want to encrypt an infrastructure network with the VM private traffic type, keep in mind that the encryption increases the default MTU overhead for virtual networks from 50 to 87 bytes. If you have virtual networks created in version 5.2 or earlier, or virtual networks with a custom MTU setting, you need to manually adjust the MTU of virtual machines connected to such virtual networks before enabling the encryption.
  • If you want to encrypt an infrastructure network with the VM backups traffic type, note that the encryption may break agentless backup integration. To avoid this, reassign the VM backups traffic type to an unencrypted network.

To enable data-in-transit encryption

Admin panel

  1. On the Infrastructure > Networks screen, click the cogwheel icon next to the network name.
  2. In the network summary window, click Enable encryption.
  3. In the Enable encryption window, review the important information about the encryption requirements, and click Enable.
  4. Wait until the operation is finished. You cannot manage infrastructure networks while the operation is in progress.

Command-line interface

Use the following command:

vinfra cluster network encryption enable [--no-switch-storage-ipv6] <network1> [<network2> ...]

--no-switch-storage-ipv6
    Do not switch chunk services to IPv6 addresses
<network>
    Network ID or name

For example, to enable data-in-transit encryption for the Private network, run:

# vinfra cluster network encryption enable Private

To check the encryption status of your networks, use the vinfra cluster network encryption status command:

# vinfra cluster network encryption status
+--------------------------------------+---------+----------+---------------------------------------+
| id                                   | name    | status   | subnets                               |
+--------------------------------------+---------+----------+---------------------------------------+
| fa0d118e-2ec5-43e5-8813-41ab95d7f1f1 | Private | enabled  | - enabled    192.168.128.0/24         |
|                                      |         |          | - enabled    fd48:e4ee:f220:2808::/64 |
| 178f54ac-7040-40db-95cb-099cc3e8394e | Public  | disabled | - disabled   10.136.16.0/20           |
+--------------------------------------+---------+----------+---------------------------------------+
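The following script is an added example for this page; it is not part of the vinfra tooling or its documentation. It covers two checks a practitioner would want around the procedure above: a pre-flight check that host interfaces meet the MTU 9000 prerequisite (parsing the JSON that `ip -j link show` prints), and a post-change check that parses the table printed by `vinfra cluster network encryption status` and lists networks that still have encryption disabled on the network itself or on any of its subnets. The `ip -j link show` sample is constructed, the status sample copies the table shown above, and the function names and the optional `only` interface filter are this example's own conventions.

```python
"""Pre-flight (MTU) and post-change (encryption status) checks.

Added example for this page, not part of vinfra. Sample inputs are
constructed for offline use: SAMPLE_STATUS_OUTPUT copies the status table
shown on the page, SAMPLE_IP_LINK_JSON is made up.
"""

import json
import re
import subprocess
from typing import Dict, List, Optional, Set, Tuple

JUMBO_MTU = 9000  # prerequisite from the page: MTU 9000 on the infrastructure network

# Constructed sample of `ip -j link show` output, reduced to the fields used here.
SAMPLE_IP_LINK_JSON = json.dumps([
    {"ifname": "lo", "mtu": 65536, "flags": ["LOOPBACK", "UP"]},
    {"ifname": "eth0", "mtu": 9000, "flags": ["BROADCAST", "MULTICAST", "UP"]},
    {"ifname": "eth1", "mtu": 1500, "flags": ["BROADCAST", "MULTICAST", "UP"]},
])

# Copied from the status table shown above (used here as constructed input).
SAMPLE_STATUS_OUTPUT = """\
+--------------------------------------+---------+----------+---------------------------------------+
| id                                   | name    | status   | subnets                               |
+--------------------------------------+---------+----------+---------------------------------------+
| fa0d118e-2ec5-43e5-8813-41ab95d7f1f1 | Private | enabled  | - enabled    192.168.128.0/24         |
|                                      |         |          | - enabled    fd48:e4ee:f220:2808::/64 |
| 178f54ac-7040-40db-95cb-099cc3e8394e | Public  | disabled | - disabled   10.136.16.0/20           |
+--------------------------------------+---------+----------+---------------------------------------+
"""

SUBNET_RE = re.compile(r"^-\s+(enabled|disabled)\s+(\S+)$")


def interfaces_below_mtu(ip_link_json: str, required: int = JUMBO_MTU,
                         only: Optional[Set[str]] = None) -> List[Tuple[str, int]]:
    """Return (ifname, mtu) for every non-loopback interface below `required`.

    `only` (hypothetical helper parameter) restricts the check to the interfaces
    that actually carry the infrastructure network on this node."""
    low = []
    for link in json.loads(ip_link_json):
        name = link["ifname"]
        if "LOOPBACK" in link.get("flags", []) or (only and name not in only):
            continue
        mtu = int(link["mtu"])
        if mtu < required:
            low.append((name, mtu))
    return low


def parse_status_table(text: str) -> List[Dict]:
    """Parse the ASCII table into one dict per network: id, name, status and a
    list of (subnet, status) pairs. Rows whose id/name/status cells are empty
    are continuation rows carrying extra subnets of the previous network."""
    networks: List[Dict] = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # border rows such as "+----+"
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "id":
            continue  # header row or unexpected layout
        net_id, name, status, subnet_cell = cells
        if net_id:
            networks.append({"id": net_id, "name": name, "status": status, "subnets": []})
        elif not networks:
            raise ValueError("continuation row before any network row")
        m = SUBNET_RE.match(subnet_cell)
        if m:
            networks[-1]["subnets"].append((m.group(2), m.group(1)))
    return networks


def unencrypted_networks(networks: List[Dict]) -> List[str]:
    """Names of networks that are not fully encrypted: network status is not
    'enabled', or at least one subnet is not 'enabled'."""
    names = []
    for net in networks:
        subnets_ok = all(state == "enabled" for _, state in net["subnets"])
        if net["status"] != "enabled" or not subnets_ok:
            names.append(net["name"])
    return names


def run_live_checks() -> int:
    """Run both checks on the live host (needs `ip` and `vinfra` in PATH).
    Returns the number of findings."""
    ip_out = subprocess.run(["ip", "-j", "link", "show"],
                            capture_output=True, text=True, check=True).stdout
    status_out = subprocess.run(["vinfra", "cluster", "network", "encryption", "status"],
                                capture_output=True, text=True, check=True).stdout
    findings = 0
    for ifname, mtu in interfaces_below_mtu(ip_out):
        print(f"{ifname}: MTU {mtu} is below {JUMBO_MTU}; fix before enabling encryption")
        findings += 1
    for name in unencrypted_networks(parse_status_table(status_out)):
        print(f"network {name}: encryption not fully enabled")
        findings += 1
    return findings


if __name__ == "__main__":
    raise SystemExit(1 if run_live_checks() else 0)
```

Run the script on each node before enabling encryption (the MTU finding is per host, so one node passing says nothing about the others) and again after the operation finishes; a non-zero exit code makes it usable as a gate in an automation job. Because the status parser keys on cell contents rather than column widths, it tolerates the table being re-padded when longer network names appear.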

To disable data-in-transit encryption

Admin panel

  1. On the Infrastructure > Networks screen, click the cogwheel icon next to the network name.
  2. In the network summary window, click Disable encryption.
  3. In the confirmation window, click Disable.
  4. Wait until the operation is finished. You cannot manage infrastructure networks while the operation is in progress.

Command-line interface

Use the following command:

vinfra cluster network encryption disable <network1> [<network2> ...]

<network>
    Network ID or name

For example, to disable data-in-transit encryption for the Private network, run:

# vinfra cluster network encryption disable Private

To check the encryption status of your networks, use the vinfra cluster network encryption status command:

# vinfra cluster network encryption status
+--------------------------------------+---------+----------+---------------------------------------+
| id                                   | name    | status   | subnets                               |
+--------------------------------------+---------+----------+---------------------------------------+
| fa0d118e-2ec5-43e5-8813-41ab95d7f1f1 | Private | disabled | - disabled   192.168.128.0/24         |
|                                      |         |          | - disabled   fd48:e4ee:f220:2808::/64 |
| 178f54ac-7040-40db-95cb-099cc3e8394e | Public  | disabled | - disabled   10.136.16.0/20           |
+--------------------------------------+---------+----------+---------------------------------------+