Enabling and disabling data-in-transit encryption
Prerequisites
- Ensure that the infrastructure network and the network switches are configured to use jumbo frames (MTU 9000). Otherwise, enabling data-in-transit encryption significantly decreases cluster performance.
- If you want to encrypt an infrastructure network with the Storage traffic type, ensure that IPv6 traffic and IPv6 multicast addresses are allowed on your network equipment.
- If you want to encrypt an infrastructure network with the VM private traffic type, keep in mind that the encryption increases the default MTU overhead for virtual networks from 50 to 87 bytes. If you have virtual networks created in version 5.2 or earlier, or virtual networks with a custom MTU setting, you need to manually adjust the MTU of virtual machines connected to such virtual networks before enabling the encryption.
- If you want to encrypt an infrastructure network with the VM backups traffic type, note that the encryption may break agentless backup integration. To avoid this, reassign the VM backups traffic type to an unencrypted network.
To enable data-in-transit encryption
Admin panel
- On the Infrastructure > Networks screen, click the cogwheel icon next to the network name.
- In the network summary window, click Enable encryption.
- In the Enable encryption window, review the important information about the encryption requirements, and click Enable.
- Wait until the operation is finished. You cannot manage infrastructure networks while the operation is in progress.
Command-line interface
Use the following command:
vinfra cluster network encryption enable [--no-switch-storage-ipv6] <network1> [<network2> ...]
--no-switch-storage-ipv6
- Do not switch chunk services to IPv6 addresses
<network>
- Network ID or name
For example, to enable data-in-transit encryption for the Private network, run:
# vinfra cluster network encryption enable Private
To check the encryption status of your networks, use the vinfra cluster network encryption status command:
# vinfra cluster network encryption status
+--------------------------------------+---------+----------+---------------------------------------+
| id                                   | name    | status   | subnets                               |
+--------------------------------------+---------+----------+---------------------------------------+
| fa0d118e-2ec5-43e5-8813-41ab95d7f1f1 | Private | enabled  | - enabled 192.168.128.0/24            |
|                                      |         |          | - enabled fd48:e4ee:f220:2808::/64    |
| 178f54ac-7040-40db-95cb-099cc3e8394e | Public  | disabled | - disabled 10.136.16.0/20             |
+--------------------------------------+---------+----------+---------------------------------------+
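The following shell script is an added example and is not part of the product documentation: it automates the pre-flight checks above on constructed sample output, flagging interfaces whose MTU is below the required 9000, listing networks whose encryption status is not enabled, and computing the largest VM MTU an encrypted VM-private network leaves after the 87-byte overhead. The `ip -o link show` line format and the layout of the vinfra status table are assumed from the sample shown above.

```shell
#!/bin/sh
# Added pre-flight check for data-in-transit encryption (not product code).
# The samples below are constructed; on a real node feed in the output of
# `ip -o link show` and `vinfra cluster network encryption status` instead.

# Constructed output of `ip -o link show` (only the first five fields are used).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP'

# Constructed output of `vinfra cluster network encryption status`
# (ids shortened; the column layout matches the documented table).
SAMPLE_STATUS='+----+---------+----------+------------------------------------+
| id | name    | status   | subnets                            |
+----+---------+----------+------------------------------------+
| a1 | Private | enabled  | - enabled 192.168.128.0/24         |
|    |         |          | - enabled fd48:e4ee:f220:2808::/64 |
| b2 | Public  | disabled | - disabled 10.136.16.0/20          |
+----+---------+----------+------------------------------------+'

# Print every non-loopback interface whose MTU is below the given minimum.
# Usage: echo "$links" | interfaces_below_mtu 9000
interfaces_below_mtu() {
    awk -v min="$1" '$2 != "lo:" && $4 == "mtu" && $5+0 < min { sub(/:$/, "", $2); print $2 }'
}

# Print the names of networks whose status column is anything but "enabled".
# Header and continuation rows (empty name cell) are skipped.
# Usage: echo "$status" | unencrypted_networks
unencrypted_networks() {
    awk -F'|' 'NF >= 5 && $3 !~ /name/ {
        gsub(/ /, "", $3); gsub(/ /, "", $4)
        if ($3 != "" && $4 != "enabled") print $3
    }'
}

# Largest MTU a VM on an encrypted VM-private network can use: the overlay
# overhead grows from 50 to 87 bytes once encryption is enabled.
max_vm_mtu() { echo $(( $1 - 87 )); }

echo "interfaces below MTU 9000:"; echo "$SAMPLE_LINKS" | interfaces_below_mtu 9000
echo "networks not encrypted:";    echo "$SAMPLE_STATUS" | unencrypted_networks
echo "max VM MTU on a 9000 underlay: $(max_vm_mtu 9000)"
```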
To disable data-in-transit encryption
Admin panel
- On the Infrastructure > Networks screen, click the cogwheel icon next to the network name.
- In the network summary window, click Disable encryption.
- In the confirmation window, click Disable.
- Wait until the operation is finished. You cannot manage infrastructure networks while the operation is in progress.
Command-line interface
Use the following command:
vinfra cluster network encryption disable <network1> [<network2> ...]
<network>
- Network ID or name
For example, to disable data-in-transit encryption for the Private network, run:
# vinfra cluster network encryption disable Private
To check the encryption status of your networks, use the vinfra cluster network encryption status command:
# vinfra cluster network encryption status
+--------------------------------------+---------+----------+---------------------------------------+
| id                                   | name    | status   | subnets                               |
+--------------------------------------+---------+----------+---------------------------------------+
| fa0d118e-2ec5-43e5-8813-41ab95d7f1f1 | Private | disabled | - disabled 192.168.128.0/24           |
|                                      |         |          | - disabled fd48:e4ee:f220:2808::/64   |
| 178f54ac-7040-40db-95cb-099cc3e8394e | Public  | disabled | - disabled 10.136.16.0/20             |
+--------------------------------------+---------+----------+---------------------------------------+