Enabling data encryption

Virtuozzo Hybrid Infrastructure can encrypt data stored on disks using the AES-256 standard, so that if a disk is lost or stolen, the data on it remains protected. Virtuozzo Hybrid Infrastructure stores the disk encryption keys in the cluster's metadata (MDS).

Encryption can be enabled or disabled only for newly created chunk services (CS). Once tier encryption is enabled, you can decrypt disks (CSs) only by manually releasing them from the encrypted tiers. Correspondingly, simply enabling encryption on a disk's tier does not encrypt the data (CS) already on that disk. To encrypt a disk, you must assign it to an encrypted tier.

Limitations

  • Virtuozzo Hybrid Infrastructure does not encrypt data transmitted over the internal network.
  • Enabling encryption slightly decreases performance.

To enable tier encryption

Admin panel

  1. Go to Settings > System settings > Storage encryption.
  2. Turn on the toggle switch Enable AES-256 encryption for data stored on disks.
  3. Select the tiers that you want to encrypt, and then click Save.

Command-line interface

Use the following command:

vinfra cluster settings encryption set [--tier-enable {0,1,2,3}] [--tier-disable {0,1,2,3}]

  --tier-enable {0,1,2,3}
      Enable encryption for storage tiers. This option can be used multiple times.
  --tier-disable {0,1,2,3}
      Disable encryption for storage tiers. This option can be used multiple times.

For example, to enable encryption for the storage tier 2, run:

# vinfra cluster settings encryption set --tier-enable 2

You can view the encryption status of each storage tier in the vinfra cluster settings encryption show output:

# vinfra cluster settings encryption show
+-------+-------+
| Field | Value |
+-------+-------+
| tier0 | False |
| tier1 | False |
| tier2 | True  |
| tier3 | False |
+-------+-------+
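The verification step a practitioner would run after the set command above, as an added example that is not part of the Virtuozzo documentation: it parses the table printed by vinfra cluster settings encryption show and fails if any tier that is required to be encrypted is not reported as True. The sample table is constructed to match the page's output format; live use assumes vinfra is on PATH and the caller is already authenticated.

```shell
#!/bin/sh
# Added example (not from the Virtuozzo documentation): confirm that the tiers
# that must be encrypted really report "True" in the "encryption show" table.
# Note: "True" means new chunk services on that tier are encrypted; disks that
# were on the tier before encryption was enabled are NOT encrypted by this alone.

# Read the "show" table on stdin and print the value of one tier.
# Usage: tier_status tier2 < output   -> prints True/False; returns 1 if absent
tier_status() {
    awk -v t="$1" -F'|' '
        $2 ~ ("^[ \t]*" t "[ \t]*$") { gsub(/[ \t]/, "", $3); print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Check every tier named in $1 (space separated) against the table in $2.
# Returns 0 if all of them are True, 1 otherwise (details go to stderr).
check_tiers_encrypted() {
    want="$1"; table="$2"; rc=0
    for t in $want; do
        status=$(printf '%s\n' "$table" | tier_status "$t") || {
            echo "$t: not present in show output" >&2; rc=1; continue; }
        if [ "$status" != "True" ]; then
            echo "$t: encryption is $status" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output, same layout as the page's example (tier 2 enabled).
SAMPLE_SHOW='+-------+-------+
| Field | Value |
+-------+-------+
| tier0 | False |
| tier1 | False |
| tier2 | True  |
| tier3 | False |
+-------+-------+'

# Live use (assumes vinfra on PATH and an authenticated session):
#   vinfra cluster settings encryption set --tier-enable 2
#   check_tiers_encrypted "tier2" "$(vinfra cluster settings encryption show)"
```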