Enabling Encryption After Installation (EKM Not Supported)


Note

Encryption can be enabled at installation with the VAST Web UI Install utility with either internal key management or with EKM. After installation, EKM encryption cannot be enabled.

Limitations

Enabling encryption on a running cluster (after installation) is supported with the following limitation:

  • It is only possible to enable encryption with internally managed keys. Encryption with externally managed keys can only be enabled at installation.

Impact of Enablement on a Running Cluster

Enabling encryption during cluster operation triggers a rewrite of all the data and name blocks to ensure that all pre-existing data and name blocks on the cluster are encrypted.

The following are important points to note about the rewrite:

  • All data is typically rewritten during this rewrite, so the impact on storage media endurance is approximately the same as deleting all data on the cluster and writing it again.

  • The rewrite proceeds as a background task that cannot be paused or stopped. In case of severe performance degradation, it may be possible for VAST Support to throttle the process and reduce the performance impact.

  • The rewrite may take a while, and may impact performance for workloads.

  • If expansions are planned, they should be done prior to enabling encryption so that the rewrite will utilize as many DBoxes as possible and minimize RAID overhead.

  • A combined option is available for enabling DBox High Availability and encryption simultaneously (detailed in the procedures below). If DBox HA is not yet enabled on the cluster and you intend to enable it, choose the combined option so that the rewrite is triggered once rather than once for each feature.

  • DBox expansion is not available while the rewrite is in progress.

Enabling Encryption from the VAST Web UI

  1. In the VAST Web UI, open the Cluster tab of the Settings page. You can reach it by searching at the top left or from the navigation menu on the left of the page.

  2. In the Data Management section, click Enable only Encryption, or Enable Encryption and DBox HA if you also plan to enable DBox High Availability.

    A confirmation prompt is displayed:

    These changes require rewrite and cannot be undone. Rewrite may impact workloads while it is in progress. Stopping rewrite requires support intervention. DBox expansion will not be available during rewrite. Are you sure you want to proceed?

  3. Click Yes if you are sure you would like to proceed.

    The rewrite begins and a progress bar appears at the top right of the page, reporting the current phase of the rewrite and its percentage progress.

    When the rewrite is complete, the Enable only Encryption and Enable Encryption and DBox HA buttons are disabled (as is the Enable only DBox HA button if you enabled DBox HA together with encryption). The tooltip for the info icon next to the buttons changes to report that DBox HA and/or encryption is enabled.

Enabling Encryption from the VAST CLI

  1. Run the cluster modify command with the --enable-encryption option, or, if you wish to enable DBox High Availability at the same time, run the command cluster modify --enable-encryption --enable-dbox-ha:

    Note

    Enabling both options at the same time reduces impact on drives and can reduce impact on workloads.

    For encryption without DBox HA:

    vcli: admin> cluster modify --enable-encryption

    For encryption with DBox HA:

    vcli: admin> cluster modify --enable-encryption --enable-dbox-ha

    You are warned:

    Enabling Encryption/DBox HA support triggers a required rewrite of current data. Are you sure you want to proceed? [y/N]

  2. Enter 'y' to confirm that you want to proceed.

    The rewrite begins.

  3. You can now monitor the progress of the rewrite. Enter the command cluster show. The command output includes the following fields:

    • Rewrite-phase. During the rewrite, one of the main phases appears here. The order of the phases is:

      1. INTERNAL_PRE_REWRITE

      2. DATA_REWRITE_PRE

      3. DATA_REWRITE_SCRUB

      4. DATA_REWRITE

      5. LAYOUT_REWRITE_PRE

      6. LAYOUT_REWRITE

      7. FINALIZE

    • Rewrite-progress. This shows the percentage progress of the current phase of the rewrite. When it reaches 100% of the final phase, the rewrite is complete.

      Encryption (and DBox HA capability if applicable) is now fully enabled.
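An added helper for step 3, not part of VAST's documentation or tooling: it parses the Rewrite-phase and Rewrite-progress fields from captured cluster show text, checks the phase against the documented order, and applies the completion rule (100% in the final phase, FINALIZE). The field layout of the sample output and the trailing percent sign are assumptions; capturing the vcli output is left to the operator.

```python
import re

# Rewrite phases in the order the cluster reports them (from the page).
REWRITE_PHASES = [
    "INTERNAL_PRE_REWRITE",
    "DATA_REWRITE_PRE",
    "DATA_REWRITE_SCRUB",
    "DATA_REWRITE",
    "LAYOUT_REWRITE_PRE",
    "LAYOUT_REWRITE",
    "FINALIZE",
]

# Matches "Rewrite-phase  VALUE" or "Rewrite-phase: VALUE" on a single line;
# [ \t] rather than \s keeps an empty field from swallowing the next line.
_FIELD_RE = re.compile(
    r"^[ \t]*(Rewrite-phase|Rewrite-progress)[ \t]*[:=]?[ \t]*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

def parse_rewrite_status(cluster_show_output):
    """Return (phase, progress_pct); raise ValueError on missing/invalid fields."""
    fields = {}
    for match in _FIELD_RE.finditer(cluster_show_output):
        fields[match.group(1).lower()] = match.group(2)
    if "rewrite-phase" not in fields or "rewrite-progress" not in fields:
        raise ValueError("Rewrite-phase / Rewrite-progress not found in output")
    phase = fields["rewrite-phase"].upper()
    if phase not in REWRITE_PHASES:
        raise ValueError(f"unknown rewrite phase: {phase}")
    progress = int(fields["rewrite-progress"].rstrip("%"))
    if not 0 <= progress <= 100:
        raise ValueError(f"progress out of range: {progress}")
    return phase, progress

def phases_remaining(phase):
    """Number of phases still to run after the current one."""
    return len(REWRITE_PHASES) - 1 - REWRITE_PHASES.index(phase)

def rewrite_complete(phase, progress):
    """100% in a non-final phase is not done; only FINALIZE at 100% is."""
    return phase == REWRITE_PHASES[-1] and progress == 100

# Constructed sample; the real field layout of `cluster show` is assumed.
SAMPLE_OUTPUT = """Name              prod-cluster
Rewrite-phase     DATA_REWRITE
Rewrite-progress  37%
"""
```

Poll the cluster periodically, feed each capture to parse_rewrite_status, and stop when rewrite_complete returns True.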