VSP One SDS Block supports Amazon EBS encryption. Enabling EBS encryption encrypts data for both the system drive and user data drive of storage nodes.
For details about Amazon EBS encryption, see the AWS user guide.
To set and use EBS encryption, the following two methods are available.
- Encryption by default
- EBS encryption by defining CloudFormation parameters
Carefully read the following when setting EBS encryption.
- EBS encryption can be enabled by performing either of the preceding methods.
- If you perform both methods to enable EBS encryption, the settings defined through CloudFormation parameters take priority for the KMS key used for EBS encryption.
- If you set encryption by default, encryption is enabled for all the EBS volumes created in the AWS region.
- For encryption by default, you need to set EBS encryption before setting up a storage cluster.
- If you set EBS encryption by defining CloudFormation parameters, the EBS encryption settings cannot be changed once a storage cluster is set up. However, it is possible to change the setting to enable or disable key rotation.
- For EBS encryption by defining CloudFormation parameters, if you set up a storage cluster with EBS encryption disabled, the encryption-by-default settings are applied to the EBS volumes created during storage cluster maintenance operations. Accordingly, do not change the encryption-by-default settings while a storage cluster is running.
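
The precedence and drift rules above can be checked against the volumes that actually exist. The following is an added example, not code from the product or its documentation: it derives the expected encryption baseline and flags volumes that deviate from it, such as a volume created during maintenance after the encryption-by-default settings were changed. The function names, volume IDs and key ARNs are assumptions, and the input is a constructed sample shaped like the output of `aws ec2 describe-volumes --output json`.

```python
# Constructed sample shaped like `aws ec2 describe-volumes --output json`.
# Volume IDs and key ARNs are placeholders, not values from the product.
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"
SAMPLE = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": KEY_A},
    {"VolumeId": "vol-0bbb", "Encrypted": True, "KmsKeyId": KEY_B},
    {"VolumeId": "vol-0ccc", "Encrypted": False},
]}


def expected_settings(cfn_enabled, cfn_key, default_enabled, default_key):
    """Baseline (encrypted, kms_key) a storage-node volume should carry.

    Encryption defined through CloudFormation parameters wins for the
    KMS key; with it disabled, the encryption-by-default settings apply.
    Argument names are hypothetical, not the template's parameter names.
    """
    if cfn_enabled:
        return True, cfn_key
    return default_enabled, (default_key if default_enabled else None)


def audit_volumes(described, want_encrypted, want_key):
    """Return {volume_id: reason} for volumes that deviate from the baseline."""
    findings = {}
    for vol in described.get("Volumes", []):
        vid = vol["VolumeId"]
        encrypted = vol.get("Encrypted", False)
        if encrypted != want_encrypted:
            findings[vid] = f"Encrypted={encrypted}, expected {want_encrypted}"
        elif encrypted and want_key and vol.get("KmsKeyId") != want_key:
            findings[vid] = f"KMS key {vol.get('KmsKeyId')} differs from baseline"
    return findings


if __name__ == "__main__":
    # Cluster set up with CloudFormation encryption disabled and
    # encryption by default enabled with KEY_A at setup time.
    baseline = expected_settings(False, None, True, KEY_A)
    for vid, reason in audit_volumes(SAMPLE, *baseline).items():
        print(vid, reason)
```

Record the baseline at setup time and rerun the audit after each maintenance operation that adds or replaces drives.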