Amazon EBS encryption function

Virtual Storage Platform One SDS Block Cloud Setup and Configuration Guide

Version: 1.14.x

Part Number: MK-24VSP1SDS008-01

VSP One SDS Block supports Amazon EBS encryption. Enabling EBS encryption encrypts data for both the system drive and user data drive of storage nodes.

For details about Amazon EBS encryption, see the AWS user guide.

EBS encryption can be set up and used by either of the following two methods.

  • Encryption by default
  • EBS encryption by defining CloudFormation parameters

Read the following notes carefully before setting EBS encryption.

  • EBS encryption can be enabled by performing either of the preceding methods.
  • If you perform both methods to enable EBS encryption, the settings defined in the CloudFormation parameters take priority for the KMS key used for EBS encryption.
  • If you set encryption by default, encryption is enabled for all EBS volumes created in the AWS region.
  • For encryption by default, you must set EBS encryption before setting up a storage cluster.
  • If you set EBS encryption by defining CloudFormation parameters, the EBS encryption settings cannot be changed once a storage cluster is set up.

    However, key rotation can still be enabled or disabled.

  • For EBS encryption by defining CloudFormation parameters, if you set up a storage cluster with EBS encryption disabled, the encryption-by-default settings are applied to the EBS volumes created during storage cluster maintenance operations. Accordingly, do not change the encryption-by-default settings while a storage cluster is running.
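
The following is an added example, not part of the original guide: a pre-flight check, using the AWS CLI, that confirms encryption by default is enabled in the target region before a storage cluster is set up, and that can be rerun later to detect a changed setting. The function names and the optional expected-key argument are assumptions made for this illustration.

```shell
# Added example (not from the product guide). Requires the AWS CLI and
# credentials allowed to call the three EC2 read-only APIs used below.

# Print "True" or "False": the region's encryption-by-default state.
ebs_default_state() {
  aws ec2 get-ebs-encryption-by-default --region "$1" \
    --query 'EbsEncryptionByDefault' --output text
}

# Print the KMS key that encryption by default uses in the region.
ebs_default_key() {
  aws ec2 get-ebs-default-kms-key-id --region "$1" \
    --query 'KmsKeyId' --output text
}

# Print the IDs of volumes in the region that are not encrypted.
unencrypted_volumes() {
  aws ec2 describe-volumes --region "$1" \
    --filters Name=encrypted,Values=false \
    --query 'Volumes[].VolumeId' --output text
}

# preflight_ebs_encryption REGION [EXPECTED_KMS_KEY]
# Returns 0 if encryption by default is on (and the key matches, if given),
# 1 if the setting is not as expected, 2 if the query itself failed.
preflight_ebs_encryption() {
  pf_region=$1
  pf_expected=${2:-}
  pf_state=$(ebs_default_state "$pf_region") || {
    echo "ERROR: cannot query encryption by default in $pf_region" >&2
    return 2
  }
  case "$pf_state" in
    [Tt]rue) ;;
    *) echo "FAIL: encryption by default is disabled in $pf_region"
       return 1 ;;
  esac
  pf_key=$(ebs_default_key "$pf_region") || return 2
  if [ -n "$pf_expected" ] && [ "$pf_key" != "$pf_expected" ]; then
    echo "FAIL: default KMS key is $pf_key, expected $pf_expected"
    return 1
  fi
  echo "OK: encryption by default enabled in $pf_region (key: $pf_key)"
}

# Usage (placeholder region): preflight_ebs_encryption <region> && unencrypted_volumes <region>
```

Recording the state and key reported before setup and comparing them on later runs shows whether the encryption-by-default settings were changed while the storage cluster was running.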