VSP One SDS Block provides two data encryption methods as follows:
- Microsoft Azure managed disk encryption
- Data at rest encryption with the storage software (VSP One SDS Block)
Microsoft Azure managed disk encryption and Data at rest encryption with the storage software (VSP One SDS Block) can be used concurrently.
Microsoft Azure managed disk encryption
VSP One SDS Block uses host encryption (Encryption at host) for Microsoft Azure managed disk encryption. This encrypts both the system drive and user data drive on the storage nodes. Microsoft Azure managed disk encryption is enabled by default.
The following two methods are available for applying managed disk encryption.
- Default encryption that uses platform-managed keys
- Encryption by using customer-managed keys and specifying a disk encryption set at the time of VSP One SDS Block installation
Microsoft Azure managed disk encryption settings cannot be changed after a storage cluster is set up. However, you can change the setting to enable or disable key rotation for a disk encryption set. For details about Microsoft Azure managed disk encryption, see the following website.
https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview
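Because these settings cannot be changed after setup, it is worth confirming them on a deployed cluster. The following is an added example, not part of the VSP One SDS Block documentation or tooling: it checks one storage node's encryption at host setting, the key type of its managed disks, and the key rotation setting of the disk encryption set. It assumes the input is JSON as returned by the Azure CLI commands az vm show, az disk list and az disk-encryption-set show; the function name audit_node and all resource names are hypothetical, and the sample data is constructed.

```python
import json

# Constructed sample data, shaped like the JSON output of `az vm show`,
# `az disk list` and `az disk-encryption-set show`. All names are placeholders.
SAMPLE_VM = json.loads(
    '{"name": "storage-node-01", "securityProfile": {"encryptionAtHost": true}}')
SAMPLE_DISKS = json.loads('''[
  {"name": "node01-os", "encryption": {"type": "EncryptionAtRestWithCustomerKey",
    "diskEncryptionSetId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Compute/diskEncryptionSets/example-des"}},
  {"name": "node01-data0", "encryption": {"type": "EncryptionAtRestWithPlatformKey",
    "diskEncryptionSetId": null}}
]''')
SAMPLE_DES = json.loads(
    '{"name": "example-des", "rotationToLatestKeyVersionEnabled": false}')

# Azure disk encryption types that involve a customer-managed key.
CMK_TYPES = {"EncryptionAtRestWithCustomerKey",
             "EncryptionAtRestWithPlatformAndCustomerKeys"}


def audit_node(vm, disks, des=None, expect_cmk=False):
    """Return a list of findings for one storage node VM and its managed disks."""
    findings = []
    # Encryption at host is a VM-level setting, not a per-disk one.
    if not (vm.get("securityProfile") or {}).get("encryptionAtHost", False):
        findings.append(f"{vm['name']}: encryption at host is not enabled")
    for disk in disks:
        enc = disk.get("encryption") or {}
        uses_cmk = enc.get("type") in CMK_TYPES
        if expect_cmk and not uses_cmk:
            findings.append(
                f"{disk['name']}: platform-managed key, expected customer-managed key")
        if uses_cmk and not enc.get("diskEncryptionSetId"):
            findings.append(
                f"{disk['name']}: customer-managed key type without a disk encryption set")
    # Key rotation on the disk encryption set remains changeable after setup,
    # so report its current state.
    if des is not None and not des.get("rotationToLatestKeyVersionEnabled", False):
        findings.append(f"{des['name']}: automatic key rotation is disabled")
    return findings


if __name__ == "__main__":
    for line in audit_node(SAMPLE_VM, SAMPLE_DISKS, SAMPLE_DES, expect_cmk=True):
        print(line)
```

Run it with expect_cmk=True only for clusters that were installed with a disk encryption set; for the default platform-managed key configuration, leave it False and omit des.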
Data at rest encryption with the storage software (VSP One SDS Block)
Data at rest encryption with the storage software (VSP One SDS Block) encrypts user data by using the software within the storage system. Data at rest encryption is disabled by default. For details about Data at rest encryption, see Using Data at rest encryption in the VSP One SDS Block and SDS Cloud System Administration.