VSP One SDS Block provides two data encryption methods as follows:
- Google Cloud disk encryption
- Data at rest encryption with the storage software (VSP One SDS Block)
Google Cloud disk encryption and Data at rest encryption with the storage software (VSP One SDS Block) can be used concurrently.
Google Cloud disk encryption
Google Cloud disk encryption encrypts both the system drives and user data drives of storage nodes. Google Cloud disk encryption is enabled by default.
The following two methods are available for applying disk encryption:
- Default encryption with a Google-managed key
- Encryption with a customer-managed encryption key (CMEK) that you create beforehand and specify when installing VSP One SDS Block
Google Cloud disk encryption settings cannot be changed after a storage cluster is set up. However, you can change the setting to enable or disable key rotation.
To create a CMEK, assign the "Cloud KMS Admin" role to the account.
To use a CMEK, assign necessary roles to the account named "Compute Engine Service Agent."
For details about necessary roles and procedures for assigning the roles, see the following website:
https://cloud.google.com/compute/docs/disks/customer-managed-encryption#required-roles
For details about Google Cloud disk encryption, see the Google Cloud documentation.
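As an added worked example (not from the VSP One SDS Block documentation or from Google), the CMEK preparation described above written as a bash wrapper around the gcloud CLI: the key is created with an automatic rotation schedule, and the Compute Engine Service Agent is granted only the encrypt/decrypt role it needs to use the key. The project, key ring and key names are placeholders; the service-agent address format and the role names are assumed from Google Cloud's public IAM and Cloud KMS documentation.

```bash
#!/usr/bin/env bash
# Added example: prepare a CMEK for a VSP One SDS Block installation.
# Assumes the caller already holds roles/cloudkms.admin ("Cloud KMS Admin").
set -euo pipefail

GCLOUD="${GCLOUD:-gcloud}"   # set GCLOUD=echo to print the commands instead of running them

# The Compute Engine Service Agent that will use the key on behalf of the
# storage nodes. Its address is derived from the project NUMBER, not the ID.
compute_service_agent() {
  local project_number="$1"
  printf 'serviceAccount:service-%s@compute-system.iam.gserviceaccount.com\n' "$project_number"
}

# Create the key ring and key, then grant the service agent the least
# privilege it needs: encrypt/decrypt on this one key, no admin rights.
# Usage: provision_cmek PROJECT_ID PROJECT_NUMBER LOCATION RING KEY [ROTATION] [NEXT_ROTATION_TIME]
provision_cmek() {
  local project_id="$1" project_number="$2" location="$3" ring="$4" key="$5"
  local rotation="${6:-90d}" next_rotation="${7:-2030-01-01T00:00:00Z}"   # placeholder date
  local member; member="$(compute_service_agent "$project_number")"

  "$GCLOUD" kms keyrings create "$ring" --project "$project_id" --location "$location"
  "$GCLOUD" kms keys create "$key" --project "$project_id" --location "$location" \
      --keyring "$ring" --purpose encryption \
      --rotation-period "$rotation" --next-rotation-time "$next_rotation"
  "$GCLOUD" kms keys add-iam-policy-binding "$key" --project "$project_id" \
      --location "$location" --keyring "$ring" \
      --member "$member" --role roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# Key rotation is the one setting that can still be changed after the storage
# cluster is set up: "on" (re)applies a rotation schedule, "off" removes it.
# Usage: set_key_rotation on|off PROJECT_ID LOCATION RING KEY [ROTATION] [NEXT_ROTATION_TIME]
set_key_rotation() {
  local mode="$1" project_id="$2" location="$3" ring="$4" key="$5"
  local rotation="${6:-90d}" next_rotation="${7:-2030-01-01T00:00:00Z}"
  case "$mode" in
    on)  "$GCLOUD" kms keys update "$key" --project "$project_id" --location "$location" \
             --keyring "$ring" --rotation-period "$rotation" --next-rotation-time "$next_rotation" ;;
    off) "$GCLOUD" kms keys update "$key" --project "$project_id" --location "$location" \
             --keyring "$ring" --remove-rotation-schedule ;;
    *)   echo "set_key_rotation: mode must be on or off" >&2; return 1 ;;
  esac
}

# Run the provisioning step only when invoked with arguments.
if [ "$#" -ge 5 ]; then provision_cmek "$@"; fi
```

Run with `GCLOUD=echo` first to review the exact commands before executing them against a real project.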
Data at rest encryption with the storage software (VSP One SDS Block)
Data at rest encryption with the storage software (VSP One SDS Block) encrypts user data by using the software within the storage system. Data at rest encryption is disabled by default. For details about Data at rest encryption, see Using Data at rest encryption in the VSP One SDS Block and SDS Cloud System Administration.