Disk encryption (Limited availability)

Disk encryption keeps the data stored on your compute instances secure. It protects against unauthorized data access by keeping the data encrypted if the disk is ever removed from the datacenter, decommissioned, or disposed of. The platform manages the encryption and decryption for you.

By default, disk encryption is enabled on all compute instances.

How disk encryption works with different services and features

Each service or feature below is listed with its disk encryption behavior.

Backups (automatic full file-based snapshot of your disks taken during your preferred scheduled time slot while the compute instance is still running)
  Attention: Backups are not encrypted even when they are taken from an encrypted disk.
  When a backup is restored, and if encryption is enabled, the data stored on the disk is encrypted again.

Images (allows you to store custom disk images in the Cloud; these images can be preconfigured with the exact software and settings and can be deployed to new or existing compute instances)
  Attention: Images are not encrypted even when they are taken from an encrypted disk.
  When an image is deployed, and if encryption is enabled, the data stored on the disk is encrypted again.

Clone (allows duplication of a compute instance to a new or existing instance)
  • Data on encrypted disks remains encrypted.
  • Data on unencrypted disks remains unencrypted.

Create (Compute Instances equipped with a tailored set of resources designed to run any cloud-based workload)
  Disk encryption is enabled by default if it's available in a region. You can change the disk encryption setting (Encrypt Disk) if the compute instance is not part of an LKE node pool.
  After a compute instance is created, changing the Encrypt Disk setting requires a Rebuild.

Migration (moves your compute instance to another data center)
  During migration, a new disk is created on the destination host. Decrypted bits are copied over from the source to the destination. The new disk is encrypted if the destination host has disk encryption enabled.

Rebuild (start over with a fresh Linux distribution or use a backup)
  You can change the Encrypt Disk setting by performing a Rebuild. During a Rebuild, the previous encryption setting is used unless it's changed.
  The Encrypt Disk setting for compute instances attached to an LKE node pool cannot be changed.

Rescue (boot your compute instance into Rescue Mode to perform system recovery tasks and transfer data off the disks when you suspect a corrupt file system)
  When a rescue image is deployed, and if encryption is enabled, the data stored on the disk is encrypted again.

Resize (change a compute instance's plan to resize your instance)
  • Data on encrypted disks remains encrypted.
  • Data on unencrypted disks remains unencrypted.
Considerations

  • Disk encryption is currently not available in all regions. Select another region to use disk encryption, or enable encryption when it does become available using Rebuild.

  • After a compute instance is created, changing the Encrypt Disk setting requires a Rebuild.

  • Disk encryption is enabled by default for Compute Instances in distributed regions, and cannot be disabled.

  • New LKE clusters are encrypted if disk encryption is supported in the region. This disk encryption setting cannot be changed.

  • If the compute instance is part of an LKE node pool, you cannot change the disk encryption setting. If a node pool is not encrypted and you want an encrypted node pool, delete the node pool and create a new node pool. New node pools are always encrypted.

  • Encryption, in general, can increase CPU overhead and decrease realized throughput.

    • For performance-sensitive workloads on compute instances that are not part of an LKE node pool, you can opt out of disk encryption, or disable Encrypt Disk by performing a Rebuild.
    • For performance-sensitive workloads on compute instances that are part of an LKE node pool, you can create additional node pools to spread out the workloads if required.

Check if disk encryption is enabled on a compute instance

1. Log into Cloud Manager and click the Linodes link in the sidebar.

2. Click on a Compute Instance from the list to view more details.

3. Within the top Summary section, you can view whether the compute instance is Encrypted or Not Encrypted.

   Screenshot of the Compute Instances in the Cloud Manager with and without encryption

Check if disk encryption is enabled on a cluster's node pools

1. Log into Cloud Manager, click Kubernetes in the left menu, and select the cluster you wish to view.

2. Scroll down to the Node Pools section. This lists all node pools for your cluster and their encryption status.

   Screenshot of the Node Pools section of a cluster in the Cloud Manager with encryption
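The two Cloud Manager checks above can also be run as an audit across a whole account. The script below is an added example, not part of this page or the platform's own tooling; it assumes the Linode API v4 base URL and its `data`/`page`/`pages` pagination fields, and a `disk_encryption` field of "enabled" or "disabled" on instance and node pool objects. Instances that lack the field entirely are reported as well, since a region without the feature leaves the instance unencrypted until a Rebuild.

```python
import json
import urllib.request

API_BASE = "https://api.linode.com/v4"  # assumption: API v4 base URL


def fetch_all(path, token):
    """Fetch every page of a list endpoint (assumes 'data'/'page'/'pages' fields)."""
    page, items = 1, []
    while True:
        req = urllib.request.Request(f"{API_BASE}{path}?page={page}&page_size=100",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        items.extend(body["data"])
        if page >= body.get("pages", 1):
            return items
        page += 1


def unencrypted_instances(instances):
    """Labels of instances whose assumed 'disk_encryption' field is not 'enabled'.
    A missing field is flagged too: the region may lack the feature yet."""
    return sorted(i["label"] for i in instances
                  if i.get("disk_encryption") != "enabled")


def unencrypted_node_pools(pools):
    """(pool id, plan type) of LKE node pools not reporting encryption; these
    cannot be changed in place, so the fix is a new node pool."""
    return [(p["id"], p["type"]) for p in pools
            if p.get("disk_encryption") != "enabled"]


def audit(token):
    """Live check with a read-only API token; returns findings as a dict."""
    report = {"instances": unencrypted_instances(fetch_all("/linode/instances", token)),
              "node_pools": []}
    for cluster in fetch_all("/lke/clusters", token):
        pools = fetch_all(f"/lke/clusters/{cluster['id']}/pools", token)
        report["node_pools"] += unencrypted_node_pools(pools)
    return report


# Constructed sample objects in the assumed API shape (not real API output).
SAMPLE_INSTANCES = [
    {"label": "web-1", "region": "region-a", "disk_encryption": "enabled"},
    {"label": "db-1", "region": "region-a", "disk_encryption": "disabled"},
    {"label": "legacy", "region": "region-b"},  # no field: feature unavailable there
]
SAMPLE_POOLS = [
    {"id": 101, "type": "plan-small", "disk_encryption": "enabled"},
    {"id": 102, "type": "plan-large", "disk_encryption": "disabled"},
]
```

`audit(token)` only reads resources; run it with a read-only personal access token and review the returned labels and pool ids against the Rebuild and node pool rules above.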

Note: Encrypting a node pool

If a node pool is not encrypted and you want an encrypted node pool, delete the node pool and create a new node pool. New node pools are always encrypted.