Volume Encryption (Limited availability)
Full disk encryption ensures that the data stored on a block volume drive is secure. It protects against unauthorized access by keeping the data encrypted if the volume drive is removed from the data center, decommissioned, or disposed of.
The platform automatically manages the encryption and decryption process for you. An encrypted volume can be used in the same way that a non-encrypted volume is used today.
You can enable or disable disk encryption only when creating new block volumes. After a volume is created, the encryption setting cannot be changed. By default, volume disk encryption is disabled.
Local disk encryption and block volume encryption
It's possible that the local disks for a Compute Instance are encrypted but the block storage volumes attached to them are not. You can also have encrypted volumes attached to unencrypted Compute Instances.
How encryption works on Block Storage Volumes
Feature | Volume Encryption Behavior |
---|---|
Create volume: Adds a volume which can be attached to Compute Instances. | Volume encryption is disabled by default. After a volume is created, you can't change this setting. |
Clone a volume: Copies all of the data in a Block Storage volume to a new volume using the API. | While Key Rotating, the option to Clone a volume is disabled. |
Resize a volume: Increases the size of a volume through the API. It is not possible to reduce the size of a volume. | While Key Rotating, the option to Resize a volume is disabled. |
Transfer Block Storage data to a different data center | During the Block Storage data transfer, decrypted data from the source volume is copied over to the destination volume. The destination volume can have encryption enabled or disabled. |
Transfer Block Storage data to another Compute Instance: Moves a Block Storage volume to a different Compute Instance within the same data center. | If a volume is encrypted, migrating the volume within the same region (data center) is supported in most cases. |
Availability
Volume encryption is currently not available in all regions. Select another region if you want encrypted volumes.
Considerations
- After a volume is created, its encryption setting cannot be changed.
- Using Volume disk encryption with other encryption methods on the same data can reduce Input/Output Operations Per Second (IOPS) and is generally not supported. Using only one encryption method is recommended.
- Encryption, in general, increases CPU usage and can decrease realized throughput and volume IOPS. For performance-sensitive workloads, you can:
  - keep volume disk encryption disabled.
  - increase volume sizes to improve performance.
How to check if a volume is encrypted
Log in to Cloud Manager and click the Volumes link in the sidebar.
How to check if an attached volume is encrypted
- Log in to Cloud Manager and click Linodes in the left menu.
- Click on a Compute Instance from the list to view more details.
- Navigate to and select the Storage tab.
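The same check can be scripted across an account to catch the mismatch described earlier, where a Compute Instance's local disks are encrypted but an attached volume is not (or the reverse). The following is an added example, not code from this page or from the platform: the field names `encryption`, `disk_encryption` and `linode_id` are assumptions about the shape of the volume and instance listings, and the sample data is constructed.

```python
import json

# Constructed sample data shaped like volume and instance listings.
# Field names ("encryption", "disk_encryption", "linode_id") are assumptions.
VOLUMES_JSON = """[
  {"id": 101, "label": "db-data", "linode_id": 1,    "encryption": "enabled"},
  {"id": 102, "label": "logs",    "linode_id": 1,    "encryption": "disabled"},
  {"id": 103, "label": "scratch", "linode_id": 2,    "encryption": "enabled"},
  {"id": 104, "label": "archive", "linode_id": null, "encryption": "disabled"}
]"""
INSTANCES_JSON = """[
  {"id": 1, "label": "app-1", "disk_encryption": "enabled"},
  {"id": 2, "label": "app-2", "disk_encryption": "disabled"}
]"""


def audit(volumes, instances):
    """Return (volume, instance, reason) for every pairing that leaves data at rest unencrypted."""
    by_id = {inst["id"]: inst for inst in instances}
    findings = []
    for vol in volumes:
        # A missing or unknown value is treated as unencrypted (the default is disabled).
        vol_enc = vol.get("encryption") == "enabled"
        inst = by_id.get(vol.get("linode_id"))
        if inst is None:
            # Unattached, or attached to an instance that is not in the listing.
            if not vol_enc:
                findings.append((vol["label"], None, "unattached volume is unencrypted"))
            continue
        inst_enc = inst.get("disk_encryption") == "enabled"
        if inst_enc and not vol_enc:
            findings.append((vol["label"], inst["label"], "local disks encrypted, volume is not"))
        elif vol_enc and not inst_enc:
            findings.append((vol["label"], inst["label"], "volume encrypted, local disks are not"))
        elif not vol_enc:
            findings.append((vol["label"], inst["label"], "neither volume nor local disks encrypted"))
    return findings


if __name__ == "__main__":
    for vol, inst, reason in audit(json.loads(VOLUMES_JSON), json.loads(INSTANCES_JSON)):
        print(f"{vol}: attached to {inst if inst else 'nothing'}: {reason}")
```

Because the encryption setting cannot be changed after a volume is created, a flagged volume can only be remediated by creating a new encrypted volume and moving the data to it.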