Volume Encryption (Limited availability)

Full disk encryption keeps the data stored on a block volume drive encrypted at rest. It protects against unauthorized access if the volume drive is removed from the data center, decommissioned, or disposed of.

The platform automatically manages the encryption and decryption process for you. An encrypted volume can be used in the same way that a non-encrypted volume is used today.

You can enable or disable disk encryption only when creating new block volumes. After a volume is created, the encryption setting cannot be changed. By default, volume disk encryption is disabled.

Local disk encryption and block volume encryption

The local disks of a Compute Instance can be encrypted while the Block Storage volumes attached to it are not. You can also have encrypted volumes attached to unencrypted Compute Instances.

How encryption works on Block Storage Volumes

Feature: Volume Encryption Behavior

Create volume: Adds a volume which can be attached to Compute Instances.
  • Volume encryption is disabled by default. After a volume is created, you can't change this setting.

Clone a volume: Copies all of the data in a Block Storage volume to a new volume using the API.
  • If a volume is cloned from an encrypted volume, the cloned volume is also encrypted.
  • If a volume is cloned from an unencrypted volume, the cloned volume is also unencrypted.
  • When the status of a volume is Key Rotating, the option to Clone a volume is disabled.

Resize a volume: Increases the size of a volume through the API. It is not possible to reduce the size of a volume.
  • If an encrypted volume is resized, it remains encrypted.
  • If an unencrypted volume is resized, it remains unencrypted.
  • When the status of a volume is Key Rotating, the option to Resize a volume is disabled.

Transfer Block Storage data to a different data center:
  • During the Block Storage data transfer, decrypted data from the source volume is copied over to the destination volume. The destination volume can have encryption enabled or disabled.

Transfer Block Storage data to another Compute Instance: Moves a Block Storage volume to a different Compute Instance within the same data center.
  • If a volume is encrypted, migrating the volume within the same region (data center) is supported in most cases.

Availability

Volume encryption is currently not available in all regions. Select another region if you want encrypted volumes.

Considerations

  • After a volume is created, its encryption setting cannot be changed.
  • Using volume disk encryption with other encryption methods on the same data can reduce Input/Output Operations Per Second (IOPS) and is generally not supported. Using only one encryption method is recommended.
  • Encryption in general increases CPU usage and can decrease realized throughput and volume IOPS. For performance-sensitive workloads, you can:
    • keep volume disk encryption disabled.
    • increase volume sizes to improve performance.

How to check if a volume is encrypted

Log in to Cloud Manager and click the Volumes link in the sidebar.

Figure: Volume Encryption Setting

How to check if an attached volume is encrypted

1. Log in to Cloud Manager and click Linodes in the left menu.
2. Click a Compute Instance in the list to view more details.
3. Navigate to and select the Storage tab.

Figure: Attached Volume Encryption Status
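
The two checks above can also be run across a whole account from exported listings; the following is an added example, not part of the original page or the platform's own code. It flags unencrypted volumes and attachments where local disk encryption and volume encryption differ. The field names (encryption, disk_encryption, linode_id), their enabled/disabled values, and the sample records are assumptions constructed for illustration.

```python
import json

# Constructed sample records, shaped like the "data" arrays of a volumes
# listing and an instances listing. Field names and values are assumptions.
VOLUMES_JSON = """[
  {"id": 101, "label": "db-data", "linode_id": 9001, "encryption": "enabled"},
  {"id": 102, "label": "logs",    "linode_id": 9001, "encryption": "disabled"},
  {"id": 103, "label": "scratch", "linode_id": null, "encryption": "disabled"},
  {"id": 104, "label": "backups", "linode_id": 9002, "encryption": "enabled"}
]"""
INSTANCES_JSON = """[
  {"id": 9001, "label": "app-1", "disk_encryption": "enabled"},
  {"id": 9002, "label": "app-2", "disk_encryption": "disabled"}
]"""


def audit(volumes, instances):
    """Return (labels of unencrypted volumes, list of mismatch findings)."""
    by_id = {inst["id"]: inst for inst in instances}
    unencrypted, mismatches = [], []
    for vol in volumes:
        # A missing field is treated as unencrypted: encryption is off by default.
        vol_enc = vol.get("encryption", "disabled") == "enabled"
        if not vol_enc:
            unencrypted.append(vol["label"])
        inst = by_id.get(vol.get("linode_id"))
        if inst is None:
            continue  # unattached volume: no local disks to compare against
        inst_enc = inst.get("disk_encryption", "disabled") == "enabled"
        if inst_enc != vol_enc:
            # Local disks and attached volume are protected differently.
            mismatches.append({
                "volume": vol["label"],
                "instance": inst["label"],
                "volume_encrypted": vol_enc,
                "local_disks_encrypted": inst_enc,
            })
    return unencrypted, mismatches


if __name__ == "__main__":
    unenc, mism = audit(json.loads(VOLUMES_JSON), json.loads(INSTANCES_JSON))
    print("Unencrypted volumes:", ", ".join(unenc))
    for m in mism:
        print(f"Mismatch: volume {m['volume']} (encrypted={m['volume_encrypted']}) "
              f"on {m['instance']} (local disks encrypted={m['local_disks_encrypted']})")
```

Because the encryption setting cannot be changed after creation, an unencrypted volume found this way can only be remediated by creating a new encrypted volume and moving the data to it.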