Encryption

To enable encryption for a virtual disk, the source disks must be on a machine with Windows Server 2016 or later. All snapshots of an encrypted virtual disk will be encrypted as well. Pools with encrypted data cannot be used in previous versions of the software. All client data may be lost if an encrypted pool is imported on an older version of the software that predates the introduction of encryption for virtual disks.

When a virtual disk in a pool is initially encrypted, an encryption key is created. This key is required to access the encrypted data in the pool. A key displays as an overlay on the pool to indicate that an encryption key is present for the pool.

This key is preserved in the key repository on the local machine.

The key also needs to be preserved in a secure location in case the machine is destroyed, so that the data in the pool can be restored on a different or reconstructed machine. To preserve the key, use the Data-at-Rest Pool Key tool (DcsPoolKeyCli) installed with DataCore SANsymphony to export the key for each pool. For details on the Data-at-Rest Pool Key tool and support commands, see Data-at-Rest Pool Key Tool.

Enabling Encryption

Enabling Encryption for a New Virtual Disk

To enable encryption during the creation of a new virtual disk, select the Encrypted check box in step 1 of the wizard, Set Virtual Disk Properties.

For details on the overall process of creating a new virtual disk, see Creating Virtual Disks.

Enabling Encryption for an Existing Virtual Disk

Encryption can be enabled at the individual virtual disk level or for an entire virtual disk group, either in the DataCore Management Console or by using DataCore Cmdlets.

From the Virtual Disks List

In the Virtual Disks list, right-click the virtual disk or virtual disk group you want to enable encryption for and select Encryption > Enable from the shortcut menu.

From the Virtual Disk Details Page

  1. In the DataCore Servers panel or Hosts panel, expand Virtual Disks and click the virtual disk to open the details page. Alternatively, double-click a virtual disk in the Virtual Disks list.
  2. Click the Settings tab.
  3. Select the Encrypted check box.
  4. Click Apply.

Enabling Encryption in PowerShell

Set the EncryptionEnabled parameter of Set-DcsVirtualDiskProperties to 1.

For full details on this cmdlet, refer to the DataCore Cmdlet Reference Guide.

Disabling Encryption

Encryption can be disabled at the individual disk level or for an entire virtual disk group, either in the DataCore Management Console or by using DataCore Cmdlets.

After all the encrypted virtual disks are removed or changed to an unencrypted state, there is a delay of 30 seconds before the disk pool state changes from encrypted to unencrypted. When encryption is disabled, the encryption key is removed from the pool and deleted from the system. Foreign pool import does not require an encryption key once the disk pool is unencrypted.

From the Virtual Disks List

Right-click the virtual disk or virtual disk group you want to disable encryption for and select Encryption > Disable from the shortcut menu.

From the Virtual Disk Details Page

  1. In the DataCore Servers panel or Hosts panel, expand Virtual Disks and click the virtual disk to open the details page. Alternatively, double-click a virtual disk in the Virtual Disks list.
  2. Click the Settings tab.
  3. Clear the Encrypted check box.
  4. Click Apply.

Disabling Encryption in PowerShell

Set the EncryptionEnabled parameter of Set-DcsVirtualDiskProperties to 0.

For full details on this cmdlet, refer to the DataCore Cmdlet Reference Guide.