Encryption

To enable encryption for a virtual disk, the source disks must be on a machine running Windows Server 2016 or later. All snapshots of an encrypted virtual disk are encrypted as well. Pools with encrypted data cannot be used in previous versions of the software. All client data may be lost if an encrypted pool is imported on an older version of the software that predates the introduction of encryption for virtual disks.

When a user first encrypts a virtual disk in a pool, an encryption key is created. This key is required to access the encrypted data in the pool. This key is preserved in the key repository on the local machine.

The key also needs to be preserved in a secure location in case the machine is destroyed, so that the data in the pool can be restored on a different or reconstructed machine. To preserve the key, use the Data-at-Rest Pool Key tool (DcsPoolKeyCli), which is installed with SANsymphony, to export the key for each pool. The export generates a bin file for each pool; save each file in a secure location. If the original server is destroyed, the bin file can be imported with the same tool to grant access to the data from a different server. For details on the Data-at-Rest Pool Key tool and support commands, see Data-at-Rest Pool Key Tool.