Encryption
To enable encryption for a virtual disk, the source disks must be on a machine with Windows Server 2016 or later. All snapshots of an encrypted virtual disk will be encrypted as well. Pools with encrypted data cannot be used in previous versions of the software. All client data may be lost if an encrypted pool is imported on an older version of the software that predates the introduction of encryption for virtual disks.
Encryption Key
When a virtual disk in a pool is initially encrypted, an encryption key is created. This key is required to access the encrypted data in the pool. The key displays as an overlay on the pool and indicates that an encryption key is present at the pool.
This key is preserved in the key repository on the local machine.
The key also needs to be preserved in a secure location in case the machine is destroyed, so that the data in the pool can be restored on a different/reconstructed machine. To preserve the key, use the Data-at-Rest Pool Key tool (DcsPoolKeyCli) installed with DataCore SANsymphony to export the key for each pool. For details on the Data-at-Rest Pool Key tool and support commands, see Data-at-Rest Pool Key Tool.
Enabling Encryption
Enabling Encryption for a New Virtual Disk
To enable encryption during the creation of a new virtual disk, select the Encrypted check box in step 1 of the wizard, Set Virtual Disk Properties.
For details on the overall process of creating a new virtual disk, see Creating Virtual Disks.
Enabling Encryption for an Existing Virtual Disk
Encryption can be enabled for an individual virtual disk or for an entire virtual disk group, either in the DataCore Management Console or with DataCore Cmdlets.
From the Virtual Disks List
In the Virtual Disks list, right-click the virtual disk or virtual disk group you want to enable encryption for and select Encryption > Enable from the shortcut menu.
From the Virtual Disk Details Page
- In the DataCore Servers panel or Hosts panel, expand Virtual Disks and click the virtual disk to open the details page. Alternatively, double-click a virtual disk in the Virtual Disks list.
- Click the Settings tab.
- Select the Encrypted check box.
- Click Apply.
Enabling Encryption in PowerShell
Set the EncryptionEnabled parameter of Set-DcsVirtualDiskProperties to 1.
For full details on this cmdlet, refer to the DataCore Cmdlet Reference Guide.
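The PowerShell step above applied to several virtual disks, with a check that each one reports as encrypted afterwards. This is an added example, not DataCore's own script: the virtual disk names are hypothetical, the session is assumed to be already connected with Connect-DcsServer, and the EncryptionEnabled property read back from Get-DcsVirtualDisk is an assumption.

```powershell
# Added example. Assumes the DataCore cmdlets are loaded and the session is
# already connected to the server group (Connect-DcsServer).
$diskNames = @('VD-Finance', 'VD-HR')   # hypothetical virtual disk names

$report = foreach ($name in $diskNames) {
    try {
        # EncryptionEnabled 1 enables encryption; 0 would disable it.
        Set-DcsVirtualDiskProperties -VirtualDisk $name -EncryptionEnabled 1 -ErrorAction Stop | Out-Null

        # Read the disk back to confirm the setting took effect.
        $vd = Get-DcsVirtualDisk -VirtualDisk $name -ErrorAction Stop
        [pscustomobject]@{
            VirtualDisk = $name
            # Assumption: the returned object exposes an EncryptionEnabled property.
            Encrypted   = [bool]$vd.EncryptionEnabled
            Error       = $null
        }
    }
    catch {
        # Record the failure and continue with the remaining disks.
        [pscustomobject]@{ VirtualDisk = $name; Encrypted = $false; Error = $_.Exception.Message }
    }
}

$report | Format-Table -AutoSize

# List anything that did not confirm so it can be checked in the console.
$failed = $report | Where-Object { -not $_.Encrypted }
if ($failed) {
    Write-Warning ("Encryption not confirmed for: " + ($failed.VirtualDisk -join ', '))
}
else {
    # A key now exists for each affected pool; export it with DcsPoolKeyCli
    # (see Data-at-Rest Pool Key Tool) and store it off the machine.
    Write-Host 'All listed virtual disks report encryption enabled. Export the pool key(s) next.'
}
```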
Disabling Encryption
Encryption can be disabled for an individual virtual disk or for an entire virtual disk group, either in the DataCore Management Console or with DataCore Cmdlets.
After all the encrypted virtual disks are removed or changed to an unencrypted state, there is a delay of 30 seconds before the disk pool state changes from encrypted to unencrypted. When encryption is disabled, the encryption key is removed from the pool and deleted from the system. Foreign pool import does not require an encryption key once the disk pool is unencrypted.
From the Virtual Disks List
Right-click the virtual disk or virtual disk group you want to disable encryption for and select Encryption > Disable from the shortcut menu.
From the Virtual Disk Details Page
- In the DataCore Servers panel or Hosts panel, expand Virtual Disks and click the virtual disk to open the details page. Alternatively, double-click a virtual disk in the Virtual Disks list.
- Click the Settings tab.
- Clear the Encrypted check box.
- Click Apply.
Disabling Encryption in PowerShell
Set the EncryptionEnabled parameter of Set-DcsVirtualDiskProperties to 0.
For full details on this cmdlet, refer to the DataCore Cmdlet Reference Guide.
Encryption and Capacity Optimization
Prior to DataCore SANsymphony 10.0 PSP18, encryption and Capacity Optimization were two mutually exclusive options for the virtual disks. To provide flexibility in handling data, virtual disk data can now be stored in both encrypted and Capacity Optimized (CO) formats using the encryption (AES-256-GCM) support provided by the ZFS framework.
The key required to access the encrypted and CO data is preserved like a regular encryption key. For more information, see Encryption Key.
Enabling Encryption and Capacity Optimization for a New Virtual Disk
To enable encryption and Capacity Optimization during the creation of a new virtual disk, select the Encrypted and Capacity Optimization check boxes in Step 1: Set Virtual Disk Properties of the wizard.
On enabling encryption and Capacity Optimization, the virtual disk data gets encrypted and capacity optimized, and gets stored in the CO subsystem based on the Capacity Optimization options selected by the user.
Enabling Encryption and Capacity Optimization for an Existing Virtual Disk
To enable encryption and Capacity Optimization for an existing virtual disk, select the Encrypted and Capacity Optimization check boxes in the virtual disk’s Settings tab.
Disabling Encryption and Capacity Optimization for a New Virtual Disk
To disable encryption and Capacity Optimization for a new virtual disk, deselect the Encrypted and Capacity Optimization check boxes in Step 1: Set Virtual Disk Properties of the wizard.
Disabling Encryption and Capacity Optimization for an Existing Virtual Disk
To disable encryption and Capacity Optimization for an existing virtual disk, deselect the Encrypted and Capacity Optimization check boxes in the virtual disk’s Settings tab.