Encrypting Existing Swarm Volumes Manually

If you are retiring volumes so that you can implement encryption at rest, you will need to then reformat and remount the volumes. You will need to follow the manual process outlined below. (v10.1)

To convert existing volumes to use encryption-at-rest, migrate the data using a chassis-by-chassis approach:

1. Enable the encryption-at-rest settings for the cluster, which will apply to newly formatted volumes.
2. Starting with the first chassis, retire it: from the Storage UI, select Cluster > Hardware, open the Chassis Details, and select Retire from the action (gear) menu.
   
3. Wait for all of its volumes to reach a status of "retired".
4. From the system console on the physical chassis, stop the storage processes: System Control > 3. Stop Storage Processes
5. Format all of the disks, which will now be encrypted: Disk Volumes > ALL

6. Reboot the chassis: System Control > 1. Reboot System
   As Swarm detects each new volume, it formats it as encrypted (using the disk.encryptionKeyPrimary value) and mounts it.

   Note

   You may change the key used to encrypt new Swarm volumes at any time, but your existing Swarm volumes will not be re-encrypted. To re-encrypt them, retire and reformat them, using the new encryption key.

7. With the first chassis complete, repeat all steps until every chassis has been converted.

Related articles

• Page:
  Encryption At Rest (EAR) Considerations for Swarm Upgrades
• Page:
  Encrypting Existing Swarm Volumes Manually
• Page:
  TechNote 2016002: Full-disk Encryption