Enabling Encryption of Data at Rest
About this task
Enable or disable data-at-rest encryption at the volume level using the Control
System, CLI, and REST API if encryption of data at rest is enabled at the cluster
level. If you installed using the Installer and selected the
Enable DARE option, the cluster is automatically enabled
for data-at-rest encryption during installation.
NOTE
Conversion of existing HPE Ezmeral Data Fabric clusters to data-at-rest encryption is not currently supported. If you need to convert an existing non-DARE cluster to DARE, contact HPE support.
If encryption is enabled at the cluster level, data-at-rest encryption is also enabled at the volume level by default through the mapr.volume.dare.default configuration parameter. If you do not wish to encrypt data at rest in a volume, you can disable encryption when you create a volume. You cannot modify the data-at-rest encryption setting on a volume after the volume is created. For more information, see the following later on this page:
Standard volumes inherit the data-at-rest encryption setting from a volume by default if the inherit property is specified. If you create a mirror volume for a source volume enabled for data-at-rest encryption, the mirror volume:
- Inherits the data-at-rest encryption setting from the source volume if the mirror volume is in the same cluster as the source volume or if the mirror volume is on a remote cluster enabled for encryption of data at rest.
- Does not inherit the data-at-rest encryption setting from the source volume if the mirror volume is on an unsecure cluster, or if the mirror volume is on a secure cluster that is not enabled for encryption of data at rest.
NOTE
If you want to create a mirror volume enabled for data-at-rest encryption for a source volume not enabled for data-at-rest encryption, set the value to true for the dare property after creating the mirror volume.
This section describes how to enable data-at-rest encryption at the volume level.
Enabling or Disabling Data-at-Rest Encryption at the Volume Level Using the Control System
About this task
You can enable data-at-rest encryption at the volume level only if data-at-rest encryption is
enabled at the cluster level. If necessary, refer to Determining if a Secure Cluster is Enabled for Encryption Using the Control System to determine if the cluster is enabled for encryption of data at rest before
enabling data-at-rest encryption on a volume.
NOTE
If you do not want to encrypt data at rest in a volume, disable encryption after you create a volume. You cannot modify the data-at-rest encryption setting on a volume after the volume is created.
To enable or disable data-at-rest encryption for a new volume using the Control System:
Procedure
- Log in to the Control System and click .
- Click Create Volume to display the Create New Volume page.
- Select volume type, specify values for required and optional properties, and set the value for the Data at Rest Encryption property to Yes (to enable) or No (to disable). See Creating a Volume for more information.
- Click Create Volume to create a volume enabled for encryption of data at rest.
Enabling or Disabling Data-at-Rest Encryption at the Volume Level Using the CLI and REST API
About this task
You can enable DARE at the volume level only if data-at-rest encryption is
enabled at the cluster level. If necessary, refer to Determining if a Secure Cluster is Enabled for Encryption of Data at Rest Using the CLI and REST API to determine if the cluster is enabled for encryption of data at rest before
enabling a volume for data-at-rest encryption.
NOTE
If you do not want to encrypt data at rest in a volume, disable encryption after you create that volume. You cannot modify the data-at-rest encryption setting on a volume after the volume is created.
Set the value for the dare parameter to one of the following when you create the volume:
- true to enable data-at-rest encryption.
  NOTE
  true is the default value.
  For example:
  maprcli volume create -name <volName> -path <volMountPath> [-dare true]
- false to disable data-at-rest encryption.
  For example:
  maprcli volume create -name <volName> -path <volMountPath> -dare false
Send a request of type POST and set the value for the dare parameter to one of the following when you create the volume:
- true to enable data-at-rest encryption.
  NOTE
  This is the default value.
  For example:
  curl -k -X POST 'https://abc.sj.us:8443/rest/volume/create?name=<volName>&path=<volMountPath>[&dare=true]' --user mapr:mapr
- false to disable data-at-rest encryption.
  For example:
  curl -k -X POST 'https://abc.sj.us:8443/rest/volume/create?name=<volName>&path=<volMountPath>&dare=false' --user mapr:mapr
See volume create for more information.
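Because the dare setting cannot be changed once a volume exists, the following added example (not part of the HPE documentation) builds the CLI and REST requests shown above with dare always stated explicitly, and sends the REST call with certificate verification on and a prompted password instead of -k and inline credentials. The function names, the MAPR_CA_FILE and MAPR_USER variables, and the character allowlist are assumptions of this example.

```shell
#!/bin/sh
# Added example, not HPE code. Function names, MAPR_CA_FILE, MAPR_USER and the
# character allowlist are assumptions made for this example.

# Accept only the two literal values the page documents for dare.
dare_value() {
  case "$1" in
    true|false) printf '%s' "$1" ;;
    *) echo "dare must be 'true' or 'false', got '$1'" >&2; return 1 ;;
  esac
}

# Conservative allowlist so names and paths need no URL or shell quoting
# (assumption: the product may permit more characters than this).
safe_token() {
  case "$1" in
    ''|*[!A-Za-z0-9._/-]*) echo "empty or unsafe value: '$1'" >&2; return 1 ;;
  esac
  printf '%s' "$1"
}

# Print the maprcli command with -dare always spelled out, so it can be reviewed
# before it is run; the setting cannot be changed once the volume exists.
volume_create_cli() {  # args: name path dare
  safe_token "$1" >/dev/null && safe_token "$2" >/dev/null &&
    dare_value "$3" >/dev/null || return 1
  printf 'maprcli volume create -name %s -path %s -dare %s' "$1" "$2" "$3"
}

# Build the REST URL (port and endpoint as on the page) with dare always present.
volume_create_url() {  # args: host name path dare
  safe_token "$2" >/dev/null && safe_token "$3" >/dev/null &&
    dare_value "$4" >/dev/null || return 1
  printf 'https://%s:8443/rest/volume/create?name=%s&path=%s&dare=%s' \
    "$1" "$2" "$3" "$4"
}

# Send the POST. No -k: the server certificate is verified against MAPR_CA_FILE.
# --user without a password makes curl prompt, keeping it out of shell history.
volume_create_rest() {  # args: host name path dare
  rest_url=$(volume_create_url "$@") || return 1
  curl --fail --silent --show-error --cacert "${MAPR_CA_FILE:?CA bundle path}" \
    -X POST "$rest_url" --user "${MAPR_USER:?REST user name}"
}
```

Omitting the dare argument makes both builders fail rather than fall back to the cluster default.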