Enabling Encryption of Data at Rest

About this task

Enable or disable data-at-rest encryption at the volume level using the Control System, CLI, and REST API if encryption of data at rest is enabled at the cluster level. If you installed using the Installer and selected the Enable DARE option, the cluster is automatically enabled for data-at-rest encryption during installation.
NOTE
Conversion of existing HPE Ezmeral Data Fabric clusters to data-at-rest encryption is not currently supported. If you need to convert an existing non-DARE cluster to DARE, contact HPE support.
If encryption is enabled at the cluster level, data-at-rest encryption is also enabled at the volume level by default through the mapr.volume.dare.default configuration parameter. If you do not wish to encrypt data at rest in a volume, you can disable encryption when you create a volume. You cannot modify the data-at-rest encryption setting on a volume after the volume is created. For more information, see the following later on this page:

Standard volumes inherit the data-at-rest encryption setting from a volume by default if the inherit property is specified. If you create a mirror volume for a source volume enabled for data-at-rest encryption, the mirror volume:

  • Inherits the data-at-rest encryption setting from the source volume if the mirror volume is in the same cluster as the source volume or if the mirror volume is on a remote cluster enabled for encryption of data at rest.
  • Does not inherit the data-at-rest encryption setting from the source volume if the mirror volume is on an unsecure cluster, or if the mirror volume is on secure cluster that is not enabled for encryption of data at rest.
NOTE
If you want to create a mirror volume enabled for data-at-rest encryption for a source volume not enabled for data-at-rest encryption, set the value to true for the dare property after creating the mirror volume.

This section describes how to enable data-at-rest encryption at the volume level.

Enabling or Disabling Data-at-Rest Encryption at the Volume Level Using the Control System

About this task

You can enable data-at-rest encryption at the volume level only if data-at-rest encryption is enabled at the cluster level. If necessary, refer to Determining if a Secure Cluster is Enabled for Encryption Using the Control System to determine if the cluster is enabled for encryption of data at rest before enabling data-at-rest encryption on a volume.
NOTE
If you do not want to encrypt data at rest in a volume, disable encryption after you create a volume. You cannot modify data-at-rest encryption setting on a volume after the volume is created.

To enable or disable data-at-rest encryption for a new volume using the Control System:

Procedure

  1. Log in to the Control System and click Data > Volumes.
  2. Click Create Volume to display the Create New Volume page.
  3. Select volume type, specify values for required and optional properties, and set the value for the Data at Rest Encryption property to Yes (to enable) or No (to disable).
    See Creating a Volume for more information.
  4. Click Create Volume to create a volume enabled for encryption of data at rest.

Enabling or Disabling Data-at-Rest Encryption at the Volume Level Using the CLI and REST API

About this task

You can enable DARE at the volume level only if data-at-rest encryption is enabled at the cluster level. If necessary, refer to Determining if a Secure Cluster is Enabled for Encryption of Data at Rest Using the CLI and REST API to determine if the cluster is enabled for encryption of data at rest before enabling a volume for data-at-rest encryption.
NOTE
If you do not want to encrypt data at rest in a volume, disable encryption after you create that volume. You cannot modify data-at-rest encryption setting on a volume after the volume is created.
Set the value for the dare parameter to one of the following when you create the volume:
  • true to enable data-at-rest encryption.
    NOTE
    true is the default value.
    For example:
    maprcli volume create -name <volName> -path <volMountPath> [-dare true]
  • false to disable data-at-rest encryption.
    For example:
    maprcli volume create -name <volName> -path <volMountPath> -dare false
Send a request of type POST and set the value for the dare parameter to one of the following when you create the volume:
  • true to enable data-at-rest encryption.
    NOTE
    This is the default value.
    For example:
    curl -k -X POST 'https://abc.sj.us:8443/rest/volume/create?name=<volName>&path=<volMountPath>[&dare=true]' --user mapr:mapr
  • false to disable data-at-rest encryption.
    For example:
    curl -k -X POST 'https://abc.sj.us:8443/rest/volume/create?name=<volName>&path=<volMountPath>&dare=false' --user mapr:mapr
See volume create for more information.