Data Encryption

The data vault feature manages encryption of all data volumes, including archives. By default, the data vault is disabled and the data volumes are in an unlocked state.

Enabling the data vault feature starts encryption of the data volumes. After encryption is complete, the data volumes are unlocked and accessible to users. An administrator logged in via the CLI as root can run the system data_vault command to enable or unlock the data vault, check the status of the data volumes, change the data vault password, or enable or disable the auto-unlock option of the data vault.

Caution: Exercise caution before enabling the data vault feature. Once enabled, you cannot disable it. Also, you cannot migrate data when this feature is enabled.

If the system is restarted for any purpose by any user, the data volumes are locked. If N was entered at the prompt Save the password to automatically decrypt the data on boot time? (y/N) while enabling the data vault feature, an administrator user must run the data_vault command to unlock the data volumes before they can be used again. If y was entered at the prompt while enabling the data vault feature, the data volumes are automatically unlocked after the system restarts.

Once the data vault is enabled, the local volume and the remote archive storage are encrypted, including the existing archive mount point and the archive mount point that is added after turning on the data vault feature.

After turning the data vault feature on, only the new data on the remote archive is encrypted. To encrypt existing data on the remote archive before turning the data vault on, you must run the script /loglogic/scripts/dv_convert.py. However, no additional action is required for local storage.

Important Considerations

  • Once enabled, you cannot disable the data vault feature.
  • Data migration is not supported when the data vault feature is enabled.
  • If you are using LogLogic® Management Center with LogLogic LMI, you must use the auto-unlock configuration; that is, you must type y at the following prompt:
    Save the password to automatically decrypt the data on boot time? (y/N)
    If you are not using LogLogic® Management Center, then saving the password is not recommended.
  • Enabling the data vault takes some time depending on the appliance model configuration. To avoid data loss, do not switch off the appliance while the enabling is in progress. Data lost in such a scenario cannot be recovered.