Entity Encryption or Data-at-Rest Encryption cluster encryption?? | Nutanix Community
Solved

Entity Encryption or Data-at-Rest Encryption cluster encryption??



We have a new cluster running AOS 6.10 AHV which is nearly ready to go into production; it will be replacing two older clusters running ESX. Currently it has no encryption enabled. What is the best option, and what are the pros/cons of full cluster encryption compared to Entity Encryption (VM) using storage policies? It's a 4-node cluster and will be hosting around 170 VMs.

Best answer by jmotto9


2 replies

  • Voyager
  • 1 reply
  • Answer
  • January 23, 2025

It all depends on the security standard the data requires. The safest suggestion, unless you require the highest level (federal government security standard), would be to just encrypt the storage containers. Then the worst-case scenario is you lose your data and have to restore from backups into new storage containers instead of rebuilding the entire cluster. You can do this with encryption at rest. Encrypting each individual entity sounds like a lot of extra work and management. If you elect to not encrypt the cluster as well, then you can have both non-encrypted and encrypted storage containers if required. Performance impacts are near 0.


  • Author
  • Trailblazer
  • 31 replies
  • January 24, 2025

We also have had an NC2 cluster spun up, and the PS SME just turned on data at rest on that cluster, so I might just match what that's been set to.

