---
title: Encryption
---

# Cluster Encryption

E2E Kubernetes supports **encryption at rest** for a cluster's disks. Encryption protects the data stored on the master and worker nodes' volumes.

Encryption is configured **only at creation time** and cannot be enabled or disabled on an existing cluster.

---

## Enable Encryption

When you [create a cluster](/docs/myaccount/kubernetes/getting-started/create-cluster#advanced-settings), open **Advanced Settings** and select **Enable Encryption**.

- A **passphrase** is optional. If you provide one, keep it safe - it is part of protecting the encrypted volumes.
- Encrypted clusters are marked with a lock icon next to the cluster name in the Kubernetes list and on the cluster details page.

---

## What Encryption Covers

Encryption applies to the cluster's node disks (data at rest). It does not change how you connect to the cluster or use `kubectl`, and it does not affect persistent volumes you provision separately - see [Persistent Volumes](/docs/myaccount/kubernetes/manage/persistent-volumes) for storage options.

---

## Related Resources

| Resource                                                                      | Use it for                                     |
| ----------------------------------------------------------------------------- | ---------------------------------------------- |
| [Create a Cluster](/docs/myaccount/kubernetes/getting-started/create-cluster) | Enable encryption during creation.             |
| [Node Encryption](/docs/myaccount/node/features/encryption)                   | Encryption-at-rest behavior for compute nodes. |
| [Security Groups](/docs/myaccount/kubernetes/manage/security-groups)          | Network-level security for the cluster.        |