Node Encryption
Use node encryption when a node needs disk encryption at rest from the time it is created.
Node encryption is a creation-time setting. After an encrypted node is launched, encryption remains enabled for the lifetime of that node. You cannot turn encryption on for an existing non-encrypted node, and you cannot disable encryption on an encrypted node.
This page explains how encryption fits into node management. For the full node launch flow, see Create a node.
What Node Encryption Protects
Node encryption protects the node disk data at rest. When enabled, the node is launched with encryption metadata attached to the node disk configuration.
Use node encryption when:
- Your workload has a data-at-rest encryption requirement.
- You need encryption to be part of the node from launch.
- You want snapshots and saved-image flows to preserve the encrypted node context where supported.
- You want the node list and node detail page to clearly identify encrypted nodes.
Node encryption is not the same as network encryption. Use SSH, RDP over secure networks, TLS, VPN, security groups, and application-level encryption for data in transit.
When You Can Enable Encryption
You can enable encryption only during node creation.
In the create-node flow:
- Select the operating system, node category, instance family, and plan.
- Open Advanced settings.
- Enable encryption if the option is shown for the selected node configuration.
- Enter a passphrase if you want to provide one.
- Review the Summary before launching the node.
The portal shows the encryption option only when the selected node path supports it. Availability can depend on node family, image, region, account settings, and selected service path.
Some accounts can have profile settings that preselect encryption. Always review the Summary before launching the node.
Passphrase Behavior
The passphrase field is optional for node encryption. If you enter a passphrase, the portal validates it before launch.
For node encryption, the passphrase must:
- Be 8 to 12 characters long
- Include at least one uppercase letter
- Include at least one lowercase letter
- Include at least one special character
Use a passphrase you can manage securely. If your organization requires passphrase-based recovery or audit handling, store it according to your internal security policy before launching the node.
Do not put the passphrase in support tickets, comments, public repositories, scripts, or documentation. Treat it as a secret.
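The portal validates the passphrase before launch, but it helps to apply the same rules locally before you type it in, so that a rejected launch does not send you back through the form. The following checker is an added example, not code from the portal or its vendor; it implements the four rules listed above as stated on this page. The set of characters counted as "special" is an assumption, since the page does not define it, and the function deliberately returns only rule names, never the passphrase itself, so nothing secret lands in a log or ticket.

```python
import getpass

# Assumption: the page does not define "special character"; this set covers
# common printable punctuation and should be adjusted to the portal's rules.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")


def validate_passphrase(passphrase: str) -> list[str]:
    """Check a node-encryption passphrase against the page's four rules.

    Returns a list of violated rules (empty list means the passphrase passes).
    The passphrase value is never included in the returned messages.
    """
    problems = []
    if not 8 <= len(passphrase) <= 12:
        problems.append("length must be 8 to 12 characters")
    if not any(c.isupper() for c in passphrase):
        problems.append("missing an uppercase letter")
    if not any(c.islower() for c in passphrase):
        problems.append("missing a lowercase letter")
    if not any(c in SPECIAL_CHARS for c in passphrase):
        problems.append("missing a special character")
    return problems


def passphrase_ok(passphrase: str) -> bool:
    """True when the passphrase satisfies every rule."""
    return not validate_passphrase(passphrase)


if __name__ == "__main__":
    # Read the passphrase without echo so it is not captured in shell history
    # or terminal scrollback; only the verdict is printed, never the value.
    candidate = getpass.getpass("Passphrase to check (not echoed): ")
    issues = validate_passphrase(candidate)
    if issues:
        print("Passphrase would be rejected:")
        for issue in issues:
            print(f"  - {issue}")
    else:
        print("Passphrase satisfies the node-encryption rules.")
```

Run it interactively before launching the node; because it reads with `getpass` and prints only rule names, the output is safe to keep alongside your launch notes without exposing the secret.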
How to Identify an Encrypted Node
After launch, encrypted nodes are marked in the node list and node details area.
Use this status to confirm whether a node was created with encryption enabled. If the encryption indicator is not present, treat the node as non-encrypted.
Because encryption cannot be added after launch, the usual path for moving a workload from a non-encrypted node to encrypted storage is:
- Create a new node with encryption enabled.
- Migrate or restore the workload data to the encrypted node.
- Verify the application and access paths.
- Retire the old node only after backups and data validation are complete.
How Encryption Affects Node Management
Encryption can affect the actions available for a node.
| Area | What to expect |
|---|---|
| Node actions | Encryption itself cannot be toggled after launch. Other actions remain state-dependent. |
| Snapshots | Snapshots created from encrypted nodes should be treated as part of the encrypted node data lifecycle. |
| Saved images | Saved images created from encrypted nodes can preserve encryption context where supported. |
| Disaster Recovery | Review DR availability for encrypted nodes before relying on a DR workflow. |
| Deletion | Deleting the node does not remove the need to review related saved images, snapshots, backups, volumes, public IPs, and Add-on IPs. |
If an action is missing or disabled, use Action Availability to check encryption status together with node state, lock status, attached services, and plan eligibility.
Encryption and Backups
Node encryption and CDP backup encryption are separate settings.
| Setting | Where it is configured | What it controls |
|---|---|---|
| Node encryption | Advanced settings during node creation | Disk encryption at rest for the node. |
| Backup encryption | Backup section during node creation or backup workflow where supported | Encryption behavior for backup recovery data. |
Enabling node encryption does not mean every backup workflow uses the same passphrase or the same validation rules. Review the backup section separately if you enable CDP Backup.
For backup behavior, see CDP Backups.
Encryption and Images
When you save an image from an encrypted node, treat that saved image as security-sensitive.
Before using a saved image from an encrypted node:
- Confirm that the new node flow shows the expected image.
- Review whether encryption is preserved or required for the target node path.
- Choose a compatible plan.
- Confirm access settings, security group, backup, and networking before launch.
For node-image behavior in the management context, see Node Images.
Encryption and Snapshots
Snapshots are point-in-time copies of node storage. For encrypted nodes, snapshots should be managed as part of the encrypted node data lifecycle.
Before creating or deleting snapshots for an encrypted node:
- Confirm the node is in a valid state for snapshot actions.
- Avoid disruptive node actions while snapshot creation is in progress.
- Keep snapshots only as long as your retention policy requires.
- Lock snapshots that must not be deleted accidentally.
For node snapshot behavior in the management context, see Node Snapshots.
Before You Launch an Encrypted Node
Review these items before launching:
| Check | Why it matters |
|---|---|
| Correct OS and plan | Encryption is tied to the node created from this launch flow. |
| Passphrase handling | If you use a passphrase, store it securely before launch. |
| Backup requirements | Backup encryption is configured separately. |
| Access method | Ensure SSH keys, password access, or RDP access match your security policy. |
| Networking | Use security groups, VPC, public IPs, Add-on IPs, and application TLS as needed. |
| DR requirement | Confirm whether DR actions are available for encrypted nodes in your selected region and plan. |
| Cost impact | Review the Summary before launch. Attached services can have independent billing. |
Related Resources
| Resource | Use it for |
|---|---|
| Create a node | Launch a node and enable encryption during creation. |
| Manage Nodes | Review node details and lifecycle actions after launch. |
| Node Images | Understand how encryption interacts with saved images. |
| Node Snapshots | Understand how encryption interacts with snapshots. |
| Action Availability | Check why encrypted-node actions are hidden, disabled, or rejected. |
| Connect to a Linux node | Access encrypted Linux nodes after launch. |
| Connect to a Windows node | Access encrypted Windows nodes after launch. |
| CDP Backups | Manage backup and recovery behavior separately from node encryption. |
| SSH Key Management | Manage SSH keys used for secure node access. |