---
title: "Node Encryption"
---

# Troubleshooting Node Encryption

E2E Networks uses LUKS (Linux Unified Key Setup) for full-disk encryption of nodes. Encryption is configured at the time of node creation and is a permanent property of the node — this leads to a small number of recurring questions, summarized below.

## How E2E Node Encryption Works (Quick Reference)

- Encryption is enabled by checking **Enable Encryption** during node creation.
- An optional **passphrase** can be set to add a layer of security.
- LUKS encrypts at the **block level** using the `aes-xts-plain64` cipher with a **512-bit key**.
- Both **root** and **data** volumes are fully encrypted.
- Logical Volume Management (LVM) volumes are also encrypted at the infrastructure level — this is invisible to the user and requires no setup.
- Snapshots taken from encrypted nodes are themselves encrypted.

## Common Issues

| Issue                                                                | What to do                                                                                                                                                                                        |
| -------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Enable Encryption** is missing during create                       | Encryption is supported on **Linux Virtual Node** and **Linux Smart Dedicated Compute** categories only. Pick a supported category.                                                               |
| Need to enable encryption on an existing node                        | Not possible. Encryption can **only be enabled at node creation** — it cannot be turned on later. Create a new encrypted node and migrate data.                                                   |
| Need to disable encryption on an existing node                       | Not possible. Encryption is permanent for the lifetime of the node. Create a new unencrypted node and migrate data if needed.                                                                     |
| Saved image of an encrypted node is unencrypted                      | Expected. **Save Encrypted Image is not currently supported.** Whether the source node is encrypted or not, the saved image is always unencrypted.                                                |
| Encryption flag missing on a Running node                            | The flag only appears on nodes that were created with **Enable Encryption** checked. If it is missing, the node is not encrypted.                                                                 |
| New node from an encrypted snapshot is not encrypted                 | Expected. When you create a node from an encrypted snapshot/image, you must **explicitly tick Enable Encryption** during node creation. The new node does not inherit encryption from the source. |
| Snapshot from an unencrypted node is unencrypted                     | Expected. Snapshots inherit the encryption state of the source node. To make a new encrypted node from this snapshot, save it as an image and tick Enable Encryption during create.               |
| Lost private key on an encrypted node with password login disabled   | New SSH keys can be added through the MyAccount portal if supported by the node configuration. Plan key management carefully before disabling password login.                                     |
| Export Image is rejected for an image created from an encrypted node | Expected. The Export Image feature is not available for images created from encrypted nodes. Note that Export Image is also **region-dependent**: some regions may support it and some may not, independent of the encryption constraint. |

## Identifying Whether a Node is Encrypted

After the node is created, the encryption status appears on the **Manage Node** page:

- **Non-encrypted nodes** — the encryption flag is not displayed.
- **Encrypted nodes** — the encryption flag is clearly visible in the node details.

If the flag is missing, the node is not encrypted — you cannot retroactively check encryption from inside the node without creating a new node.

## Snapshot Inheritance Rules

| Source           | Snapshot    | Image From Snapshot                             | New Node from Image                                        |
| ---------------- | ----------- | ----------------------------------------------- | ---------------------------------------------------------- |
| Encrypted node   | Encrypted   | Unencrypted (Save Image is not encrypted-aware) | Encrypted only if you tick **Enable Encryption** at create |
| Unencrypted node | Unencrypted | Unencrypted                                     | Encrypted only if you tick **Enable Encryption** at create |

Encryption **does not propagate automatically across images**. Every new node is independently configured for encryption at create time.
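
The rules in the table above can be applied to an asset inventory to find where data from an encrypted node now sits in an unencrypted image or node. This is an added example, not E2E Networks code; the inventory layout and its field names (`kind`, `parent`, `enable_encryption`) are assumptions, and the records are constructed.

```python
# Constructed inventory; the record layout and field names are hypothetical.
INVENTORY = [
    {"id": "node-a", "kind": "node", "parent": None, "enable_encryption": True},
    {"id": "snap-a1", "kind": "snapshot", "parent": "node-a"},
    {"id": "img-a1", "kind": "image", "parent": "snap-a1"},
    {"id": "node-b", "kind": "node", "parent": "img-a1", "enable_encryption": False},
    {"id": "node-c", "kind": "node", "parent": "img-a1", "enable_encryption": True},
    {"id": "node-d", "kind": "node", "parent": None, "enable_encryption": False},
    {"id": "snap-d1", "kind": "snapshot", "parent": "node-d"},
]


def is_encrypted(asset, by_id):
    """Apply the inheritance rules from the table to one asset."""
    kind = asset["kind"]
    if kind == "node":
        # Decided only by the Enable Encryption tick at creation, never inherited.
        return bool(asset.get("enable_encryption", False))
    if kind == "snapshot":
        # Snapshots take the encryption state of their source node.
        return is_encrypted(by_id[asset["parent"]], by_id)
    if kind == "image":
        # Saved images are always unencrypted, whatever the source was.
        return False
    raise ValueError(f"unknown asset kind: {kind!r}")


def has_encrypted_ancestor(asset, by_id):
    """True if anything this asset was derived from was encrypted."""
    parent_id = asset.get("parent")
    while parent_id is not None:
        parent = by_id[parent_id]
        if is_encrypted(parent, by_id):
            return True
        parent_id = parent.get("parent")
    return False


def encryption_gaps(inventory):
    """IDs of unencrypted assets that carry data from an encrypted source."""
    by_id = {a["id"]: a for a in inventory}
    return [a["id"] for a in inventory
            if not is_encrypted(a, by_id) and has_encrypted_ancestor(a, by_id)]


if __name__ == "__main__":
    for asset_id in encryption_gaps(INVENTORY):
        print(f"unencrypted copy of encrypted data: {asset_id}")
```

Assets flagged this way are candidates for deletion once an encrypted replacement node has been created and verified.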

## How to Move from Unencrypted to Encrypted

To migrate an existing unencrypted node to an encrypted one:

1. Save an image of the current node (the image will be unencrypted).
2. From **Saved Images**, click **+ Create Node** on the image.
3. On the create flow, expand **Advanced Settings** and tick **Enable Encryption**. Optionally set a passphrase.
4. Launch the node. It will boot with the source's data, now stored on an encrypted volume.
5. Verify the application, then decommission the unencrypted node when ready.

The same approach works from an unencrypted snapshot — convert the snapshot to a saved image first, then create the encrypted node from the image.

## Related Resources

- [Create Encrypted Node](/docs/myaccount/node/features/encryption)
- [Node Encryption Overview](/docs/myaccount/node/features/encryption/)
- [Snapshots](/docs/myaccount/node/features/snapshots)
- [Image Import and Export](./image-import-export.md)

---
