Configuring Automatic Data Encryption for a Cloud VM Set

The following procedure describes how to configure Automatic Data Encryption for an existing Cloud VM Set. If you want to create a new Cloud VM Set with Automatic Data Encryption, see Creating a Cloud VM Set for the Cryptographic Security Platform Vault for VM Encryption.

  1. Log into the Cryptographic Security Platform Vault for VM Encryption using an account with Cloud Admin privileges.

  2. In the top menu bar, click Workloads.
  3. On the VM Sets tab, select the Cloud VM Set you want to change. The Cryptographic Security Platform Vault webGUI displays the Cloud VM Set properties below the list of Cloud VM Sets.
  4. On the Details tab, look at the Auto Encryption field. If it says Disabled, then no automatic encryption will be performed for the VMs in this Cloud VM Set.

    If it says Enabled, then whenever a new VM is registered with this Cloud VM Set, Cryptographic Security Platform Vault will automatically instruct the Policy Agent on that VM to encrypt one or more of the drives on that VM based on the Automatic Data Encryption Policy.

  5. To change the Auto Encryption Settings, click the current setting and, in the Auto Encryption Settings for VM Set dialog box, do the following:

    1. To change whether the feature is enabled or disabled, in the Auto Encrypt field, click the current setting and select Enabled or Disabled from the drop-down list, then click Save.
    2. If the feature is enabled, make sure the Auto Encryption Policy Type is set correctly. You can select:

      • Exclude—The Windows drives and Linux devices listed in the Auto Encryption Policy Path(s) field will not be automatically encrypted, although they can be encrypted manually at any time. This is the default.
      • Include—The Windows drives and Linux devices listed in the Auto Encryption Policy Path(s) field will be automatically encrypted. All other drives or devices on the VMs must be encrypted manually.
      • Encrypt All Devices—All Windows drives and Linux devices will be automatically encrypted.
    3. If the policy type is Exclude or Include, make sure the Auto Encryption Policy Paths are set correctly. To add additional paths, click the blue + (Plus sign) in this field. You can enter either a Windows drive or a Linux device name. For example, any of the following would be valid path names: C:, C:\data, or sdb1.

      Important: Each path must be on its own line.

  6. When you are done, click Save.
  7. When prompted, choose whether you want the changes you just made propagated to all VMs currently registered with the Cloud VM Set. If you select No, the new settings will only be inherited by any new VMs that are registered with the Cloud VM Set after the changes have been saved. No changes will be made on the currently-registered VMs.

    If you select Yes:

    • All local changes made to the Auto Encryption settings on the individual VMs will be lost.
    • If you enabled the feature or if you changed the Auto Encryption Policy paths, Cryptographic Security Platform Vault will analyze all disks on all VMs currently registered with the Cloud VM Set and it will automatically tell the appropriate Policy Agents to encrypt any unencrypted disks that meet the new criteria. Cryptographic Security Platform Vault will not, however, tell the Policy Agents to decrypt any disk that no longer meets the auto encryption criteria. Once a disk has been encrypted, it must be decrypted manually.
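The following is an added illustration of the policy rules in steps 5 and 7 above; it is not the product's own code. The names Policy, Disk and plan_auto_encryption, and the exact (case-sensitive) matching of entered paths against disk names, are assumptions made for the illustration.

```python
"""Model of the Auto Encryption policy rules described in the procedure.

Added illustration, not the product's own code. Policy, Disk,
plan_auto_encryption and exact path matching are assumptions; the
policy types, one-path-per-line entry and the never-decrypt rule
follow the procedure text.
"""
from dataclasses import dataclass

EXCLUDE, INCLUDE, ENCRYPT_ALL = "Exclude", "Include", "Encrypt All Devices"


@dataclass
class Disk:
    path: str        # a Windows drive such as "C:" or "C:\\data", or a Linux device such as "sdb1"
    encrypted: bool  # current state reported for the disk


@dataclass
class Policy:
    enabled: bool                 # the Auto Encrypt field: Enabled / Disabled
    policy_type: str = EXCLUDE    # Exclude is the default in the dialog
    paths_text: str = ""          # Auto Encryption Policy Path(s), one path per line

    def paths(self) -> set[str]:
        # Each path must be on its own line; blank lines are ignored (assumption).
        return {line.strip() for line in self.paths_text.splitlines() if line.strip()}


def matches(policy: Policy, disk: Disk) -> bool:
    """Does the policy select this disk for automatic encryption?"""
    if policy.policy_type == ENCRYPT_ALL:
        return True
    listed = disk.path in policy.paths()
    # Include: only listed paths; Exclude: everything except listed paths.
    return listed if policy.policy_type == INCLUDE else not listed


def plan_auto_encryption(policy: Policy, disks: list[Disk]) -> list[str]:
    """Return the disk paths the Policy Agent would be told to encrypt.

    Nothing happens when the feature is Disabled. Only unencrypted disks that
    meet the criteria are selected; a disk that is already encrypted is never
    decrypted by the policy, even if it no longer meets the criteria.
    """
    if not policy.enabled:
        return []
    return [d.path for d in disks if not d.encrypted and matches(policy, d)]
```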