
Overview

Volume encryption provides transparent at-rest protection for block storage data. Encryption is configured per volume type: every volume created from an encrypted type is encrypted automatically, with no additional action from the user. Encryption keys are generated and stored by the Xloud Key Management service and retrieved at volume attach time, when the compute node opens the volume; the key is held in memory only for the duration of the attachment and is never written to the compute node's disk.
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.
Disk encryption is enabled through the XDeploy Configuration panel:

Enable KMS first

Navigate to XDeploy → Configuration → Advance Features and ensure Enable KMS is set to Yes. Disk encryption requires the Xloud Key Management service to store and manage encryption keys.

Enable Disk Encryption

On the same Advance Features tab, set Enable Disk Encryption to Yes.

Save and deploy

Click Save Configuration, then navigate to XDeploy → Operations and run a Deploy or Reconfigure for the Block Storage and Key Management services.
Disk encryption is enabled. Create encrypted volume types to apply encryption to new volumes.
KMS must be fully deployed and accessible from all compute nodes before enabling disk encryption. If KMS is unreachable, encrypted volume attach operations will fail.
Prerequisites
  • Administrator credentials with the admin role
  • Xloud Key Management service deployed and accessible
  • A volume type with no existing volumes to apply encryption to, or a new volume type (encryption cannot be added to a type that already has volumes)
  • All compute nodes must be able to reach the Key Management service API

Encryption Architecture

Component              | Role
Block Storage API      | Creates the volume with encryption metadata; requests the key from KMS
Key Management Service | Generates and stores the encryption key; returns it at attach time
Volume Service         | Provisions the volume on the backend with encryption metadata
Hypervisor (dm-crypt)  | Applies LUKS encryption/decryption at the block device layer

Configure Volume Type Encryption

Encryption settings cannot be added to or removed from a volume type that already has volumes. Create a new encrypted volume type and migrate existing volumes if encryption is required on previously unencrypted data.

Select the volume type to encrypt

Log in to the Xloud Dashboard (https://connect.<your-domain>) and navigate to Admin → Volumes → Volume Types. Click the volume type name to open its details page.

Create encryption settings

Click Create Encryption. Configure the parameters:
Field            | Recommended Value | Description
Provider         | LuksEncryptor     | LUKS-based encryption via dm-crypt
Cipher           | aes-xts-plain64   | AES in XTS mode, the standard cipher for block-device encryption (NIST SP 800-38E); hardware-accelerated on CPUs with AES instructions
Key Size         | 256               | LUKS key length in bits. XTS uses two AES keys, so 256 yields AES-128-XTS; use 512 for AES-256-XTS
Control Location | front-end         | Encryption applied at the hypervisor layer
Click Create Volume Type Encryption.
aes-xts-plain64 is hardware-accelerated on x86 CPUs with AES-NI and on ARMv8 CPUs with the crypto extensions. The key size is the length of the LUKS key, which XTS splits into two AES keys: a 256-bit key gives AES-128-XTS and a 512-bit key gives AES-256-XTS, so specify 512 if your policy requires AES-256. FIPS 140-2 compliance is a property of validated modules (the hypervisor's kernel crypto module and the key management service), not of the cipher string alone; confirm the validation status of each component before claiming it.

Verify encryption is active

The volume type details page now shows an encryption configuration block. All new volumes created from this type will be encrypted automatically.
Volume type encryption configured — all new volumes of this type are encrypted at rest.

Test Encryption

Verify that encryption is working end-to-end by creating and attaching a test volume:

Create an encrypted volume

Create test encrypted volume
openstack volume create \
  --size 10 \
  --type ssd-encrypted \
  test-encrypted-volume

Attach to an instance

Attach encrypted volume
openstack server add volume <instance-id> test-encrypted-volume

Verify the encryption mapping

The guest never sees the LUKS container: with front-end encryption the compute node opens the volume with dm-crypt and hands the decrypted mapping to the hypervisor, so inside the instance /dev/vdb appears as an ordinary unformatted block device and cryptsetup isLuks reports it as not encrypted. Confirm encryption from the API and on the compute node hosting the instance instead:
Check the volume's encryption flag
openstack volume show -f value -c encrypted test-encrypted-volume
Check the dm-crypt mapping on the compute node
sudo dmsetup ls --target crypt
sudo cryptsetup status /dev/mapper/<mapping-name>
The API reports True and cryptsetup status shows the configured cipher and key size: the volume is encrypted at rest.

Clean up

Detach and delete test volume
openstack server remove volume <instance-id> test-encrypted-volume
openstack volume delete test-encrypted-volume
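Both the volume type parameters above and this attach test, as an added example that is not part of the Xloud documentation or of the platform's own tooling: the script computes the effective AES strength a cipher and key size actually give (the XTS doubling), prints the CLI equivalent of the dashboard's Create Encryption form only when that strength meets a stated policy, and parses the two outputs used to confirm an attach, the volume's encrypted flag from `openstack volume show -f value -c encrypted` and the dm-crypt mapping from `cryptsetup status` on the compute node. The `luks` provider name, the `/dev/mapper/<name>` argument, the `live_check` helper and the SAMPLE_* strings are assumptions or constructed data, not taken from the page.

```shell
#!/bin/sh
# Added example, not Xloud's own tooling. Checks an encryption spec before a
# volume type is created, then parses the outputs used to verify a live
# attach. The SAMPLE_* strings are constructed stand-ins for real command
# output so the script runs offline.

# Effective AES strength for a dm-crypt cipher string and LUKS key size.
# XTS consumes two AES keys, so the LUKS key size is twice the AES strength:
# aes-xts-plain64 with 256 bits is AES-128-XTS, with 512 bits AES-256-XTS.
effective_aes_bits() {
  cipher=$1; bits=$2
  case "$cipher" in
    aes-xts-*) echo $((bits / 2)) ;;
    aes-*)     echo "$bits" ;;
    *)         return 1 ;;
  esac
}

# Reject a spec whose effective strength is below policy; otherwise print the
# CLI equivalent of the dashboard's Create Encryption form. Assumes the CLI
# provider name "luks" (the dashboard's LuksEncryptor entry).
encryption_type_cmd() {
  name=$1; cipher=$2; keysize=$3; min_aes=$4
  aes=$(effective_aes_bits "$cipher" "$keysize") || {
    echo "unsupported cipher: $cipher" >&2; return 1; }
  if [ "$aes" -lt "$min_aes" ]; then
    echo "$cipher with key size $keysize is AES-$aes, policy requires AES-$min_aes" >&2
    return 1
  fi
  printf 'openstack volume type create --encryption-provider luks --encryption-cipher %s --encryption-key-size %s --encryption-control-location front-end %s\n' \
    "$cipher" "$keysize" "$name"
}

# True if `openstack volume show -f value -c encrypted <vol>` printed True.
volume_is_encrypted() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "True" ]
}

# Effective AES bits of an active mapping, parsed from `cryptsetup status`
# output captured on the compute node. Fails if no crypt mapping is reported.
mapping_aes_bits() {
  c=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*cipher:[[:space:]]*//p')
  b=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*keysize:[[:space:]]*\([0-9][0-9]*\) bits.*/\1/p')
  [ -n "$c" ] && [ -n "$b" ] || return 1
  effective_aes_bits "$c" "$b"
}

# Live check for a real deployment (hypothetical helper): run on the compute
# node hosting the instance. $1 = volume name or id, $2 = /dev/mapper/<name>
# of the attach (list candidates with `sudo dmsetup ls --target crypt`),
# $3 = minimum acceptable AES strength in bits.
live_check() {
  volume_is_encrypted "$(openstack volume show -f value -c encrypted "$1")" || return 1
  aes=$(mapping_aes_bits "$(sudo cryptsetup status "$2")") || return 1
  [ "$aes" -ge "$3" ]
}

# Constructed sample outputs, shaped like what the two commands would print.
SAMPLE_VOLUME_SHOW='True'
SAMPLE_CRYPTSETUP_STATUS='/dev/mapper/crypt-example is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  key location: dm-crypt
  device:  /dev/sdb
  mode:    read/write'
```

After the attach step, run `live_check test-encrypted-volume /dev/mapper/<mapping-name> 128` on the compute node; it fails if the API does not report the volume as encrypted, if no crypt mapping is active for the device, or if the mapping's effective AES strength is below the minimum. With the page's recommended key size of 256 the sample status parses to AES-128, which is why the policy check rejects 256 when AES-256 is required and accepts 512.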

Key Management Dependency

Encryption key loss means the volume data is permanently inaccessible — there is no recovery path without the key. Before enabling volume encryption in production, ensure the Xloud Key Management service is:
  • Deployed in a high-availability configuration
  • Backed up regularly (key database backup)
  • Accessible from all compute nodes that may attach encrypted volumes
If the Key Management service is unavailable, attaching an encrypted volume will fail with an authentication or connectivity error.

Per-Volume Selective Encryption

Xloud-Developed — This capability is developed by Xloud and ships with XAVS / XPCI.
Xloud supports selective encryption — encrypted and unencrypted volume types coexist within the same deployment. This allows administrators to apply encryption only where compliance or data sensitivity requires it, avoiding the performance overhead of blanket encryption on non-sensitive workloads. Key characteristics:
  • Per-tenant key isolation — each tenant’s encryption keys are stored and managed independently in the Xloud Key Management service. Tenants cannot access each other’s keys, even if they share the same storage backend.
  • Three independent encryption layers — Xloud provides encryption at three distinct levels that can be enabled independently or together:
Layer                             | Scope                               | Encryption Point
Storage device encryption         | Full disk on physical storage nodes | Hardware or dm-crypt on the OSD device
Block volume encryption           | Individual persistent volumes       | LUKS at the hypervisor (dm-crypt) per volume type
Compute ephemeral disk encryption | Instance root and ephemeral disks   | LUKS at the hypervisor for ephemeral storage
For most deployments, block volume encryption alone satisfies data-at-rest compliance requirements. Add storage device encryption for defense-in-depth on shared infrastructure, and ephemeral disk encryption for instances that process sensitive data without persistent volumes.

Next Steps

Key Manager User Guide

Manage encryption keys and secrets in the Xloud Key Management service

Volume Types & QoS

Create and manage volume types with backend associations

Security Hardening

Additional security policies for Block Storage

Admin Guide

Return to the Block Storage administration overview