Local Disk Encryption #7026

Open
wants to merge 23 commits into
base: develop
Changes from 2 commits
45 changes: 26 additions & 19 deletions docs/products/compute/compute-instances/guides/create/index.md
Expand Up @@ -3,7 +3,7 @@ title: "Create a Compute Instance"
title_meta: "Create a Compute Instance on the Linode Platform"
description: "Learn how to create a new Compute Instance, including choosing a distribution, region, and plan size."
published: 2022-04-19
modified: 2024-06-20
modified: 2024-07-03
keywords: ["getting started", "deploy", "linode", "linux"]
aliases: ['/guides/creating-a-compute-instance/','/products/compute/dedicated-cpu/guides/deploy/']
---
Expand All @@ -14,12 +14,13 @@ This guide walks you through creating a Compute Instance (also frequently called
- [Choose a Distribution, App, or Image](#choose-a-distribution-app-or-image)
- [Select a Region](#select-a-region)
- [Choose an Instance Type and Plan](#choose-an-instance-type-and-plan)
- [Set the Label and Add Tags](#set-the-label-and-add-tags)
- [Set the Label, Add Tags, and Assign a Placement Group](#set-the-label-add-tags-and-assign-a-placement-group)
- [Create a Password and Add SSH Keys](#create-a-password-and-add-ssh-keys)
- [Assign to a VPC (Optional) {#assign-to-a-vpc}](#assign-to-a-vpc-optional-assign-to-a-vpc)
- [Assign to a Cloud Firewall (Optional) {#assign-to-a-cloud-firewall}](#assign-to-a-cloud-firewall-optional-assign-to-a-cloud-firewall)
- [Assign to a VLAN (Optional) {#assign-to-a-vlan}](#assign-to-a-vlan-optional-assign-to-a-vlan)
- [Assign to a Placement Group (Optional) {#assign-to-a-placement-group}](#assign-to-a-placement-group-optional-assign-to-a-placement-group)
- [Enable or Disable Local Disk Encryption](#enable-or-disable-local-disk-encryption)
- [Assign to a VPC (Optional)](#assign-to-a-vpc-optional)
- [Assign to a Cloud Firewall (Optional)](#assign-to-a-cloud-firewall)
- [Assign to a VLAN (Optional)](#assign-to-a-vlan)
- [Assign to a Placement Group (Optional)](#assign-to-a-placement-group)
- [Configure Additional Options](#configure-additional-options)
- [Add User Data](#add-user-data)
- [Deploy the Instance](#deploy-the-instance)
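Review bot: The table of contents still adds `[Assign to a Placement Group (Optional)](#assign-to-a-placement-group)`, but this same change deletes the `## Assign to a Placement Group (Optional) {#assign-to-a-placement-group}` section and moves its content under "Set the Label, Add Tags, and Assign a Placement Group", so that entry has no target; drop it. The Cloud Firewall and VLAN entries link to `#assign-to-a-cloud-firewall` and `#assign-to-a-vlan`, while the VPC heading loses its explicit `{#assign-to-a-vpc}` id in this change; confirm those two headings keep their explicit ids, or switch the links to the generated `-optional` slugs as was done for VPC.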
Expand Down Expand Up @@ -77,14 +78,20 @@ You can resize to a different plan size or instance type at any time. This means

{{% content "instance-comparison-shortguide" %}}

## Set the Label and Add Tags
## Set the Label, Add Tags, and Assign a Placement Group

![Label selection in Cloud Manager](create-instance-label.png)
![Label selection in Cloud Manager](create-label-tag-pg.jpg)

- **Label:** The label is the name of the Compute Instance, allowing you to easily identify it from other instances. A good label should provide some indication as to what the instance is used for. As an example, a label of `acme-web-prod` may indicate that the instance is the production website for the company Acme. If you have already implemented your own naming conventions for your cloud infrastructure, follow those conventions. Labels must only use letters, numbers, underscores, dashes, and periods.

- **Tags:** Adding tags gives you the ability to categorize your Linode services however you wish. If you're a web development agency, you could add a tag for each client you have. You could also add tags for which services are for development, staging, or production.

- **Placement Groups:** (Optional) Add this Compute Instance to a Placement Group to manage its physical location in a data center ("region"). Placement Groups can be set up to group your compute instances close together to help with performance, or further apart to support high availability. Placement Groups are available at no additional cost, but they're not available in all regions. See [Work with Placement Groups](/docs/products/compute/compute-instances/guides/placement-groups/) to learn more.

{{< note >}}
If you don't have an existing Placement Group, you can click **Create Placement Group** to create a new one. This takes you to a separate interface, outside creating your compute instance. For ease of use, create your compute instances in a supported region, then later create a Placement Group and assign your compute instances to it.
{{< /note >}}

## Create a Password and Add SSH Keys

![Enter root password in Cloud Manager](create-instance-password.png)
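Review bot: The replacement screenshot `create-label-tag-pg.jpg` keeps the alt text "Label selection in Cloud Manager" although the section now covers the label, tags and Placement Group; update the alt text to describe what the image shows. The new bullet is labelled **Placement Groups:** while the heading and the **Create Placement Group** button use the singular; use one form.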
Expand All @@ -95,7 +102,17 @@ You can resize to a different plan size or instance type at any time. This means

- **SSH Keys:** Add any SSH Keys to the root user account on the server. This enables you to log in through SSH without needing a password. SSH keys are created as a pair: a *private key* stored on your local computer and a *public key* that you can upload to remote systems and services. Since you only share your public key and your private key is kept safe and secure, this is a much more secure method for authentication than passwords. Learn more about uploading SSH keys through the Cloud Manager on the [Manage SSH Keys](/docs/products/platform/accounts/guides/manage-ssh-keys/) guide.

## Assign to a VPC (Optional) {#assign-to-a-vpc}
## Enable or Disable Local Disk Encryption

Secure the data on this Linode using data at rest encryption. Data center systems take care of encrypting and decrypting for you. If you need to enable or disable **Disk Encryption** after the Linode is created, you must use Rebuild to change this setting.

{{< note >}}
Disk Encryption is not currently available in all regions.
{{< /note >}}

More information is available from the [Local Disk Encryption](/docs/products/compute/compute-instances/guides/local-disk-encryption/) guide.

## Assign to a VPC (Optional)

![Screenshot of the VPC assignment section](create-instance-vpc.jpg)

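Review bot: The new "Enable or Disable Local Disk Encryption" section does not state the default or when the setting is locked. The guide added in this pull request says encryption is enabled by default where the region supports it and that the setting cannot be changed for Linodes in an LKE node pool or for distributed compute instances; someone deciding whether to disable it at creation time should see that here, together with the guide's warning that Backups and Images taken from an encrypted disk are not encrypted. Separately, removing `{#assign-to-a-vpc}` from the VPC heading changes its anchor to the generated slug, so existing links to `#assign-to-a-vpc` stop resolving; keep the explicit id unless that is intended.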
Expand Down Expand Up @@ -131,16 +148,6 @@ Add this Compute Instance to a secure private network. VLANs are available at no
In most cases, it's recommended to use a VPC over a VLAN. VPCs operate on a higher network layer and come with more IP addressing and IP routing functionality. Additionally, you can further segment out network traffic through subnets, each of which has its own CIDR range. Review [these differences](/docs/products/networking/vpc/#difference-between-private-network-options-vpcs-vlans-and-private-ips) to learn more.
{{< /note >}}

## Assign to a Placement Group (Optional) {#assign-to-a-placement-group}

![Creating a receiving Linode](create-instance-pg.png)

Add this Compute Instance to a Placement Group to manage its physical location in a data center ("region"). Placement Groups can be set up to group your compute instances close together to help with performance, or further apart to support high availability. Placement Groups are available at no additional cost, but they're not available in all regions. See [Work with Placement Groups](/docs/products/compute/compute-instances/guides/placement-groups/) to learn more.

{{< note >}}
If you don't have an existing Placement Group, you can click **Create Placement Group** to create a new one. This takes you to a separate interface, outside creating your compute instance. For ease of use, create your compute instances in a supported region, then later create a Placement Group and assign your compute instances to it.
{{< /note >}}

## Configure Additional Options

The following features and services can be configured during the Compute Instance's creation or at any point after.
@@ -0,0 +1,67 @@
---
title: "Local Disk Encryption"
description: Local disk encryption helps you to protect the information stored on your Linode's disk. This guide shows how to implement local disk encryption.
keywords: ['local disk encryption','disk encryption', 'encryption','security']
aliases: ['/guides/local-disk-encryption/']
tags: ["security","encryption"]
modified: 2024-07-01
modified_by:
name: Akamai
published: 2024-07-01
title: Local Disk Encryption
authors: ["Akamai"]
---

Local disk encryption ensures that your data stored on compute instances is encrypted. Disk encryption protects against data leakage if the disk is ever removed from the datacenter, recycled or disposed of. Systems within the datacenter manage the encryption and decryption for you.

By default, disk encryption is enabled on all compute instances.

## How Local Disk Encryption Works With Different Services

| Service | Local Disk Encryption Behavior |
|------|-------|
| [**Backups:**](/docs/products/storage/backups/) automatic full file-based snapshot of your disks taken during your preferred scheduled time slot while the compute instance is still running. |{{< note type="alert" >}}Backups are not encrypted even when they are taken from an encrypted disk.{{< /note >}} When a backup is restored, and if encryption is enabled, the data stored on the disk is encrypted again. |
| [**Clone:**](/docs/products/compute/compute-instances/guides/clone-instance/) allows duplication of a compute instance to a new or existing instance.|<li>Data on encrypted disks remain encrypted.</li> <li>Data on unencrypted disks remain unencrypted.</li>|
| [**Configuration Profile:**](/docs/products/compute/compute-instances/guides/configuration-profiles/) functions as a boot loader for a compute instance. This is a public image. |Never encrypted.|
| [**Create:**](/docs/products/compute/compute-instances/guides/create/) Linux virtual machines equipped with a tailored set of resources designed to run any cloud-based workload. |Local disk encryption is enabled by default if it's available in a region. You can opt-out of disk encryption if the Linode is not part of a LKE node pool, or it is not a distributed compute instance. <br><br> After a compute instance is created, changing the stored data from encrypted to decrypted or decrypted to encrypted requires a Rebuild.</br> |
| [**Images:**](/docs/products/tools/images/) allows you to store custom disk images in the Cloud. These images can be preconfigured with the exact software and settings and can be deployed to new or existing compute instances. |{{< note type="alert" >}}Images are not encrypted even when they are taken from an encrypted disk. {{< /note >}}When an image is deployed, and if encryption is enabled, the data stored on the disk is encrypted again. |
| [**Migration:**](/docs/products/compute/compute-instances/guides/migrate-to-different-dc/) moves your compute instance to another data center. |During migration, a new disk is created on the destination host. Decrypted bits are copied over from the source to the destination. The new disk is encrypted if the destination host has local disk encryption enabled. |
| [**Rebuild:**](/docs/products/compute/compute-instances/guides/rescue-and-rebuild/) start over with a fresh Linux distribution or use a backup. | You can enable or disable disk encryption during a Rebuild. During a Rebuild, the previous encryption setting is used unless it's changed.<br> **Note:** The **Encrypt Disk** setting for Linodes attached to a node pool can not be changed.</br>|
| [**Rescue:**](/docs/products/compute/compute-instances/guides/rescue-and-rebuild/) boot your compute instance into Rescue Mode to perform system recovery tasks and transfer data off the disks when you suspect a corrupt file system. | When a rescue image is deployed, and if encryption is enabled, the data stored on the disk is encrypted again.|
| [**Resize:**](/docs/products/compute/compute-instances/guides/resize/) changing a compute instances plan to resize your instance. |<li>Data on encrypted disks remain encrypted.</li> <li>Data on unencrypted disks remain unencrypted.</li> |

## Considerations

- Disk encryption is currently not available in all regions. Select another region to use Disk Encryption or enable encryption when it does become available using [Rebuild](/docs/products/compute/compute-instances/guides/rescue-and-rebuild/#rebuilding).

- Distributed Compute Instances are encrypted automatically if this feature is supported in the region. The disk encryption setting can not be changed.

- New LKE clusters are encrypted if disk encryption is supported in the region. This disk encryption setting can not be changed.

- Encryption can increase compute instance CPU overhead and decrease realized throughput.
- For performance sensitive workloads on linodes that are not part of a node pool, you can opt-out of disk encryption.
- For performance sensitive workloads on linodes that are part of a LKE node pool, you can create additional node pools to spread out the workloads if required.

- If the compute instance is part of a LKE node pool, you cannot change the disk encryption setting. If a node pool is not encrypted and you want an encrypted node pool, delete the node pool and create a new node pool. New node pools are always encrypted.

- After a compute instance is created, changing the stored data from encrypted to decrypted or decrypted to encrypted requires a [Rebuild](/docs/products/compute/compute-instances/guides/rescue-and-rebuild/#rebuilding).

## Check if Disk Encryption is Enabled on a Linode

1. Log in to the [Cloud Manager](https://cloud.linode.com) and click the **Linodes** link in the sidebar.

1. Click on your Linode Compute Instance from the list to view more details.

1. Within the top *Summary* section, you can view if the compute instance is `Encrypted` or `Not Encrypted`.

## Check if Disk Encryption is Enabled on a Cluster's Node Pools

1. Log in to the [Cloud Manager](http://cloud.linode.com), click **Kubernetes** in the left menu, and select the cluster you wish to view. See [Manage Kubernetes Clusters](/docs/products/compute/kubernetes/guides/manage-clusters/).

1. Scroll down to the **Node Pools** section. This lists all node pools for your cluster and their encryption status.

![Screenshot of the Node Pools section of a cluster in the Cloud Manager with encryption](view-node-pools-encryption.jpg)

{{< note >}}
If a node pool is not encrypted and you want an encrypted node pool, delete the node pool and create a new node pool. New node pools are always encrypted.
{{< /note >}}
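Review bot: "By default, disk encryption is enabled on all compute instances" in the introduction contradicts the rest of the guide, which says encryption is "enabled by default if it's available in a region" and is "currently not available in all regions"; qualify the sentence so that readers in unsupported regions do not assume their disks are encrypted. The front matter defines `title:` twice (`title: "Local Disk Encryption"` and `title: Local Disk Encryption`); remove one. The node pool steps link to `http://cloud.linode.com` while the Linode steps use `https://cloud.linode.com`; use https for the login link in both. Several table cells close a line break with `</br>`, which is not a valid tag; a bare `<br>` is enough. The Backups and Images rows carry the only warning that those copies are stored unencrypted; since that limits what disk encryption protects, repeat it under Considerations.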