Local Disk Encryption #7026

Open: wants to merge 23 commits into base: develop
1 change: 1 addition & 0 deletions docs/products/compute/compute-instances/guides/_index.md
Expand Up @@ -41,6 +41,7 @@ aliases: ['/products/compute/shared-linodes/guides/','/products/compute/shared-c
- [Managing the Kernel](/docs/products/compute/compute-instances/guides/manage-the-kernel/)
- [Copy a Disk Over SSH](/docs/products/compute/compute-instances/guides/copy-a-disk-image-over-ssh/)
- [Copying a Disk to a Different Account](/docs/products/compute/compute-instances/guides/copy-a-disk-image-to-a-different-account/)
- [Local Disk Encryption](/docs/products/compute/compute-instances/guides/local-disk-encryption/)

## Networking

45 changes: 27 additions & 18 deletions docs/products/compute/compute-instances/guides/create/index.md
Expand Up @@ -14,12 +14,13 @@ This guide walks you through creating a Compute Instance (also frequently called
- [Choose a Distribution, App, or Image](#choose-a-distribution-app-or-image)
- [Select a Region](#select-a-region)
- [Choose an Instance Type and Plan](#choose-an-instance-type-and-plan)
- [Set the Label and Add Tags](#set-the-label-and-add-tags)
- [Set the Label, Add Tags, and Assign a Placement Group](#set-the-label-add-tags-and-assign-a-placement-group)
- [Create a Password and Add SSH Keys](#create-a-password-and-add-ssh-keys)
- [Assign to a VPC (Optional) {#assign-to-a-vpc}](#assign-to-a-vpc-optional-assign-to-a-vpc)
- [Assign to a Cloud Firewall (Optional) {#assign-to-a-cloud-firewall}](#assign-to-a-cloud-firewall-optional-assign-to-a-cloud-firewall)
- [Assign to a VLAN (Optional) {#assign-to-a-vlan}](#assign-to-a-vlan-optional-assign-to-a-vlan)
- [Assign to a Placement Group (Optional) {#assign-to-a-placement-group}](#assign-to-a-placement-group-optional-assign-to-a-placement-group)
- [Enable or Disable Disk Encryption](#enable-or-disable-disk-encryption)
- [Assign to a VPC (Optional)](#assign-to-a-vpc-optional)
- [Assign to a Cloud Firewall (Optional)](#assign-to-a-cloud-firewall)
- [Assign to a VLAN (Optional)](#assign-to-a-vlan)
- [Assign to a Placement Group (Optional)](#assign-to-a-placement-group)
- [Configure Additional Options](#configure-additional-options)
- [Add User Data](#add-user-data)
- [Deploy the Instance](#deploy-the-instance)
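Review bot: the TOC still lists `- [Assign to a Placement Group (Optional)](#assign-to-a-placement-group)`, but this PR deletes that section further down (its text is folded into "Set the Label, Add Tags, and Assign a Placement Group"), so the entry now points at a heading that no longer exists; drop it or repoint it to `#set-the-label-add-tags-and-assign-a-placement-group`. The rewritten entries also mix anchor styles: the VPC entry links `#assign-to-a-vpc-optional` while the Cloud Firewall and VLAN entries link `#assign-to-a-cloud-firewall` and `#assign-to-a-vlan` without `-optional`. Check each against the heading it targets; the VPC heading in this diff drops its explicit `{#assign-to-a-vpc}` id, so its anchor is now auto-generated and any inbound links to `#assign-to-a-vpc` break.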
Expand Down Expand Up @@ -77,14 +78,20 @@ You can resize to a different plan size or instance type at any time. This means

{{% content "instance-comparison-shortguide" %}}

## Set the Label and Add Tags
## Set the Label, Add Tags, and Assign a Placement Group

![Label selection in Cloud Manager](create-instance-label.png)
![Label selection in Cloud Manager](create-label-tag-pg.jpg)

- **Label:** The label is the name of the Compute Instance, allowing you to easily identify it from other instances. A good label should provide some indication as to what the instance is used for. As an example, a label of `acme-web-prod` may indicate that the instance is the production website for the company Acme. If you have already implemented your own naming conventions for your cloud infrastructure, follow those conventions. Labels must only use letters, numbers, underscores, dashes, and periods.

- **Tags:** Adding tags gives you the ability to categorize your Linode services however you wish. If you're a web development agency, you could add a tag for each client you have. You could also add tags for which services are for development, staging, or production.

- **Placement Groups:** (Optional) Add this Compute Instance to a Placement Group to manage its physical location in a data center ("region"). Placement Groups can be set up to group your compute instances close together to help with performance, or further apart to support high availability. Placement Groups are available at no additional cost, but they're not available in all regions. See [Work with Placement Groups](/docs/products/compute/compute-instances/guides/placement-groups/) to learn more.

{{< note >}}
If you don't have an existing Placement Group, you can click **Create Placement Group** to create a new one. This takes you to a separate interface, outside creating your compute instance. For ease of use, create your compute instances in a supported region, then later create a Placement Group and assign your compute instances to it.
{{< /note >}}

## Create a Password and Add SSH Keys

![Enter root password in Cloud Manager](create-instance-password.png)
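Review bot: the screenshot is swapped for `create-label-tag-pg.jpg`, which by its name now shows the tags and Placement Group fields as well, but the alt text still reads "Label selection in Cloud Manager"; update it to cover label, tags and Placement Group so it matches the new heading. The Placement Groups bullet and its note are moved here verbatim from the removed section, so no text is lost, but "further apart" reads better as "farther apart".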
Expand All @@ -95,7 +102,19 @@ You can resize to a different plan size or instance type at any time. This means

- **SSH Keys:** Add any SSH Keys to the root user account on the server. This enables you to log in through SSH without needing a password. SSH keys are created as a pair: a *private key* stored on your local computer and a *public key* that you can upload to remote systems and services. Since you only share your public key and your private key is kept safe and secure, this is a much more secure method for authentication than passwords. Learn more about uploading SSH keys through the Cloud Manager on the [Manage SSH Keys](/docs/products/platform/accounts/guides/manage-ssh-keys/) guide.

## Assign to a VPC (Optional) {#assign-to-a-vpc}
## Enable or Disable Disk Encryption

Consider enabling **Disk Encrypt** on this Compute Instance. The platform manages encryption and decryption for you. After a Compute Instance is created, use [Rebuild](/docs/products/compute/compute-instances/guides/rescue-and-rebuild/#rebuilding) to change this setting.

![Enable Disk Encryption](create-disk-encryption.jpg)

{{< note >}}
Disk Encryption is not currently available in all regions.
{{< /note >}}

More information is available from the [Local Disk Encryption](/docs/products/compute/compute-instances/guides/local-disk-encryption/) guide.

## Assign to a VPC (Optional)

![Screenshot of the VPC assignment section](create-instance-vpc.jpg)

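Review bot: the new section calls the setting **Disk Encrypt**, while every other file in this PR (the Local Disk Encryption guide, the Rebuild guide) calls it **Encrypt Disk**; use one name, matching the Cloud Manager label. The section also never states the default, although the new guide says encryption is enabled by default where the region supports it; one sentence here would save the reader a click and makes clear that leaving the box alone still yields an encrypted disk in supported regions. Separately, `## Assign to a VPC (Optional) {#assign-to-a-vpc}` becomes `## Assign to a VPC (Optional)`, so the generated anchor changes to `assign-to-a-vpc-optional` and existing links to `#assign-to-a-vpc` break; keep the explicit id unless those links have been updated.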
Expand Down Expand Up @@ -131,16 +150,6 @@ Add this Compute Instance to a secure private network. VLANs are available at no
In most cases, it's recommended to use a VPC over a VLAN. VPCs operate on a higher network layer and come with more IP addressing and IP routing functionality. Additionally, you can further segment out network traffic through subnets, each of which has its own CIDR range. Review [these differences](/docs/products/networking/vpc/#difference-between-private-network-options-vpcs-vlans-and-private-ips) to learn more.
{{< /note >}}

## Assign to a Placement Group (Optional) {#assign-to-a-placement-group}

![Creating a receiving Linode](create-instance-pg.png)

Add this Compute Instance to a Placement Group to manage its physical location in a data center ("region"). Placement Groups can be set up to group your compute instances close together to help with performance, or further apart to support high availability. Placement Groups are available at no additional cost, but they're not available in all regions. See [Work with Placement Groups](/docs/products/compute/compute-instances/guides/placement-groups/) to learn more.

{{< note >}}
If you don't have an existing Placement Group, you can click **Create Placement Group** to create a new one. This takes you to a separate interface, outside creating your compute instance. For ease of use, create your compute instances in a supported region, then later create a Placement Group and assign your compute instances to it.
{{< /note >}}

## Configure Additional Options

The following features and services can be configured during the Compute Instance's creation or at any point after.
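Review bot: deleting `## Assign to a Placement Group (Optional) {#assign-to-a-placement-group}` also deletes the `assign-to-a-placement-group` anchor, which the TOC at the top of this file still links to and other guides may link to as well; either update those links or carry the explicit id over to the merged "Set the Label, Add Tags, and Assign a Placement Group" heading. The body text and note move up unchanged, so the content itself is intact.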
@@ -0,0 +1,70 @@
---
title: "Local Disk Encryption"
description: Local disk encryption helps you to protect the information stored on your Linode's disk. This guide shows how to implement local disk encryption.
keywords: ['local disk encryption','disk encryption', 'encryption','security']
aliases: ['/guides/local-disk-encryption/']
tags: ["security","encryption"]
modified: 2024-07-01
modified_by:
name: Akamai
published: 2024-07-01
title: Local Disk Encryption
authors: ["Akamai"]
---

Local disk encryption ensures that your data stored on Compute Instances is secured. Disk encryption protects against unauthorized data access by keeping the data encrypted if the disk is ever removed from the datacenter, decommissioned, or disposed of. The platform manages the encryption and decryption for you.

By default, disk encryption is enabled on all compute instances.

## How Disk Encryption Works With Different Services and Features

| Service or Feature| Disk Encryption Behavior |
|------|-------|
| [**Backups:**](/docs/products/storage/backups/) automatic full file-based snapshot of your disks taken during your preferred scheduled time slot while the compute instance is still running. |{{< note type="alert" >}}Backups are not encrypted even when they are taken from an encrypted disk.{{< /note >}} When a backup is restored, and if encryption is enabled, the data stored on the disk is encrypted again. |
| [**Images:**](/docs/products/tools/images/) allows you to store custom disk images in the Cloud. These images can be preconfigured with the exact software and settings and can be deployed to new or existing compute instances. |{{< note type="alert" >}}Images are not encrypted even when they are taken from an encrypted disk. {{< /note >}}When an image is deployed, and if encryption is enabled, the data stored on the disk is encrypted again. |
| [**Clone:**](/docs/products/compute/compute-instances/guides/clone-instance/) allows duplication of a compute instance to a new or existing instance.|<li>Data on encrypted disks remain encrypted.</li> <li>Data on unencrypted disks remain unencrypted.</li>|
| [**Create:**](/docs/products/compute/compute-instances/guides/create/) Compute Instances equipped with a tailored set of resources designed to run any cloud-based workload. |Disk encryption is enabled by default if it's available in a region. You can change the disk encryption setting (**Encrypt Disk**) if the Compute Instance is not part of a LKE node pool. Disk encryption is always enabled on Distributed Compute Instances. <br>After a Compute Instance is created, changing the **Encrypt Disk** setting requires a Rebuild.</br> |
| [**Migration:**](/docs/products/compute/compute-instances/guides/migrate-to-different-dc/) moves your compute instance to another data center. |During migration, a new disk is created on the destination host. Decrypted bits are copied over from the source to the destination. The new disk is encrypted if the destination host has disk encryption enabled. |
| [**Rebuild:**](/docs/products/compute/compute-instances/guides/rescue-and-rebuild/) start over with a fresh Linux distribution or use a backup. | You can change the **Encrypt Disk** setting by performing a Rebuild. During a Rebuild, the previous encryption setting is used unless it's changed.<br>The **Encrypt Disk** setting for Compute Instances attached to an LKE node pool can not be changed.</br>|
| [**Rescue:**](/docs/products/compute/compute-instances/guides/rescue-and-rebuild/) boot your compute instance into Rescue Mode to perform system recovery tasks and transfer data off the disks when you suspect a corrupt file system. | When a rescue image is deployed, and if encryption is enabled, the data stored on the disk is encrypted again.|
| [**Resize:**](/docs/products/compute/compute-instances/guides/resize/) changing a compute instances plan to resize your instance. |<li>Data on encrypted disks remain encrypted.</li> <li>Data on unencrypted disks remain unencrypted.</li> |

## Considerations

- Disk encryption is currently not available in all regions. Select another region to use Disk Encryption or enable encryption when it does become available using [Rebuild](/docs/products/compute/compute-instances/guides/rescue-and-rebuild/#rebuilding).

- After a Compute Instance is created, changing the **Encrypt Disk** setting requires a [Rebuild](/docs/products/compute/compute-instances/guides/rescue-and-rebuild/#rebuilding).

- Distributed Compute Instances are encrypted automatically if this feature is supported in the region. The disk encryption setting can not be changed.

- New LKE clusters are encrypted if disk encryption is supported in the region. This disk encryption setting can not be changed.

- If the Compute Instance is part of a LKE node pool, you cannot change the disk encryption setting. If a node pool is not encrypted and you want an encrypted node pool, delete the node pool and create a new node pool. New node pools are always encrypted.

- Encryption in general, can increase CPU overhead and decrease realized throughput.
- For performance-sensitive workloads on Compute Instances that are not part of an LKE node pool, you can opt-out of disk encryption or disable **Encrypt Disk** by performing a [Rebuild](/docs/products/compute/compute-instances/guides/rescue-and-rebuild/).
- For performance-sensitive workloads on Compute Instances that are part of a LKE node pool, you can create additional node pools to spread out the workloads if required.


## Check if Disk Encryption is Enabled on a Compute Instance

1. Log into [Cloud Manager](https://cloud.linode.com) and click the **Linodes** link in the sidebar.

1. Click on a Compute Instance from the list to view more details.

1. Within the top *Summary* section, you can view if the compute instance is `Encrypted` or `Not Encrypted`.

![Screenshot of the Compute Instances in the Cloud Manager with and without encryption](view-compute-instance-encrypt-setting.jpg)


## Check if Disk Encryption is Enabled on a Cluster's Node Pools

1. Log into [Cloud Manager](http://cloud.linode.com), click **Kubernetes** in the left menu, and select the cluster you wish to view.

1. Scroll down to the **Node Pools** section. This lists all node pools for your cluster and their encryption status.

![Screenshot of the Node Pools section of a cluster in the Cloud Manager with encryption](view-node-pools-encryption.jpg)

{{< note >}}
If a node pool is not encrypted and you want an encrypted node pool, [delete the node pool](/docs/products/compute/kubernetes/guides/manage-node-pools/#remove-a-node-pool) and [create a new node pool](https://deploy-preview-7026--nostalgic-ptolemy-b01ab8.netlify.app/docs/products/compute/kubernetes/guides/manage-node-pools/#add-a-node-pool). New node pools are always encrypted.
{{< /note >}}
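Review bot: the front matter defines `title` twice (`title: "Local Disk Encryption"` on the second line and `title: Local Disk Encryption` near the end); duplicate YAML keys are rejected by strict parsers and silently overridden by lenient ones, so remove one. The opening claim "By default, disk encryption is enabled on all compute instances." contradicts the Considerations ("currently not available in all regions") and the Create row ("enabled by default if it's available in a region"); qualify it to "in regions where it is available". The Backups and Images rows carry the caveat a reader relying on encryption at rest most needs (backups and images are stored unencrypted even when taken from an encrypted disk); repeat it in Considerations rather than leaving it only inside the table. The Migration row says "Decrypted bits are copied over from the source to the destination", which reads as a plaintext transfer; state how the copy is protected in transit or reword it. The node-pools note links `https://deploy-preview-7026--nostalgic-ptolemy-b01ab8.netlify.app/docs/...`, a Netlify preview URL that will not survive merge; use the relative path `/docs/products/compute/kubernetes/guides/manage-node-pools/#add-a-node-pool`. Markup: the table cells use `<li>` with no enclosing `<ul>` and `<br>...</br>` (`br` is a void element); use `<ul><li>…</li></ul>` and a bare `<br>`. Style: `http://cloud.linode.com` in one section vs `https://cloud.linode.com` in the other (use https), "can not" → "cannot", "Encryption in general, can increase" → "Encryption, in general, can increase", "Data on encrypted disks remain" → "remains", and "a LKE node pool" → "an LKE node pool".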
Expand Up @@ -377,9 +377,9 @@ To use the Rebuild feature:

1. Click on the **more options ellipsis** next to the Compute Instance that will be rebuilt, and click on the Rebuild option to open the Rebuild form:

![Cloud Manager Linodes page - rebuild option highlighted](cloud-manager-linodes-rebuild.png)
![Cloud Manager Linodes page - rebuild option highlighted](rebuild-form.jpg)

1. Complete the Rebuild form. Select an image or StackScript to deploy and enter a root password. Optionally, select one or more SSH keys (if you have not added any SSH Keys via the Cloud Manager, this option does not appear).
1. Complete the Rebuild form. Select an image or StackScript to deploy and enter a root password. Optionally, select one or more SSH keys (if you have not added any SSH Keys via the Cloud Manager, this option does not appear). Enable or disable **Encrypt Disk**. The **Encrypt Disk** setting for Compute Instances attached to an LKE node pool can not be changed. For Distributed Compute Instances, the disk encryption setting is always enabled. For more information on this feature, see [Local Disk Encryption](/docs/products/compute/compute-instances/guides/local-disk-encryption/).

{{% content "password-requirements-shortguide" %}}

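Review bot: the added sentence tells the reader to "Enable or disable **Encrypt Disk**" but not what the form pre-selects; the new Local Disk Encryption guide says the previous encryption setting is used unless it is changed, so state that here so a reader does not accidentally rebuild an encrypted instance as unencrypted. Since the guide also says encryption is not available in all regions, say what the form shows for an instance in an unsupported region. Minor: "can not" → "cannot", and the sentence could be split, as it now carries four separate statements.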
4 changes: 3 additions & 1 deletion docs/products/compute/kubernetes/get-started/index.md
Expand Up @@ -59,7 +59,9 @@ Visit the [Kubernetes documentation](https://kubernetes.io/docs/tasks/tools/inst

- From the **Version** dropdown menu, select a Kubernetes version to deploy to your cluster.

1. In the **Add Node Pools** section, select the [hardware resources](/docs/products/compute/compute-instances/plans/choosing-a-plan/#compute-resources) for the Linode worker node(s) that make up your LKE cluster. To the right of each plan, select the plus `+` and minus `-` to add or remove a Linode to a node pool one at time.
1. Define the setting for the Kubernetes Control Plane. Select Yes, to enable High Availability (HA) for Control Plane Components. To learn more, see [High Availability (HA) Control Plane](/docs/products/compute/kubernetes/guides/high-availability-control-plane/).

1. In the **Add Node Pools** section, select the [hardware resources](/docs/products/compute/compute-instances/plans/choosing-a-plan/#compute-resources) for the Linode worker node(s) that make up your LKE cluster. To the right of each plan, select the plus `+` and minus `-` to add or remove a Linode to a node pool one at time.

1. Once you're satisfied with the number of nodes in a node pool, select **Add** to include it in your configuration. If you decide that you need more or fewer hardware resources after you deploy your cluster, you can always [edit your Node Pool](#edit-or-remove-existing-node-pools).

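Review bot: the inserted step covers the High Availability control plane only and says nothing about disk encryption, yet the PR's Local Disk Encryption guide states that new LKE clusters are encrypted if the region supports it and that the setting cannot be changed afterwards; the cluster creation flow is where a reader decides region and node pools, so add that sentence (and the guide link) to the Add Node Pools step. Also "Select Yes, to enable" has a stray comma, and the re-added Add Node Pools line keeps the pre-existing typo "one at time" (→ "one at a time"), which this rewrite is the chance to fix.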
Expand Up @@ -11,12 +11,16 @@ This guide covers managing the node pools on your cluster, including adding and

## View Node Pools

1. Log in to the [Cloud Manager](http://cloud.linode.com), click **Kubernetes** in the left menu, and select the cluster you wish to view. See [Manage Kubernetes Clusters](/docs/products/compute/kubernetes/guides/manage-clusters/).
1. Log into [Cloud Manager](http://cloud.linode.com), click **Kubernetes** in the left menu, and select the cluster you wish to view. See [Manage Kubernetes Clusters](/docs/products/compute/kubernetes/guides/manage-clusters/).

1. Scroll down to the **Node Pools** section. This lists all node pools for your cluster and their associated nodes.
1. Scroll down to the **Node Pools** section. This lists all node pools for your cluster and their associated nodes. The Disk Encryption setting for the node pool is also displayed. See [Local Disk Encryption](/docs/products/compute/compute-instances/guides/local-disk-encryption/).

![Screenshot of the Node Pools section of a cluster in the Cloud Manager](view-node-pools.png)

{{< note >}}
If a node pool is not encrypted and you want an encrypted node pool, [delete the node pool](/docs/products/compute/kubernetes/guides/manage-node-pools/#remove-a-node-pool) and [create a new node pool](https://deploy-preview-7026--nostalgic-ptolemy-b01ab8.netlify.app/docs/products/compute/kubernetes/guides/manage-node-pools/#add-a-node-pool). New node pools are always encrypted.
{{< /note >}}

## Add a Node Pool

Additional node pools can be added to host different applications or services within the same Kubernetes cluster. Since each node pool can be assigned its own virtual machine (Compute Instance) plan, separating applications into node pools can boost efficiency and allow each application to only be assigned the resources it needs.
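Review bot: the new note links the deploy preview `https://deploy-preview-7026--nostalgic-ptolemy-b01ab8.netlify.app/docs/products/compute/kubernetes/guides/manage-node-pools/#add-a-node-pool` instead of a relative path; the target is the `## Add a Node Pool` heading in this very file, so `#add-a-node-pool` (or the `/docs/...` path, as the delete link already uses) is what should ship. The same note appears verbatim in the new Local Disk Encryption guide; a shortguide would keep the two in sync. The step now says the Disk Encryption setting is displayed, but the screenshot stays `view-node-pools.png` while the new guide uses `view-node-pools-encryption.jpg` for the same view; reuse that image here so the screenshot shows the column the text describes.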