Title
Create new category
Edit page index title
Edit category
Edit link
Enabling Cluster-Level Encryption
The cluster-encryption (encryption at rest) feature flag is optional and set to false by default. In order to use this feature, you will first need to enable the cluster-encryption feature flag. At this point, encryption is not yet fully functional and the cluster and all of the stored data is unencrypted. You will need to run the Enable Encryption API to activate the process.
The feature flag can be enabled or disabled. As long as you have not enabled the cluster-encryption, you can disable this feature flag. Once your cluster-encryption is enabled, you cannot disable the feature flag.
Enabling Feature Flag
The entries in the REST API documentation refer to generic feature flags only, and not to each one individually (i.e., /api/v2/featureFlags/{name}/enable).
CLI
xxxxxxxxxxlbcli enable feature-flag cluster-encryptionREST
xxxxxxxxxxPOST /api/v2/featureFlags/Cluster/Encryption/enableEnabling the Encryption API Definition
Cluster-level encryption can only be enabled on clusters that do not have data (volumes or snapshots). If you want to activate encryption on a cluster with volumes or snapshots, they should be deleted first.
Once encryption is enabled, the cluster will generate the required encryption keys. Before creating new volumes, validate that the cluster encryption state is enabled. This can be done using the lbcli get clusterinfo (2.2 and above) API.
There are two methods of storing the KEK securely in the cluster. Software encryption (this is the default keystore if no value is set in the API command), or encrypted by TPM 2.0. If TPM is not supported on all of the servers in the cluster, the enable encryption process will fail and the cluster will remain unencrypted.
Once cluster-level encryption with TPM is enabled, make sure that any servers added to the cluster have TPM 2.0 enabled. You will also need to make sure that if you have any other third-party software on the servers that use TPM, you do not perform any reset or clear commands. This could cause the cluster to lose access to the TPM, and to the encryption key and event in data loss.
If you are using encryption and TPM - when adding a new server to the cluster or replacing a server - you need to make sure the new server has TPM2.0 enabled before installation.
It is recommended to run the enable encryption API only when the cluster is stable and all nodes are active on the same Lightbits cluster version (e.g., all servers are on v 3.14). Below a certain threshold of inactive nodes, the enable encryption process will fail and will have to be triggered again. Running the enable encryption API in the middle of an upgrade process could cause unexpected behavior and is not supported.
Enabling the Encryption API
CLI
As this is an irreversible change, in the CLI you will be prompted to make sure that you want to enable encryption:
xxxxxxxxxxlbcli enable cluster-encryption --keyStore=fileOr
xxxxxxxxxxlbcli enable cluster-encryption --keyStore=tpm <keyStore> Kek store location (file or tpm)REST
xxxxxxxxxxPOST /api/v2/cluster/encryption/enableBody:"keyStore": “fileor"keyStore": “tpm© 2026 Lightbits Labs™