Efficient encryption from the host using Thales is set per volume. You can set encryption on a subset of volumes; not all volumes are required to participate in end-to-end efficient encryption. Encryption on the back end with D@RE encrypts all data, regardless of whether it is set for efficient encryption.
You can encrypt a volume in two steps:
The encryption-capable attribute identifies volumes that participate in encryption from the host and benefit from the PowerMax data reduction capabilities. You cannot add the attribute to an existing volume or remove it after a volume is created. A volume that is created with the encryption-capable attribute does not automatically encrypt the host data; it must still go through the encryption process. If a capable volume is to be encrypted, it must be guarded.
You can set a volume as encryption capable when creating a volume using one of the following methods:
After you create a volume, the volume properties reflect it as encryption-capable, as shown in the following two figures.
Guarding an encryption-capable volume activates encryption for all I/O to that volume from the host application. Guarding a capable volume encrypts all new data; it does not encrypt any data that was previously written to that volume.
Guarding a volume requires the following configuration:
For more information about guarding a volume, see the Thales Data Security Manager, DSM Administration Guide for DSM release and Thales VTE Agent Installation and Configuration Guide for VTE release.
The following is an example of the process for guarding a volume.
Once the policy is set and the volume is guarded, DSM and PowerMax generate and share encryption keys (see Figure 1).
The volume properties from Unisphere and Solutions Enabler reflect the new encryption status.