Volume encryption protects data-at-rest against physical loss or theft of storage drives. It is important to recognize that while this feature adds an additional layer of security to your data, it cannot safeguard against all potential threats. For example, the following scenarios fall outside the scope of volume encryption's protection:

• Data-in-use or in-transit, including data temporarily stored in system memory
• Inadvertent or malicious data destruction
• Loss of an entire NAS system (only protected when using an external key vault)

Understanding these scenarios can help you make informed decisions regarding your data security strategies and determine how to implement additional security measures.

Before creating your initial encrypted volume, we strongly recommend you to enable and set up the Encryption Key Vault in advance. Doing so will facilitate a more seamless volume creation process.

If you have not completed this preliminary setup, you will still be guided to do it during the volume creation process. However, when using the volume creation wizard, the only available storage location for the key vault is the default Local option. Therefore, if you want to utilize an external key vault, you must set it up beforehand.

Prolonged use of a single key can expose you to security risks. Therefore, we recommend that you or your organization change both the volume encryption keys and the recovery keys on a regular basis. You can non-disruptively change both of these keys through the Storage Manager interface. Once the old keys are replaced, they become invalid and cannot be reused.

Make sure that you do not store recovery keys within encrypted volumes. Recovery keys are essential for accessing your data in case of a problem with the Encryption Key Vault. Therefore, it is vital that you keep your recovery keys in a separate location to ensure its security so you'll always be able to access your data.