Switching existing Ceph OSD from unencrypted to encrypted

kenneth_vkd

Hi
I am sure that this has been done before, but I have not exactly been able to find out if this is possible.
We currently have a fairly large 3-node cluster on PVE with PVE-managed Ceph for the storage.
Due to NIS2 and other local regulations, we are being forced into having "encryption at rest" for all virtual machines, and while having encrypted drives for each VM where the VM disk is encrypted, it only works if our deployment team remembers to enable it during provisioning, and then there is again the case of having to enter the decryption key on startup, as we are not a large corporation with the need for insane amounts of automation.
So we figured that the best approach would be to simply take the OSDs out one at a time, wipe each one and create a new encrypted OSD for the same physical drive.
But can we mix encrypted and unencrypted OSDs on the same nodes in the same pool?