Skip to content

Encryption at rest

Any volume — local or network — can be encrypted at rest, free of charge. Flip Encrypt at rest in the create flow (volume creation for network storage, the local-storage section when creating a pod). Encrypted volumes show an Encrypted badge on their card.

The volume’s contents are always stored encrypted on the physical disk, and the key is never kept on the host machine. That means:

  • Data on a lost, resold, or physically accessed disk is unreadable.
  • A powered-off or locked volume exposes nothing, even with the disk in hand.

Be precise about the boundary: this is at-rest protection for the volume’s disk footprint. While a pod is actively using the volume, the data is necessarily unlocked for that pod — encryption at rest is not a substitute for securing what runs inside your own pod.

SituationBehavior
Pod starts with the volume attachedUnlocked automatically for the pod’s lifetime
Pod stopsThe volume locks again
Connect (network volumes)Unlocked on demand for direct access
Idle after ConnectAn Auto-locks in MM:SS countdown runs in the Connect modal; the volume locks when it expires
Transfer in progressThe countdown pauses — active transfers are never cut off

If Connect fails to unlock (“Couldn’t prepare the connection”), your data is safe and untouched — it’s usually temporary; try again.

On-the-fly encryption adds roughly 3–5% overhead, so read/write throughput is slightly lower than an unencrypted volume. For most workloads this is unnoticeable; for maximum-throughput scratch space, weigh whether the data needs it.