Product Security Hardening Guides for Volumes

Table of Contents

  1. Ensure the File System is Encrypted

Ensure the File System is Encrypted

DigitalOcean Volumes are scalable, SSD-based block storage devices. Volumes allow you to create and expand your infrastructure’s storage capacity without needing to resize your Droplets.

Volumes are encrypted at rest, which means that the data on a Volume is not readable outside of its storage cluster. When you attach a Volume to a Droplet, the Droplet is presented with a decrypted block storage device and all data is transmitted over isolated networks.

For additional security, you can also create a file system on a LUKS-encrypted disk on your Volume. This means that the disk must be decrypted by the operating system on your Droplet before any of its data can be read.

Rationale

Encrypting the file system of your Volume Block Storage is important for several reasons:

  • Data Protection: Encryption ensures that data is protected from unauthorized access, both during storage and transit.
  • Security Compliance: It helps meet regulatory and compliance requirements that mandate data encryption.
  • Mitigation of Data Breaches: In the event of a security breach, encrypted data remains inaccessible without the encryption keys.
  • Confidentiality: Sensitive information remains confidential, ensuring privacy and trust.

Impact

This process is destructive to any data on the Volume. Be sure to either start with a new Volume or back up your data before reformatting an existing Volume.

Encryption and decryption processes can introduce latency, impacting read/write speeds and overall system performance.

Good practices for preventing data loss are:

  • Always back up your data before encrypting or modifying any partition.
  • If you’re new to encryption, test on a non-critical partition or virtual disk first.
  • Double-check commands before executing them to avoid accidental data loss.

Audit Procedure

Use the following command to check whether the disk is encrypted:

  cryptsetup status secure-volume

Expected output for an inactive device will look similar to this:

  /dev/mapper/secure-volume is inactive

Expected output for an active device will look similar to this:

  /dev/mapper/secure-volume is active and is in use.
    type:    LUKS2
    cipher:  aes-xts-plain64
    keysize: 512 bits
    key location: keyring
    device:  /dev/sda
    sector size:  512
    offset:  32768 sectors
    size:    209682432 sectors
    mode:    read/write
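As an added audit helper that is not part of DigitalOcean's guide, the shell function below classifies the text of `cryptsetup status` and passes only an active LUKS2 mapping with the cipher and key size shown above; the sample outputs are constructed to mirror the expected output, and the mapping name `secure-volume` is the one used in this guide.

```shell
#!/usr/bin/env bash
# Added audit helper (not DigitalOcean's code). Returns 0 only when the
# status text describes an active LUKS2 mapping using aes-xts-plain64
# with a 512-bit key; anything else (inactive, LUKS1, weaker key) fails.
audit_luks_status() {
  status_text="$1"
  printf '%s\n' "$status_text" | grep -q 'is active' || return 1
  printf '%s\n' "$status_text" | grep -Eq 'type: *LUKS2' || return 1
  printf '%s\n' "$status_text" | grep -Eq 'cipher: *aes-xts-plain64' || return 1
  printf '%s\n' "$status_text" | grep -Eq 'keysize: *512 bits' || return 1
  return 0
}

# Live check against a real mapping (needs root); defaults to the guide's
# mapping name. Prints a verdict and returns the audit result.
check_mapping() {
  name="${1:-secure-volume}"
  if audit_luks_status "$(cryptsetup status "$name" 2>/dev/null)"; then
    echo "PASS: /dev/mapper/$name is an active LUKS2 aes-xts-plain64/512 mapping"
    return 0
  fi
  echo "FAIL: /dev/mapper/$name is inactive or does not meet the expected settings"
  return 1
}

# Constructed sample outputs mirroring the expected output in this guide.
SAMPLE_INACTIVE='/dev/mapper/secure-volume is inactive'
SAMPLE_ACTIVE='/dev/mapper/secure-volume is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sda
  sector size:  512
  offset:  32768 sectors
  size:    209682432 sectors
  mode:    read/write'
```

Run `check_mapping` on the Droplet to audit the live mapping; `audit_luks_status "$SAMPLE_ACTIVE"` shows the expected pass case offline.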

Remediation Procedure

  1. Install cryptsetup:
     • Debian/Ubuntu: apt-get install cryptsetup (or sudo apt install cryptsetup)
     • CentOS: yum install cryptsetup
     • Fedora: dnf install cryptsetup
  2. Follow the steps in the How to Create an Encrypted File System on a DigitalOcean Block Storage Volume guide.

Default Value

By default, DigitalOcean Volumes are encrypted when they are not attached to a Droplet.
