About data store encryption
Encrypting the data store significantly limits the exposure of sensitive data in the event an appliance is compromised by loss, theft, or a security violation. The secure data is difficult for a third party to retrieve. Before you encrypt the data store, you must unlock the secure vault. The secure vault stores the encryption key.
Encrypting the data store and enabling TLS optimization provides maximum security.
Data store synchronization traffic is not encrypted.
Encrypting the data store can have performance implications; generally, higher security means less performance. Several encryption strengths are available to provide the right amount of security while maintaining the desired performance level. When selecting an encryption type, you must evaluate the network structure, the type of data that travels over it, and how much of a performance trade-off is worth the extra security.
Downgrade limitations
Appliances can use encrypted data stores created within the same major software version, but not those created in a future major version. For example, an encrypted data store created in 8.0.2 works with 8.0.3, but not with 8.5.
Before downgrading to an earlier version, you must select none as the encryption type, clear the data store, and restart the service. After you clear the data store, the data is removed from persistent storage and can’t be recovered.
If you return to a previous software version and there’s a mismatch with the encrypted data store, the status bar indicates that the data store is corrupt. You can either use the backup software version after clearing the data store and rebooting the service, or return to the software version in use when the data store was encrypted, and continue using it.