Tintri SecureVM FAQs

Applies To


Product(s): T8xx, T6xx

Product Version(s): 3.1 & above

Q & A

Q : Is enabling encryption a single button operation?
A : If a valid license is available, then yes, you push a button to encrypt.


Q : Is the encryption key entered manually?

A : No, the key is automatically generated when encryption is enabled.


Q : The key automatically rotates on a predetermined schedule. Can the key also be manually rotated using the UI, PowerShell or a REST command?
A : The UI does not support a predetermined rotation schedule; in the UI, the key can only be rotated manually. Rotation can be automated or scheduled using the REST APIs or PowerShell.

Q : Can encryption of a VMstore be disabled?
A : No, encryption cannot be turned off.


Q : Is the encryption key protected in the event of both controllers failing?

A : The key is divided into multiple small fragments that are spread across multiple drives, so data will not be lost in the unlikely event of both controllers failing on an encryption-enabled VMstore.


Q : Is it possible to un-encrypt a VM after the VMstore has been encrypted?

A : Yes, there are different methods to achieve this:

  1. Storage vMotion to an unencrypted datastore
  2. Clone from a replicated snapshot on an unencrypted datastore
  3. Restore from backup


Q : Is there a performance penalty after enabling SecureVM?

A : No. All SSDs and HDDs used on Tintri are self-encrypting drives, so the encryption is done in hardware and there is no performance penalty.


Q : Is external key management supported?

A : External key management is supported in Tintri OS v4.3 (and later).


