Encryption at Rest for Compute and Block Storage
June 2, 2026
Compute, Encryption, Block Storage
Exoscale now transparently encrypts stored data for Compute and Block Storage workloads using AES-256 in XTS mode at the hypervisor layer. Combined with the existing TLS-based encryption in transit, this means the platform provides encryption by default for data both at rest and in transit.
What’s new:
- Encryption at rest by default — all newly created Compute instances and Block Storage volumes are encrypted automatically.
- Unique encryption keys — each volume receives a unique encryption key managed by Exoscale.
- Encrypted snapshots — snapshots inherit the encryption of their parent volume.
- Protected templates and instance snapshots — instance snapshots and templates stored on Object Storage remain protected through bucket-level encryption.
What this means in practice:
- New workloads benefit from encryption everywhere by default across compute, storage, snapshots, templates, APIs, and network communication.
- Encryption happens automatically at the platform layer, without requiring changes to applications, operating systems, or operational workflows.
- Stored and transmitted data now follow a more consistent end-to-end protection model across Exoscale services.
Existing Compute instances remain unencrypted for the time being. In the near future, we will clearly communicate how to encrypt them.
Existing Block Storage volumes are not re-encrypted in place. To encrypt existing Block Storage data, create a new encrypted volume and copy the data across.
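The copy step above can be checked before the old volume is retired. The script below is an added example, not Exoscale tooling: it assumes both volumes are attached to the same instance and already mounted (the mount points in the usage comment are hypothetical), does a file-level copy, and compares SHA-256 manifests of source and destination.

```shell
#!/usr/bin/env bash
# Added example: copy a mounted volume onto a new encrypted volume and verify it.
# Assumes GNU coreutils/findutils; mount points are supplied by the operator.

manifest() {
    # Print "sha256  ./relative/path" for every regular file under $1, sorted by path.
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

copy_and_verify() {
    local src="$1" dst="$2" tmp rc=0
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "both mount points must exist" >&2
        return 2
    fi
    # Refuse to merge into a target that already holds data
    # (a fresh ext4 filesystem only contains lost+found).
    if [ -n "$(find "$dst" -mindepth 1 ! -name 'lost+found' -print -quit)" ]; then
        echo "destination $dst is not empty" >&2
        return 3
    fi
    # -a keeps ownership, modes, timestamps and symlinks; "/." includes dotfiles.
    cp -a -- "$src"/. "$dst"/ || return 4
    sync
    tmp=$(mktemp -d) || return 5
    manifest "$src" > "$tmp/src.sha256"
    manifest "$dst" > "$tmp/dst.sha256"
    # Any differing, missing or extra file shows up as a diff line.
    if ! diff -u "$tmp/src.sha256" "$tmp/dst.sha256" >&2; then
        echo "content mismatch between $src and $dst" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage (hypothetical mount points): ./migrate.sh /mnt/old-volume /mnt/new-volume
if [ "$#" -eq 2 ]; then
    copy_and_verify "$1" "$2"
fi
```

Stop the services that write to the source volume before running it, otherwise the manifests can differ for reasons unrelated to the copy.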
