Commit cfa861b

Merge pull request #298349 from pjw711/pjw/encryption-at-rest
Add description of encryption at rest support
2 parents ebc6098 + a2092a9 commit cfa861b

2 files changed

+10
-0
lines changed

articles/operator-nexus/concepts-security.md

Lines changed: 6 additions & 0 deletions
@@ -131,3 +131,9 @@ As a secure service, Azure Kubernetes Service (AKS) complies with SOC, ISO, PCI
131131
The Operator Nexus Cluster Manager is an AKS implementation. The following image shows the Kube-Bench exceptions for the Cluster Manager. A full report of CIS Benchmark control evaluation for Azure Kubernetes Service (AKS) can be found [here](/azure/aks/cis-kubernetes)
132132

133133
:::image type="content" source="media/security/nexus-cluster-manager-kubebench.png" alt-text="Screenshot of Cluster Manager Kube-Bench exceptions." lightbox="media/security/nexus-cluster-manager-kubebench.png":::
134+
135+
## Encryption at rest
136+
137+
Azure Operator Nexus provides persistent storage for virtualized and containerized workloads. Data is stored and encrypted at rest on the storage appliances in the Azure Operator Nexus aggregator rack. For more information, please see [the storage appliance reference documentation](/reference-near-edge-storage.md).
138+
139+
Nexus Kubernetes clusters and Nexus virtual machines consume storage from a local disk. Data stored on local disks is encrypted using LUKS2 with the AES256 bit algorithm in XTS mode. All encryption keys are platform managed.
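
Review bot: In the added local-disk paragraph, "LUKS2 with the AES256 bit algorithm in XTS mode" is ambiguous about key length, because XTS splits the supplied key into two halves: a 512-bit XTS key gives AES-256, while a 256-bit XTS key gives AES-128. Suggest stating the cipher and key length explicitly, in the form "AES in XTS mode with an N-bit key", using whatever the platform actually configures. Separately, the link target `/reference-near-edge-storage.md` in the first added paragraph is root-relative, but both files in this commit live in articles/operator-nexus/; a relative link such as `reference-near-edge-storage.md#encryption-at-rest` would land on the section added in the other file. "platform managed" should also be hyphenated to match "platform-managed" in that file.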

articles/operator-nexus/reference-near-edge-storage.md

Lines changed: 4 additions & 0 deletions
@@ -35,6 +35,10 @@ An Azure Operator Nexus instance can have up to two storage appliances. The stor
3535

3636
The Pure FlashArray contains a variety of data reduction features. The effective capacity of the storage appliance, which gives the amount of data that can be stored from the workload's perspective, is typically larger than the raw capacity. The effective capacity depends strongly on the data being stored. For example, pre-compressed or application-encrypted data achieves lower data reduction ratios on the storage appliance than data with high levels of duplication. Pure storage can model likely achievable data reduction ratios and effective capacity for a wide variety of workloads to help you choose a SKU with a suitable amount of storage capacity.
3737

38+
### Encryption at rest
39+
40+
All data stored on the Pure FlashArray is encrypted at rest using platform-managed storage server-side encryption. For more information, see [Pure's FlashArray Data Security Overview](https://support.purestorage.com/bundle/m_security_resources/page/repositories/production-branch/content/documents/Production/FlashArray/FlashArray_Security/FlashArray_Security_Guides_and_Manuals/topics/task/t_an_overview_of_flasharray_data_security.html) (sign in required).
41+
3842
## Storage connectivity
3943

4044
This diagram shows the connectivity model followed by storage appliance in the near-edge offering.
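
Review bot: The added "### Encryption at rest" paragraph says only "platform-managed storage server-side encryption" and defers every detail to a vendor page marked "(sign in required)", so a reader without a Pure account cannot learn the cipher, the key length, or where the keys are held. Suggest adding one sentence that states those facts inline, at the same level of detail as the local-disk description added to concepts-security.md in this commit, and rewording "storage server-side encryption" to something like "encrypted at rest by the storage appliance using platform-managed keys" if that is the intended meaning.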

0 commit comments