From 604be01b613b85b9d56ccc1809d2954dd0b7bb51 Mon Sep 17 00:00:00 2001 From: Hitoshi Mitake Date: Mon, 15 Jun 2020 00:29:32 +0900 Subject: [PATCH] Documentation: note on data encryption --- Documentation/op-guide/security.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Documentation/op-guide/security.md b/Documentation/op-guide/security.md index 4ac68736b95..c4cb883e9a9 100644 --- a/Documentation/op-guide/security.md +++ b/Documentation/op-guide/security.md @@ -426,8 +426,14 @@ Make sure to sign the certificates with a Subject Name the member's public IP ad The certificate needs to be signed for the member's FQDN in its Subject Name, use Subject Alternative Names (short IP SANs) to add the IP address. The `etcd-ca` tool provides `--domain=` option for its `new-cert` command, and openssl can make [it][alt-name] too. +### Does etcd encrypt data stored on disk drives? +No. etcd doesn't encrypt key/value data stored on disk drives. If a user need to encrypt data stored on etcd, there are some options: +* Let client applications encrypt and decrypt the data +* Use a feature of underlying storage systems for encrypting stored data like [dm-crypt] + [cfssl]: https://github.com/cloudflare/cfssl [tls-setup]: ../../hack/tls-setup [tls-guide]: https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md [alt-name]: http://wiki.cacert.org/FAQ/subjectAltName [auth]: authentication.md +[dm-crypt]: https://en.wikipedia.org/wiki/Dm-crypt
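Review bot: Grammar in the added paragraph: "If a user need to encrypt data stored on etcd" should read "If a user needs to encrypt data stored in etcd", and "like [dm-crypt]" reads better as "such as [dm-crypt]". It would also help readers if the first bullet said that client-side encryption means the application is responsible for managing the encryption keys, since etcd itself cannot help with that once the data it stores is opaque ciphertext; the second bullet could likewise state that disk-level encryption protects data at rest on the drive but not data read by anyone who can already talk to the etcd member, so it is not a substitute for the authentication and TLS guidance elsewhere in this document.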