Register

Protecting data across its lifecycle


Exoscale secures your data as it is stored and transmitted across systems. We use encryption to protect this data at every step, combining encryption at rest, encryption in transit, and secure key management

We provide encrypted Compute, Object Storage, and Block Storage services, applying encryption consistently across compute, storage, and network layers without requiring changes to your applications or workflows.

These features cover the full data lifecycle on Exoscale. Your data is protected both when it is stored on disk and when it moves between different services.

Encryption also depends on securely managing encryption keys. Exoscale Key Management Service (KMS) gives you direct control over encryption keys. Create keys, define rotation schedules, revoke access when required, and delete keys according to your policies. Key material is managed within Exoscale’s secure cryptographic boundary while you control key lifecycle operations.

Encryption and key management layers

Encryption at rest

Encryption at rest

Encryption at rest protects data stored on disks and storage systems. It is applied at the hypervisor layer using AES-256-XTS below the guest operating system, so encryption remains transparent to operating systems and applications.

Encryption in transit

Encryption in transit

Encryption in transit protects data as it moves between systems. It applies to API communication and service interactions across the network using standard transport protocols such as TLS.

Encryption key management

Encryption key management

Encryption keys are managed centrally through Exoscale KMS. The service handles key lifecycle operations such as generation, rotation, replication, and deletion while you control when and how keys are used. Learn how to create and manage keys in the KMS Quick Start.

What is encrypted on Exoscale

Resource Encryption KMS Supported Availability and notes
Compute root volumes At rest Supported Default for new instances. KMS support is coming soon.
Block Storage volumes At rest Supported Default for new volumes. Existing volumes are not re-encrypted. KMS support is coming soon.
Block Storage snapshots At rest Supported Inherited. Use the same key as the parent volume. KMS support is coming soon.
Object Storage (SOS) At rest Supported Default. SSE-SOS or SSE-C bucket-level encryption with Exoscale managed keys. KMS support is coming soon.
Instance snapshots and templates At rest Supported Encrypted. Stored on Object Storage with bucket-level encryption. KMS support is coming soon.
Network traffic In transit Not supported Default. All service endpoints use HTTPS with TLS-secured communication.
DBaaS At rest Not supported Default. Automated backups are encrypted at rest in Object Storage, and connections are TLS-encrypted.

Encryption everywhere by default


Encryption is applied consistently across compute, storage, snapshots, templates, APIs, and network communication layers. Combined with TLS-secured encryption in transit, Exoscale now provides a more complete end-to-end encryption baseline for workloads and stored data without requiring additional operational overhead. Exoscale Key Management Service (KMS) extends this protection model through centralized key management. You can create, rotate, disable, and delete your own encryption keys, and maintain a full audit trail of key usage.

Key benefits of encryption for storage and compute workloads

Where data encryption supports your workloads

Encryption helps establish a stronger protection baseline for your stored data, transmitted data, and regulated workloads across Exoscale compute, storage, and network services.

Application and database data


Applications and databases rely on persistent storage to manage transactions, user data, and operational state. Encryption helps protect this data while it remains stored on volumes and disks.

AI and data processing workloads


AI and inference workloads often process large datasets and generated outputs. Encryption helps protect sensitive data throughout processing and storage workflows.

Compliance and regulated workloads


Regulated workloads under GDPR, ISO 27001, SOC 2, or industry-specific frameworks require verifiable encryption and auditable key management. Exoscale KMS provides a full audit trail of key usage, configurable rotation schedules, and the ability to revoke access on demand. These controls help you demonstrate how encryption keys are managed and governed.

Backup and recovery data


Backups often contain full copies of systems, configurations, and historical records. Encryption at rest helps ensure backup data remains protected while stored.

How encryption is implemented

Hypervisor-level encryption

Hypervisor-level encryption

Data encryption is performed at the hypervisor layer, below the guest operating system. No agents or additional configuration are required within the instance.

Strong encryption standard

Strong encryption standard

Volume data is encrypted using AES-256 in XTS mode, which is widely used for securing storage systems.

Unique keys per volume

Unique keys per volume

Each volume is assigned a unique encryption key that is generated at creation time, helping keep data isolated and independently protected across volumes.

Transparent operation

Transparent operation

Encryption and decryption are handled automatically by the platform. Applications and operating systems interact with standard block devices.

Frequently asked questions about encryption

What does encryption everywhere mean on Exoscale?

Encryption is applied across multiple layers of the Exoscale platform, including stored data, snapshots, templates, APIs, and network communication. Encryption at rest and encryption in transit together cover the full data lifecycle: data stored on disk and data moving between services.

What is the difference between encryption at rest and encryption in transit?

Encryption at rest protects data after it has been written to storage. Encryption in transit protects data while it moves between systems, over encrypted connections using TLS. Both protect different stages of the data lifecycle and together cover the full path data takes across Exoscale services.

Are all new resources encrypted by default?

All new Compute instances, Block Storage volumes, and Object Storage buckets are encrypted at rest by default. Encryption is applied automatically at creation time with no additional configuration required. Learn more about Compute and Block Storage encryption and Object Storage encryption.

How does data encryption work with snapshots?

Snapshots inherit the encryption of their parent volume and remain encrypted throughout their lifecycle. When a snapshot is promoted to a new volume, the new volume uses the same encryption key as the source snapshot.

What is Exoscale KMS?

Exoscale KMS is a Key Management Service that lets you create and control your own encryption keys. It follows the CYOK (Control Your Own Key) model: Exoscale secures key material within its infrastructure, and you control lifecycle operations such as creating, rotating, disabling, deleting, and replicating keys across zones. A full audit trail records which key was used and when. Exoscale KMS is available now as a standalone service. Integration with Compute, Block Storage, and Object Storage is coming soon. Once integrated, customer-managed keys will wrap the encryption keys of volumes and buckets, giving you direct control over how encryption keys protecting your data are managed and used. Pricing is a flat monthly rate per key. Operations and rotations carry no additional charges.

How are encryption keys managed?

Exoscale generates and manages a unique encryption key for each volume automatically. These platform-managed keys are handled entirely within Exoscale’s secure infrastructure.

Exoscale KMS is available now as a standalone service if you want to create and control your own encryption keys. KMS integration with Compute, Block Storage, and Object Storage is coming soon. Once integrated, customer-managed keys from KMS will wrap and control the encryption keys of volumes and buckets directly.

The model is called CYOK (Control Your Own Key): You control key lifecycle operations while Exoscale protects and operates the underlying cryptographic infrastructure.

How long do encryption keys exist?

Encryption keys protecting volumes and buckets exist for as long as the associated resource exists. When a volume is deleted, its encryption key is permanently destroyed and can no longer be used to access the data.

KMS keys follow a separate lifecycle. Platform-managed KMS keys remain available and are managed by Exoscale. Customer-managed KMS keys remain available until customers schedule them for deletion. Deletion follows a mandatory waiting period to help prevent accidental and irreversible data loss.

What is an External Key Store?

An External Key Store (XKS) lets you store encryption keys entirely outside the cloud provider’s infrastructure, in your own Hardware Security Module (HSM) or external key vault. The cloud provider proxies cryptographic operations without ever receiving or storing the key material itself. This model is called HYOK (Hold Your Own Key). It provides the highest level of key isolation available: the provider does not store the key material and cannot perform decryption without access to the external key system. XKS is coming soon to Exoscale. If you require HYOK today, you can evaluate Exoscale KMS as an interim step, gaining control over key lifecycle management while XKS support is finalized.