How can an Implementation Engineer confirm for the customer that data-at-rest encryption is enabled on a newly installed FlashArray?
Correct Answer: D
A frequent question Implementation Engineers receive from security-conscious customers after a new installation is how to verify that data-at-rest encryption is active. Unlike legacy storage arrays where encryption requires a separate software license, specialized self-encrypting drives (SEDs), or complex CLI toggles, Pure Storage FlashArray handles encryption natively and transparently.
There are no commands like puresecurity status or purearray encryption list in the Purity CLI because data-at- rest encryption is an always-on, non-configurable architectural feature . It cannot be turned off by an administrator, support engineer, or malicious actor.
Purity secures data at rest using AES-256 bit encryption (FIPS 140-2 certified). The array uses three dependent layers of internal keys (an Array Key, an SSD Key, and a Data Encryption Key) that are automatically generated, partitioned, and spread across the DirectFlash Modules. Because this process operates continuously in the background without user intervention, the standard and officially documented response for an Implementation Engineer is to explain the always-on nature of the architecture and provide the customer with the official Pure Storage FlashArray Data Security and Compliance whitepaper to satisfy their compliance auditors. (Note: Option C mentions RDL or Rapid Data Locking, which is an external KMIP key management feature, not the base data-at-rest encryption itself).