Description of problem:

AWS clusters installed by the cluster have never had . Since bug 1734193 was fixed, we can ask the machine-API provider to provision workers with encrypted root volumes even for Machine(Set)s that use unencrypted AMIs [1]. Questions are:

1. Do we want encrypted root volumes on compute machines? We already encrypt root volumes for the bootstrap and control-plane machines (via copy-and-encrypted AMIs for those Terraform-provisioned machines). When this is just a question of setting a property in the compute MachineSets, I don't see why we wouldn't want encrypted compute machines.

2. If we do want encrypted compute machines, do we want to backport that to previous releases? I don't really care about this point. Folks who are installing new clusters are unlikely to stick to 4.1 for long after 4.2 is out. Folks who installed a 4.1 cluster and subsequently upgrade it will likely continue to upgrade through 4.2 (although you'd need some non-installer component if you wanted to get encrypted instances after an upgrade). Folks who installed a 4.1 cluster and who never upgrade it aren't going to get new cluster behavior however we provide it. I'm fine backporting the small fix to 4.1.z so new-cluster folks can benefit without having to wait for 4.2.0. But I'm also fine leaving the old branches alone.

Thoughts?

[1]: https://github.com/openshift/installer/pull/2160

This is an RFE, will track via JIRA if and when this is requested by PM.