Data on VAST Cluster can be encrypted and decrypted transparently using 256-bit AES-XTS encryption.
Encryption at rest was first introduced in VAST Cluster 3.2. In the initial phase of this feature, the following limitations apply:
Encryption can be enabled only upon initial cluster creation, which is performed using the
cluster createCLI command or the UI installer as part of the installation process. Once the cluster is created as a VMS-managed entity, encryption cannot be enabled.
Encryption cannot be disabled.
External generation and management of keys is not supported.
Encryption keys cannot be replaced nor revoked.
If encryption is enabled, VAST Cluster generates a random 256-bit master key at cluster initialization. The master key is unique to the cluster and is not used to encrypt any data. Each group of data blocks that is written to the cluster is encrypted with a pseudo-randomly selected one of 10,000 highly variable encryption keys, which are derived from the master key pseudo-randomly using an HMAC-based key derivation function with SHA-512. So, for example, if a cluster stores 50PB of data, typically no more than 5TB is encrypted with any given key.
Encryption is disabled by default and can only be enabled at cluster creation when installing a new cluster running VAST Cluster 3.2 or later.
When creating a new cluster using the
cluster create CLI command, you must include the
--enable-encryption option when you run the command.
vcli: admin> cluster create --cnode-ips 192.0.2.0,192.0.2.1,192.0.2.2,192.0.2.3 --dnode-ips 192.0.2.4,192.0.2.5 --name mycluster --psnt mycluster --enable-encryption
If you install the cluster using the VAST Web UI installer, include these steps to enable encryption: