As required by many regulated industries, VAST Cluster features the ability to encrypt the data that is saved on the cluster's disks (data 'at rest') to prevent access from unauthorized users.
When encryption is enabled, all data on the cluster is encrypted and decrypted transparently using 256-bit AES-XTS encryption. VAST Cluster generates a random 256-bit master key at cluster initialization. The master key is unique to the cluster and is not used to encrypt any data. Each group of data blocks that is written to the cluster is encrypted with a pseudo-randomly selected one of 10,000 highly variable encryption keys, which are derived from the master key pseudo-randomly using an HMAC-based key derivation function with SHA-512. So, for example, if a cluster stores 50PB of data, typically no more than 5TB is encrypted with any given key.
Encryption is disabled by default and can only be enabled at cluster creation when installing a new cluster.
VAST Cluster encryption of data at rest is implemented using the VAST Data FIPS Object Module for OpenSSL, which is FIPS 140-2 validated. The NIST validation for the module can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4107.
Encryption can be enabled only upon initial cluster creation, which is performed using the CLI or the Easy Install utility as part of the cluster installation procedure. Once the cluster is created as a VMS-managed entity, encryption cannot be enabled.
External generation and management of keys is not supported.
Encryption keys cannot be replaced nor revoked.
Encryption can only be enabled on install.
When you install the cluster using Easy Install, enable the Encryption optional setting at the General Settings stage.
When creating a new cluster using the
cluster create CLI command, you must include the
--enable-encryption option when you run the command.
vcli: admin> cluster create --cnode-ips 192.0.2.0,192.0.2.1,192.0.2.2,192.0.2.3 --dnode-ips 192.0.2.4,192.0.2.5 --name mycluster --psnt mycluster --enable-encryption