Articles in this section

Encryption at Data at Rest

Sara Levy
  • Updated
Follow

As required by many regulated industries, VAST Cluster features the ability to encrypt the data that is saved on the cluster's disks (data 'at rest') to prevent access from unauthorized users.

When encryption is enabled, all data on the cluster is encrypted and decrypted transparently using 256-bit AES-XTS encryption. VAST Cluster generates a random 256-bit master key at cluster initialization. The master key is unique to the cluster and is not used to encrypt any data. Each group of data blocks that is written to the cluster is encrypted with a pseudo-randomly selected one of 10,000 highly variable encryption keys, which are derived from the master key pseudo-randomly using an HMAC-based key derivation function with SHA-512. So, for example, if a cluster stores 50PB of data, typically no more than 5TB is encrypted with any given key.

Encryption is disabled by default and can only be enabled at cluster creation when installing a new cluster.

FIPS 140-2 Validation

VAST Cluster encryption of data at rest is implemented using the VAST Data FIPS Object Module for OpenSSL, which is FIPS 140-2 validated. The NIST validation for the module can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4107.

Limitations

Note

  • Encryption can be enabled only upon initial cluster creation, which is performed using the CLI or the Easy Install utility as part of the cluster installation procedure. Once the cluster is created as a VMS-managed entity, encryption cannot be enabled.

  • External generation and management of keys is not supported.

  • Encryption keys cannot be replaced nor revoked.

Enabling Encryption of Data at Rest

Important

Encryption can only be enabled on install.

Enabling Encryption During Cluster Creation via VAST Web UI

When you install the cluster using Easy Install, enable the Encryption optional setting at the General Settings stage.

Enabling Encryption During Cluster Creation via VAST CLI

When creating a new cluster using the cluster create CLI command, you must include the --enable-encryption option when you run the command.

For example:

vcli: admin> cluster create --cnode-ips 192.0.2.0,192.0.2.1,192.0.2.2,192.0.2.3 --dnode-ips 192.0.2.4,192.0.2.5 --name mycluster --psnt mycluster --enable-encryption

Disabling Encryption of Data at Rest

You can disable encryption of data at rest. However, you will not be able to reenable it.

To disable encryption of data at rest, run the cluster modify command with the --disable-encryption option.

For example:

vcli: admin> cluster modify --disable-encryption

Related articles

Comments

0 comments

Article is closed for comments.