As required by many regulated industries, VAST Cluster features the ability to encrypt the data that is saved on the cluster's disks (data 'at rest') to prevent access from unauthorized users.
When encryption is enabled, all data on the cluster is encrypted and decrypted transparently using 256-bit AES-XTS encryption. VAST Cluster generates a random 256-bit master key at cluster initialization. The master key is unique to the cluster and is never used directly to encrypt data. Each group of data blocks written to the cluster is encrypted with one of 10,000 distinct encryption keys, selected pseudo-randomly; these keys are themselves derived from the master key using an HMAC-based key derivation function (HKDF) with SHA-512. So, for example, if a cluster stores 50PB of data, typically no more than 5TB is encrypted with any given key.
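An added illustration of the key hierarchy described above, written for this page and not taken from VAST's code: HKDF-SHA-512 (RFC 5869) derives per-index data keys from a master key that is never used for bulk encryption. The salt, the info label and the use of a 16-bit key index are assumptions; the page does not document VAST's actual derivation parameters.

```python
import hashlib
import hmac
import secrets

NUM_DATA_KEYS = 10_000   # number of derived data keys, as stated on the page
KEY_LEN = 32             # 256-bit AES key

def hkdf_extract(salt: bytes, ikm: bytes, digestmod=hashlib.sha512) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM); an empty salt is all zeros."""
    if not salt:
        salt = bytes(digestmod().digest_size)
    return hmac.new(salt, ikm, digestmod).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int, digestmod=hashlib.sha512) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), i = 1..n."""
    hash_len = digestmod().digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds HKDF limit")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), digestmod).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_data_key(master_key: bytes, index: int) -> bytes:
    """Derive data key number `index` from the cluster master key.
    Salt and info label are illustrative assumptions, not VAST's real values."""
    if not 0 <= index < NUM_DATA_KEYS:
        raise ValueError("key index out of range")
    prk = hkdf_extract(b"", master_key)                      # assumed: no salt
    info = b"data-at-rest-key:" + index.to_bytes(2, "big")   # assumed label
    return hkdf_expand(prk, info, KEY_LEN)

def select_key_index() -> int:
    """Pseudo-random choice of which of the 10,000 keys encrypts a block group."""
    return secrets.randbelow(NUM_DATA_KEYS)

def max_data_per_key(total_bytes: int) -> float:
    """Typical upper bound on data encrypted under one key when usage is even."""
    return total_bytes / NUM_DATA_KEYS

if __name__ == "__main__":
    master = secrets.token_bytes(KEY_LEN)   # constructed sample master key
    idx = select_key_index()
    print(idx, derive_data_key(master, idx).hex())
    print(max_data_per_key(50 * 10**15) / 10**12, "TB per key for a 50PB cluster")
```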
Encryption is disabled by default and can only be enabled at cluster creation when installing a new cluster.
VAST Cluster encryption of data at rest is implemented using the VAST Data FIPS Object Module for OpenSSL, which is FIPS 140-2 validated. The NIST validation for the module can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4107.
Encryption can be enabled only upon initial cluster creation, which is performed using the CLI or the Easy Install utility as part of the cluster installation procedure. Once the cluster is created as a VMS-managed entity, encryption cannot be enabled.
External generation and management of keys are not supported.
Encryption keys cannot be replaced or revoked.
Encryption can only be enabled on install.
When you install the cluster using Easy Install, enable the Encryption optional setting at the General Settings stage.
When creating a new cluster using the cluster create CLI command, you must include the --enable-encryption option when you run the command.
vcli: admin> cluster create --cnode-ips 192.0.2.0,192.0.2.1,192.0.2.2,192.0.2.3 --dnode-ips 192.0.2.4,192.0.2.5 --name mycluster --psnt mycluster --enable-encryption
Encryption of data over the wire is the encryption of data as it is transmitted over network connections, to protect the data in transit from unauthorized access.
In a VAST Cluster deployment, data can be encrypted in transit between the client network and the cluster and on the internal cluster network.
Data is encrypted on the following connections:
Clients using the S3 protocol can connect to the cluster over an HTTPS connection. The HTTPS connection is encrypted using the VAST Data FIPS 140-2 Object Module for OpenSSL, which is FIPS 140-2 validated. The NIST validation for the module can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4107.
VMS traffic is encrypted using TLS.
Connection to an external LDAP server can be encrypted using TLS. This is an optional setting in the LDAP configuration.
When encryption is enabled on the cluster, data transfer between the servers and switches in the VAST Cluster network is also encrypted with FIPS 140-2 validated encryption.