As required by many regulated industries, VAST Cluster can encrypt the data stored on the cluster's disks (data 'at rest') so that it cannot be read by an unauthorized party, for example someone who obtains a drive removed from the cluster.
When encryption is enabled, all data on the cluster is encrypted and decrypted transparently using 256-bit AES-XTS. VAST Cluster generates a random 256-bit master key at cluster initialization. The master key is unique to the cluster and is never used to encrypt data directly. Instead, each group of data blocks written to the cluster is encrypted with one of 10,000 data keys, selected pseudo-randomly per write; the data keys are derived from the master key using an HMAC-based key derivation function (HKDF) with SHA-512. So, for example, if a cluster stores 50PB of data, typically no more than 5TB is encrypted under any single key.
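The following example illustrates the key hierarchy described above: a random master key that never touches data, per-slot data keys derived from it with HKDF over HMAC-SHA-512 (RFC 5869), and a pseudo-randomly assigned key index that is stored with each block group so the same key can be re-derived for decryption. It is an added example written for this page using only the Python standard library; it is not VAST Data's implementation, and the `b"data-key"` label, the 2-byte index encoding, the empty salt and the selection mechanism are assumptions.

```python
"""Key hierarchy illustration: master key -> HKDF-SHA-512 -> 10,000 data keys.

Added example, not VAST Data code. Labels, index width and salt are assumed.
"""
import hashlib
import hmac
import os
import secrets

KEY_COUNT = 10_000   # number of derived data keys, as stated in the text
XTS_KEY_LEN = 64     # AES-XTS with two 256-bit AES keys needs 512 bits of key material


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha512") -> bytes:
    """RFC 5869 Extract step: PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha512") -> bytes:
    """RFC 5869 Expand step: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), i = 1..N."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand output too long for this hash")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha512") -> bytes:
    """Full HKDF: Extract followed by Expand."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def generate_master_key() -> bytes:
    """256-bit random master key: created once per cluster, never used on data itself."""
    return os.urandom(32)


def derive_data_key(master_key: bytes, index: int) -> bytes:
    """Derive data key number `index` (0 .. KEY_COUNT-1) from the master key.
    Binding the index into HKDF's `info` gives every slot an independent
    512-bit AES-XTS key. The label b"data-key" is an assumption for this example."""
    if not 0 <= index < KEY_COUNT:
        raise ValueError("key index out of range")
    info = b"data-key" + index.to_bytes(2, "big")
    return hkdf(salt=b"", ikm=master_key, info=info, length=XTS_KEY_LEN)


def assign_key_index() -> int:
    """Pseudo-random key slot for a newly written block group. Only this index
    (never the key) would be recorded with the block group's metadata, so the
    decrypt path calls derive_data_key(master_key, index) to get the same key."""
    return secrets.randbelow(KEY_COUNT)


if __name__ == "__main__":
    mk = generate_master_key()
    idx = assign_key_index()
    k = derive_data_key(mk, idx)
    assert k == derive_data_key(mk, idx)          # deterministic re-derivation on read
    assert k != derive_data_key(mk, (idx + 1) % KEY_COUNT)
    print(f"slot {idx}: {len(k) * 8}-bit XTS key {k[:8].hex()}...")
```

Because 10,000 keys of 64 bytes exceed the 255 × HashLen limit of a single HKDF-Expand, each slot is derived with its own `info` value rather than by slicing one long output; that also keeps the slots independent, so recovering one data key reveals nothing about the others or about the master key.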
Encryption is disabled by default. It can be enabled at cluster creation when installing a new cluster, or later on a running cluster. If encryption is enabled on a running cluster, a rewrite is triggered automatically. The rewrite re-encrypts all data on the cluster, scrubs the drives of any remaining unencrypted data and restripes the data across the drives.
VAST Cluster encryption of data at rest is implemented using the VAST Data FIPS Object Module for OpenSSL, which is FIPS 140-2 validated. The NIST validation for the module can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4107.
External generation and management of keys is not supported.
Encryption keys cannot be replaced or revoked.
Enabling encryption is irreversible. Encryption cannot be disabled on a cluster.
When you install the cluster using Easy Install, enable the Encryption optional setting at the General Settings stage.
When creating a new cluster using the cluster create CLI command, you must include the --enable-encryption option when you run the command:
vcli: admin> cluster create --cnode-ips 192.0.2.0,192.0.2.1,192.0.2.2,192.0.2.3 --dnode-ips 192.0.2.4,192.0.2.5 --name mycluster --psnt mycluster --enable-encryption
Enabling encryption on a running cluster triggers a rewrite of all data and name blocks, so that all pre-existing data and name blocks on the cluster are encrypted.
The following are important points to note about the rewrite:
All data is rewritten during this rewrite, so the impact on storage media endurance is comparable to deleting all data on the cluster and writing it again.
The rewrite proceeds as a background task that cannot be paused or stopped. In case of severe performance degradation, it may be possible for VAST Support to throttle the process and reduce the performance impact.
The rewrite can take a long time and may degrade workload performance while it runs.
If expansions are planned, they should be done prior to enabling encryption so that the rewrite will utilize as many DBoxes as possible and minimize RAID overhead.
A combined option is available for enabling DBox High Availability and encryption simultaneously (detailed in the procedures below). If DBox HA is not yet enabled on the cluster and you intend to enable it, choose the combined option so that only one rewrite is triggered instead of one per feature.
DBox expansion is not available while the rewrite is in progress.
In the VAST Web UI, open the Cluster tab of the Settings page. You can reach it by searching at the top left or from the navigation menu on the left of the page.
In the New Features section, click Enable Encryption or Enable Encryption and DBox HA if you also plan to enable DBox High Availability.
A confirmation prompt is displayed:
These changes require rewrite and cannot be undone. Rewrite may impact workloads while it is in progress. Stopping rewrite requires support intervention. DBox expansion will not be available during rewrite. Are you sure you want to proceed?
Click Yes if you are sure you would like to proceed.
The rewrite begins and a progress bar appears at the top right of the page, reporting the current phase of the rewrite as it progresses and the percentage progress.
When the rewrite is complete, the Enable Encryption and Enable Encryption and DBox HA buttons are disabled, as is the Enable DBox HA button if you enabled DBox HA together with encryption. The tooltip for the info icon next to the buttons changes to report that encryption (and DBox HA, if applicable) is enabled.
In the VAST CLI, run the cluster modify command with the --enable-encryption option, or, if you wish to enable DBox High Availability at the same time, run cluster modify --enable-encryption --enable-dbox-ha:
Enabling both options in one command triggers a single rewrite, which reduces wear on the drives and can reduce the impact on workloads.
For encryption without DBox HA:
vcli: admin> cluster modify --enable-encryption
For encryption with DBox HA:
vcli: admin> cluster modify --enable-encryption --enable-dbox-ha
You are warned:
Enabling Encryption/DBox HA support triggers a required rewrite of current data. Are you sure you want to proceed? [y/N]
Enter 'y' to confirm that you want to proceed.
The rewrite begins.
You can now monitor the progress of the rewrite by running the cluster show command. The command output includes the following fields:
Rewrite-phase. During the rewrite, one of the main phases appears here. The order of the phases is:
Rewrite-progress. This shows the percentage progress of the current phase of the rewrite. When it reaches 100% in the final phase, the rewrite is complete.
Encryption (and DBox HA capability if applicable) is now fully enabled.
Encryption of data over the wire is the encryption of data as it is transmitted over network connections, protecting data in transit from unauthorized access.
In a VAST Cluster deployment, data can be encrypted in transit between the client network and the cluster, and on the internal cluster network.
Data is encrypted on the following connections:
Clients using the S3 protocol can connect to the cluster over HTTPS. The HTTPS connection is encrypted using the VAST Data FIPS Object Module for OpenSSL, which is FIPS 140-2 validated. The NIST validation for the module can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4107. Because HTTPS is optional on the client side, S3 clients should be configured to use only HTTPS endpoints if encryption in transit is required.
VMS traffic is encrypted using TLS.
The connection to an external LDAP server can be encrypted using TLS. This is an optional setting in the LDAP configuration.
When encryption is enabled on the cluster, data transfer between the servers and switches in the VAST Cluster network is also encrypted with FIPS 140-2 validated encryption.