Articles in this section

Data Encryption

Sara Levy
  • Updated
Follow

Encryption of Data at Rest

As required by many regulated industries, VAST Cluster features the ability to encrypt the data that is saved on the cluster's disks (data 'at rest') to prevent access from unauthorized users.

When encryption is enabled, all data on the cluster is encrypted and decrypted transparently using 256-bit AES-XTS encryption. VAST Cluster generates a random 256-bit master key at cluster initialization. The master key is unique to the cluster and is not used to encrypt any data. Each group of data blocks that is written to the cluster is encrypted with a pseudo-randomly selected one of 10,000 highly variable encryption keys, which are derived from the master key pseudo-randomly using an HMAC-based key derivation function with SHA-512. So, for example, if a cluster stores 50PB of data, typically no more than 5TB is encrypted with any given key.

Encryption is disabled by default. It can be enabled at cluster creation when installing a new cluster or on a running cluster. If encryption is enabled on a running cluster, after installation, a rewrite is automatically triggered. The rewrite process rewrites all data on the cluster with encryption, scrubs the drives from any old unencrypted data and restripes the data across the drives.

FIPS 140-2 Validation

VAST Cluster encryption of data at rest is implemented using the VAST Data FIPS Object Module for OpenSSL, which is FIPS 140-2 validated. The NIST validation for the module can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4107.

Limitations

Note

  • External generation and management of keys is not supported.

  • Encryption keys cannot be replaced nor revoked.

Enabling Encryption at Cluster Installation

Caution

Enabling encryption is irreversible. Encryption cannot be disabled on a cluster.

Enabling Encryption During Cluster Creation via VAST Web UI

When you install the cluster using Easy Install, enable the Encryption optional setting at the General Settings stage.

Enabling Encryption During Cluster Creation via VAST CLI

When creating a new cluster using the cluster create CLI command, you must include the --enable-encryption option when you run the command.

For example:

vcli: admin> cluster create --cnode-ips 192.0.2.0,192.0.2.1,192.0.2.2,192.0.2.3 --dnode-ips 192.0.2.4,192.0.2.5 --name mycluster --psnt mycluster --enable-encryption

Enabling Encryption After Installation

Caution

Enabling encryption is irreversible. Encryption cannot be disabled on a cluster.

Impact of Enablement on a Running Cluster

Enabling Encryption during cluster operation triggers a rewrite of all the data and name blocks to ensure that all pre-existing data and name blocks on the cluster are encrypted.

The following are important points to note about the rewrite:

  • All data is typically rewritten during this rewrite and therefore the impact on storage media endurance is approximately similar to that of deleting all data on the cluster and writing it.

  • The rewrite proceeds as a background task that cannot be paused or stopped. In case of severe performance degradation, it may be possible for VAST Support to throttle the process and reduce the performance impact.

  • The rewrite may take a while, and may impact performance for workloads.

  • If expansions are planned, they should be done prior to enabling encryption so that the rewrite will utilize as many DBoxes as possible and minimize RAID overhead.

  • A combined option is available for enabling DBox High Availability and encryption simultaneously (detailed in the procedures below). If DBox HA is not yet enabled on the cluster and you intend to enable DBox HA, you should choose the combined option to avoid triggering a rewrite twice, when you enable each feature.

  • DBox expansion is not available while the rewrite is in progress.

Enabling Encryption from the VAST Web UI

  1. In the VAST Web UI, open the Cluster tab of the Settings page. You can reach this by searching at the top left or from navigation menu on the left of the page.

  2. In the New Features section, click Enable Encryption or Enable Encryption and DBox HA if you also plan to enable DBox High Availability.

    A confirmation prompt is displayed:

    These changes require rewrite and cannot be undone. Rewrite may impact workloads while it is in progress. Stopping rewrite requires support intervention. DBox expansion will not be available during rewrite. Are you sure you want to proceed?

  3. Click Yes if you are sure you would like to proceed.

    The rewrite begins and a progress bar appears at the top right of the page, reporting the current phase of the rewrite as it progresses and the percentage progress.

    When the rewrite is complete, the now inactive Enable Encryption and Enable Encryption and DBox HA buttons, as well as the Enable DBox HA button if you chose to enable DBox HA as well as encryption, are all disabled. The tooltip for the info icon next to the buttons changes to report that DBox HA and/or encryption is/are enabled.

Enabling Encryption from the VAST CLI

  1. Run the cluster modify command with the --enable-encryption option, or, if you wish to enable DBox High Availability at the same time, run the command cluster modify --enable-encryption --enable-dbox-ha:

    Note

    Enabling both options at the same time reduces impact on drives and can reduce impact on workloads.

    For encryption without DBox HA:

    vcli: admin> cluster modify --enable-encryption

    For encryption with DBox HA:

    vcli: admin> cluster modify --enable-encryption --enable-dbox-ha

    You are warned:

    Enabling Encryption/DBox HA support triggers a required rewrite of current data. Are you sure you want to proceed? [y/N]

  2. Enter 'y' to confirm that you want to proceed.

    The rewrite begins.

  3. You can now monitor the progress of the rewrite. Enter the command cluster show. The command output includes the following fields:

    • Rewrite-phase. During the rewrite, one of the main phases appears here. The order of the phases is:

      1. INTERNAL_PRE_REWRITE

      2. DATA_REWRITE_PRE

      3. DATA_REWRITE_SCRUB

      4. DATA_REWRITE

      5. LAYOUT_REWRITE_PRE

      6. LAYOUT_REWRITE

      7. FINALIZE

    • Rewrite-progress. This shows the percentage progress of the current phase of the rewrite. When it reaches 100% of the final phase, the rewrite is complete.

      Encryption (and DBox HA capability if applicable) is now fully enabled.

Encryption of Data Over-the-Wire

Encryption of data over-the-wire is the encryption of data as it is transmitted over network connections to protect the data in transit from unauthorized access.

In a VAST Cluster deployment, data can be encrypted in transit between the client network and the cluster and on the internal cluster network.

Encryption of data between the client network and the cluster

Data is encrypted on the following connections:

  • Clients using the S3 protocol can connect with the cluster over HTTPS connection. The HTTPS connection is encrypted using the VAST Data FIPS 140-2 Object Module for OpenSSL, which is FIPS 140-2 validated. The NIST validation for the module can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4107.

  • VMS traffic is encrypted using TLS.

  • Connection to an external LDAP server can be encrypted using TLS. This is an optional setting in the LDAP configuration.

Encryption of Data on the Internal Network

When encryption is enabled on the cluster, data transfer between the servers and switches in the VAST Cluster network is also encrypted with FIPS 140-2 validated encryption.

Related articles

Comments

0 comments

Article is closed for comments.