As required by many regulated industries, VAST Cluster can encrypt the data saved on the cluster's disks (data 'at rest') to prevent access by unauthorized users.
When encryption is enabled, all data on each of the cluster's tenants is encrypted and decrypted transparently using 256-bit AES-XTS encryption. VAST Cluster generates a random 256-bit master key at cluster initialization. Keys can be managed internally or they can be stored externally by an external key manager (EKM). The master key is unique to the cluster with the internal key management option. With the EKM option, the master key can be unique to the cluster, to the tenant or to a group of tenants.
Encryption is disabled by default. It can be enabled at cluster creation when installing a new cluster. Encryption with internal management of encryption keys can also be enabled on a running cluster. If encryption is enabled on a running cluster after installation, a rewrite is triggered automatically. The rewrite process rewrites all data on the cluster with encryption, scrubs any old unencrypted data from the drives and restripes the data across the drives.
VAST Cluster encryption of data at rest is implemented using the VAST Data FIPS Object Module for OpenSSL, which is FIPS 140-2 validated. The NIST validation for the module can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4107.
External generation of keys is not supported.
External management of keys is supported only if enabled at cluster installation.
Enabling encryption is irreversible. Encryption cannot be disabled on a cluster.
Through the VAST Web UI (Easy Install), encryption can be enabled only with internal key management. The EKM option can be enabled only with the VAST CLI.
When you install the cluster using Easy Install, enable the Encryption optional setting at the General Settings stage.
When creating a new cluster using the cluster create CLI command, include the following options on the command line:
--enable-encryption: Enables encryption.
--encryption-type INTERNAL|EXTERNAL_KEY_MANAGER: Specifies the type of key management. INTERNAL = internally managed keys. EXTERNAL_KEY_MANAGER = keys stored on an External Key Manager (EKM).
--ekm-address EKM_ADDRESS: Provide the IP address or DNS name of the EKM as
--ekm-port PORT: Provide the port number for connections to the EKM.
This example enables encryption with internal key management:
vcli: admin> cluster create --cnode-ips 192.0.2.0,192.0.2.1,192.0.2.2,192.0.2.3 --dnode-ips 192.0.2.4,192.0.2.5 --name mycluster --psnt mycluster --enable-encryption --encryption-type INTERNAL [...]
This example enables encryption with external key management:
vcli: admin> cluster create --name vast99-az --build release-4-6-0-917050 --cnode-ips 172.16.3.173,172.16.3.174,172.16.3.175,172.16.3.176 --dnode-ips 172.16.3.37,172.16.3.38 --defrag-threshold 85 --cnode-cores 14 --enable-encryption --encryption-type EXTERNAL_KEY_MANAGER --ekm-address 10.71.2.117 --ekm-port 5696
If encryption is enabled with EKM, an encryption group Cloud Resource Name (CRN) is required at tenant creation. The CRN is an identifier of an encryption group on the configured EKM. The CRN cannot be changed per tenant after tenant creation. Providing the same CRN for multiple tenants is supported.
Encryption keys can be revoked and reinstated per encryption group. When keys are revoked, the keys can no longer be used and data that was written with the revoked key can no longer be accessed (unless reinstated). To revoke or reinstate encryption keys, use the tenant alter-encryption-group-state VAST CLI command.
When enabling encryption after installation, external management of encryption keys is not supported.
Enabling Encryption during cluster operation triggers a rewrite of all the data and name blocks to ensure that all pre-existing data and name blocks on the cluster are encrypted.
The following are important points to note about the rewrite:
All data is typically rewritten during this rewrite, so the impact on storage media endurance is comparable to deleting all data on the cluster and writing it again.
The rewrite proceeds as a background task that cannot be paused or stopped. In case of severe performance degradation, it may be possible for VAST Support to throttle the process and reduce the performance impact.
The rewrite may take a long time and may affect workload performance while it runs.
If expansions are planned, they should be done prior to enabling encryption so that the rewrite will utilize as many DBoxes as possible and minimize RAID overhead.
A combined option is available for enabling DBox High Availability and encryption simultaneously (detailed in the procedures below). If DBox HA is not yet enabled on the cluster and you intend to enable it, choose the combined option so that the rewrite is triggered once rather than once per feature.
DBox expansion is not available while the rewrite is in progress.
In the VAST Web UI, open the Cluster tab of the Settings page. You can reach this by searching at the top left or from the navigation menu on the left of the page.
In the New Features section, click Enable Encryption or Enable Encryption and DBox HA if you also plan to enable DBox High Availability.
A confirmation prompt is displayed:
These changes require rewrite and cannot be undone. Rewrite may impact workloads while it is in progress. Stopping rewrite requires support intervention. DBox expansion will not be available during rewrite. Are you sure you want to proceed?
Click Yes if you are sure you would like to proceed.
The rewrite begins and a progress bar appears at the top right of the page, reporting the current phase of the rewrite as it progresses and the percentage progress.
When the rewrite is complete, the Enable Encryption and Enable Encryption and DBox HA buttons are disabled, as is the Enable DBox HA button if you enabled DBox HA together with encryption. The tooltip for the info icon next to the buttons changes to report that DBox HA and/or encryption is enabled.
In the VAST CLI, run the cluster modify command with the --enable-encryption option, or, if you wish to enable DBox High Availability at the same time, run the command cluster modify --enable-encryption --enable-dbox-ha:
Enabling both options at the same time reduces impact on drives and can reduce impact on workloads.
For encryption without DBox HA:
vcli: admin> cluster modify --enable-encryption
For encryption with DBox HA:
vcli: admin> cluster modify --enable-encryption --enable-dbox-ha
You are warned:
Enabling Encryption/DBox HA support triggers a required rewrite of current data. Are you sure you want to proceed? [y/N]
Enter 'y' to confirm that you want to proceed.
The rewrite begins.
You can now monitor the progress of the rewrite. Enter the command cluster show. The command output includes the following fields:
Rewrite-phase. During the rewrite, one of the main phases appears here. The order of the phases is:
Rewrite-progress. This shows the percentage progress of the current phase of the rewrite. When it reaches 100% of the final phase, the rewrite is complete.
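As an added illustration, not VAST's own code or output, the following Python helper parses cluster show output for the Rewrite-phase and Rewrite-progress fields described above. It assumes a "Field: value" line layout and uses placeholder phase names, since this page does not list the phases; the point it makes is that Rewrite-progress is per phase, so a monitor must compare (phase, percent) rather than the percentage alone.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption (not from the VAST docs): `cluster show` prints one "Field: value"
# pair per line. Adjust FIELD_RE if your CLI build formats the output differently.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*:\s*(?P<value>.*?)\s*$")

# Placeholder phase names: replace with the ordered phases your cluster reports.
REWRITE_PHASES = ["PHASE_1_PLACEHOLDER", "PHASE_2_PLACEHOLDER", "PHASE_3_PLACEHOLDER"]


@dataclass(frozen=True)
class RewriteStatus:
    phase: Optional[str]     # Rewrite-phase value, None when no rewrite is running
    progress: Optional[int]  # Rewrite-progress as a percentage of the current phase
    state: str               # "idle", "in_progress" or "complete"


def parse_cluster_show(text: str) -> dict:
    """Map lower-cased field names to their values."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").lower()] = m.group("value")
    return fields


def rewrite_status(text: str, phases=REWRITE_PHASES) -> RewriteStatus:
    fields = parse_cluster_show(text)
    phase = fields.get("rewrite-phase") or None
    m = re.search(r"\d+", fields.get("rewrite-progress", ""))
    progress = int(m.group()) if m else None
    if phase is None:
        return RewriteStatus(None, progress, "idle")
    # Progress resets at each phase boundary: only 100% of the last phase is "done".
    if phase == phases[-1] and progress == 100:
        return RewriteStatus(phase, progress, "complete")
    return RewriteStatus(phase, progress, "in_progress")


def rewrite_ordinal(status: RewriteStatus, phases=REWRITE_PHASES):
    """Monotonic (phase index, percent) key for comparing two polls; raw percentages
    would misread 100% -> 0% at a phase change as regression. None if phase unknown."""
    if status.phase is None or status.phase not in phases:
        return None
    return (phases.index(status.phase), status.progress or 0)


# Constructed sample outputs (not captured from a real cluster).
SAMPLE_IN_PROGRESS = "Name: mycluster\nRewrite-phase: PHASE_2_PLACEHOLDER\nRewrite-progress: 37%\n"
SAMPLE_DONE = "Name: mycluster\nRewrite-phase: PHASE_3_PLACEHOLDER\nRewrite-progress: 100%\n"
SAMPLE_IDLE = "Name: mycluster\nRewrite-phase:\nRewrite-progress:\n"
```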
Encryption (and DBox HA capability if applicable) is now fully enabled.
Encryption of data over-the-wire is the encryption of data as it is transmitted over network connections to protect the data in transit from unauthorized access.
In a VAST Cluster deployment, data can be encrypted in transit between the client network and the cluster and on the internal cluster network.
Data is encrypted on the following connections:
Clients using the S3 protocol can connect to the cluster over an HTTPS connection. The HTTPS connection is encrypted using the VAST Data FIPS 140-2 Object Module for OpenSSL, which is FIPS 140-2 validated. The NIST validation for the module can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4107.
The connection between replication peers is encrypted using the VAST Data FIPS 140-2 Object Module for OpenSSL when the peer configuration is in secure mode (optional). See Encrypting Replication with mTLS for details.
VMS traffic is encrypted using TLS.
Connection to an external LDAP server can be encrypted using TLS. This is an optional setting in the LDAP configuration.
When encryption is enabled on the cluster, data transfer between the servers and switches in the VAST Cluster network is also encrypted with FIPS 140-2 validated encryption.