Manish Chacko

Data At Rest Encryption

So, what is encryption and why might an organization care? Let’s start with the basics: encryption transforms data so that only the holders of the corresponding key can read it. Organizations that need encryption to protect sensitive data include federal, state and local governments, healthcare, financial services, and any industry with strict regulatory compliance obligations such as GDPR. In practical terms, if somebody pulls a disk out of your array and tries to read it, all they get is ciphertext, because the key that unlocks it never left your control. I am excited to walk through the DataCore SANsymphony encryption feature, which provides exactly that extra layer of security. Turning the feature on comes at a trivial cost (1 to 3% CPU, with no impact on RAM), and it requires no configuration changes on the end user side, manual or otherwise.

Let’s start with the underlying technology of the encryption feature implemented in the SANsymphony software. It uses Microsoft’s Cryptography API: Next Generation (CNG) and the AES-XTS algorithm with 256-bit keys (for context, US Government guidance allows AES-128 for SECRET and requires AES-256 for TOP SECRET information). Note that XTS runs two AES keys side by side, one for the data and one for the per-sector tweak, so AES-256-XTS consumes 512 bits of key material. Windows Server® 2016 and later versions added the kernel-mode CNG support this feature relies on, so they are a requirement for enabling it.
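What AES-XTS actually does for a disk is easiest to see in code. The following is an added example and not code from this post or from SANsymphony: a minimal XTS-AES (IEEE P1619, the same construction CNG implements) built on Go’s standard crypto/aes instead of CNG. The names NewXTS, EncryptSector, DecryptSector and RunDemo, the constructed demo keys and the 512-byte sample sector are all my own. It shows that the same plaintext encrypts differently at different LBAs, that a different key recovers only garbage, and that flipping one ciphertext bit silently corrupts exactly one 16-byte block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// XTS-AES (IEEE P1619): k1 encrypts the data blocks, k2 encrypts the sector
// number into a per-sector tweak. AES-256-XTS uses two 256-bit keys (64 bytes).
type XTS struct{ k1, k2 cipher.Block }

func NewXTS(key []byte) (*XTS, error) {
	if len(key) != 64 {
		return nil, fmt.Errorf("AES-256-XTS needs 64 key bytes, got %d", len(key))
	}
	k1, _ := aes.NewCipher(key[:32]) // cannot fail for a 32-byte key
	k2, _ := aes.NewCipher(key[32:])
	return &XTS{k1, k2}, nil
}

// mulAlpha multiplies the tweak by x in GF(2^128) (P1619 little-endian convention).
func mulAlpha(t []byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	t[0] ^= 0x87 * carry // reduce by the field polynomial if a bit fell off the top
}

// process encrypts or decrypts one whole sector; ciphertext stealing is omitted.
func (x *XTS) process(src []byte, lba uint64, enc bool) ([]byte, error) {
	if len(src)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("sector length %d is not a multiple of 16", len(src))
	}
	tweak := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(tweak, lba)
	x.k2.Encrypt(tweak, tweak)
	dst := make([]byte, len(src))
	for off := 0; off < len(src); off += aes.BlockSize {
		blk := dst[off : off+aes.BlockSize]
		for i := range blk {
			blk[i] = src[off+i] ^ tweak[i]
		}
		if enc {
			x.k1.Encrypt(blk, blk)
		} else {
			x.k1.Decrypt(blk, blk)
		}
		for i := range blk {
			blk[i] ^= tweak[i]
		}
		mulAlpha(tweak) // every 16-byte block in the sector gets its own tweak
	}
	return dst, nil
}

func (x *XTS) EncryptSector(p []byte, lba uint64) ([]byte, error) { return x.process(p, lba, true) }
func (x *XTS) DecryptSector(c []byte, lba uint64) ([]byte, error) { return x.process(c, lba, false) }

type Demo struct {
	RoundTrip       bool // decrypt(encrypt(p)) == p
	SectorsDiffer   bool // equal sectors at different LBAs encrypt differently
	WrongKeyFails   bool // another key does not recover the plaintext
	BlocksCorrupted int  // 16-byte blocks damaged by flipping one ciphertext bit
}

func RunDemo() Demo {
	// Constructed demo keys; real key material comes from a CSPRNG or a key store.
	x, _ := NewXTS(bytes.Repeat([]byte("demo-xts-key-256"), 4))
	y, _ := NewXTS(bytes.Repeat([]byte("another-key-0000"), 4))
	// Constructed sample: a 512-byte sector of repeated 'A', low-entropy content that ECB would leak.
	plain := bytes.Repeat([]byte("A"), 512)
	c0, _ := x.EncryptSector(plain, 0)
	c1, _ := x.EncryptSector(plain, 1)
	p0, _ := x.DecryptSector(c0, 0)
	pw, _ := y.DecryptSector(c0, 0)
	var d Demo
	d.RoundTrip = bytes.Equal(p0, plain)
	d.SectorsDiffer = !bytes.Equal(c0, c1)
	d.WrongKeyFails = !bytes.Equal(pw, plain)
	// XTS gives confidentiality only: a flipped ciphertext bit still decrypts,
	// and exactly the touched 16-byte block comes back as garbage.
	tampered := append([]byte(nil), c0...)
	tampered[100] ^= 0x01
	pt, _ := x.DecryptSector(tampered, 0)
	for off := 0; off < len(plain); off += 16 {
		if !bytes.Equal(pt[off:off+16], plain[off:off+16]) {
			d.BlocksCorrupted++
		}
	}
	return d
}

func main() { fmt.Printf("%+v\n", RunDemo()) }
```

Run it with go run. Three points to take from it: XTS needs no stored IV because the tweak is derived from the sector number and advanced per block, so the on-disk layout stays sector-for-sector identical to the plaintext; AES-256-XTS really does consume two 256-bit keys; and the mode provides confidentiality only. A thief who pulls the disk cannot read it, but the mode does not detect someone who writes to it, so integrity has to come from elsewhere (checksums, backups, or an authenticated layer above the pool).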

To take advantage of this new feature, customers create new virtual disks (vDisks) whose data is encrypted at rest. Encryption covers only data at rest, i.e. on the storage medium; data in flight between hosts and the storage servers is not covered and needs separate protection (for example at the transport layer) if required. The encryption is completely transparent to application hosts, which continue to consume storage as if nothing had changed. A pool can also be mixed, containing both encrypted and unencrypted vDisks. To enable encryption for a vDisk, tick the Encryption check box in the vDisk creation dialog. This feature is typically used when you do not have self-encrypting drives and still need to safeguard the data on the disk.

Once a vDisk has been created as encrypted it cannot be converted to unencrypted, and an unencrypted vDisk cannot later be encrypted in place; as noted above, the two kinds can coexist in a hybrid pool. Because the encryption is software based, it works with all storage types. Cryptographic keys are generated, stored and handled in the local Windows key store. The encryption is applied at the lowest level of the thin-provisioned pools managed by SANsymphony; think of it as self-encrypting pools, analogous to the self-encrypting disks you may already be familiar with. Back up your encrypted data just as you do your unencrypted data sets, and remember that an encrypted vDisk is only as recoverable as its key, so the key store needs to be part of your recovery planning too.

In conclusion, encryption is a valuable feature for customers and organizations looking to safeguard their own data or that of their customers. It lets them offer an additional value-added service while meeting industry or governmental regulations at the same time.

