
Data At Rest Encryption

So, what is encryption and why might an organization care?

Let’s start with the basics: encryption is the process of encoding data in such a manner that only designated, authorized people can access it. Organizations that need encryption to protect sensitive data include Federal, State & Local governments, healthcare, financial services, and any industry with strict regulatory compliance needs, such as GDPR. Basically, if somebody removes your disk and tries to access the data, they will be unable to do so, since only you hold the key that unlocks the encryption.

I am excited to discuss this DataCore SANsymphony encryption feature, which provides an extra layer of security. Turning this feature on comes at a trivial cost (1 to 3% CPU, with no impact on RAM). There are also no configuration changes needed by the end user, manual or otherwise.

Let’s start with the underlying technology of the encryption feature implemented in the SANsymphony software. We use the Cryptographic API: Next Generation (CNG) developed by Microsoft® and the AES-XTS algorithm with 256-bit key strength, which is fully supported (to provide context, the US Govt uses 128-bit keys for SECRET and 256-bit keys for TOP SECRET information). Windows Server® 2016 and higher versions added kernel-mode support for the Microsoft CNG library, so one of these versions is a requirement to enable this feature.

To take advantage of this new feature, customers can create new virtual disks, or “vDisks,” where data will be encrypted at rest. Encryption is only applied to data at rest, i.e. on your storage medium, and not to data in flight. The encryption process is completely transparent to application hosts, which means they can continue to consume storage as if nothing has changed. Customers can also have a “mixed” pool with both encrypted and non-encrypted disks. To enable encryption for a vDisk, tick the encryption check box when creating the vDisk, as seen below. This feature is typically used when you do not have self-encrypting drives and need to safeguard the data on the disk.

[Image: the vDisk creation dialog with the encryption check box]

Once an encrypted vDisk is created, it cannot be converted to unencrypted, and an unencrypted vDisk cannot be converted to encrypted. However, as mentioned above, you can have a “hybrid pool” containing a mixture of encrypted and unencrypted vDisks. This software-based encryption is universal in that it works with all storage types. The local Windows key store is used to manage and store the cryptographic keys. The encryption is performed at the lower level of the thin-provisioned pools managed by SANsymphony. Think of this as self-encrypting pools, akin to the self-encrypting disks concept you might be familiar with. It is a best practice to back up your encrypted data just as you do with your unencrypted data sets.
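As an added illustration that is not DataCore's code, the following Python uses the `cryptography` library to apply AES-256-XTS per sector with the sector number as the XTS tweak, which is how a block-level data-at-rest scheme keeps ciphertext the same size as plaintext (so hosts see nothing change) while identical data in different sectors encrypts differently. The 512-byte sector size, the key handling and the `cryptography` library are assumptions for this example; the page does not describe SANsymphony's internal layout.

```python
# Added example (not DataCore's code): AES-256-XTS applied per 512-byte sector,
# using the sector number as the tweak, as a block-level data-at-rest scheme does.
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512  # assumed sector size for this illustration


def xts_key() -> bytes:
    # AES-256-XTS needs two 256-bit keys (64 bytes): one for data, one for the tweak.
    # In production the key lives in a key store (the page names the Windows key store).
    return os.urandom(64)


def _tweak(sector_number: int) -> bytes:
    # IEEE 1619 encodes the data-unit (sector) number as a 128-bit little-endian value.
    return sector_number.to_bytes(16, "little")


def encrypt_sector(key: bytes, sector_number: int, plaintext: bytes) -> bytes:
    assert len(plaintext) == SECTOR_SIZE
    enc = Cipher(algorithms.AES(key), modes.XTS(_tweak(sector_number))).encryptor()
    return enc.update(plaintext) + enc.finalize()


def decrypt_sector(key: bytes, sector_number: int, ciphertext: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.XTS(_tweak(sector_number))).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def demo() -> dict:
    key = xts_key()
    # Constructed sample sector content, padded to a full sector.
    block = b"PATIENT RECORD: constructed sample data ".ljust(SECTOR_SIZE, b"\x00")
    c0 = encrypt_sector(key, 0, block)
    c1 = encrypt_sector(key, 1, block)  # same plaintext written to a different sector
    wrong_key = os.urandom(64)
    return {
        "length_preserved": len(c0) == SECTOR_SIZE,   # no expansion: fits the same sector
        "sector_tweak_differs": c0 != c1,             # identical data does not repeat on disk
        "roundtrip_ok": decrypt_sector(key, 0, c0) == block,
        "wrong_key_fails": decrypt_sector(wrong_key, 0, c0) != block,  # pulled disk, no key
        "wrong_sector_fails": decrypt_sector(key, 1, c0) != block,     # ciphertext moved
    }


if __name__ == "__main__":
    print(demo())
```

Note that XTS provides confidentiality only: a modified ciphertext sector still decrypts to something, which is one reason the page's advice to keep backups of encrypted data applies.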


In conclusion, encryption is a valuable feature for customers and organizations looking to safeguard their own data or their customers’ data. It enables them to offer an additional value-added service while simultaneously meeting industry or governmental regulations.

To learn more about DataCore’s data-at-rest encryption, read the white paper or visit the encryption data services page.
