Security Measures Necessary to Protect Data When Disk Drives Leave Your Control

Data-at-Rest Encryption

Download White Paper


The threat alert from bad actors eager to steal confidential data seems constantly elevated. While headlines shine a spotlight on hackers breaking into live systems, another less publicized vulnerability needs equal attention. Disk drives falling into unintended hands during seemingly routine maintenance and disposal. Some examples include:

  • Disks sent for repair
  • Returned under warranty
  • Lease expires
  • EOL (end of life)
  • Discarded following a failure
  • Retired
  • Sold
  • Repurposed
  • Stolen drives

Data-at-rest encryption provides the single best way to thwart would-be data thieves when your disk drives land in their possession. In the ensuing sections you’ll learn how DataCore employs advanced cryptographic algorithms as a vital component of your information security shield.

Scrambling the Bits on Disk

Unlike in-flight encryption, where bits are scrambled as they travel over networks, data-at-rest encryption occurs as data gets stored on disk -which happens to be where data spends most of the time.

In years past this had been accomplished on intelligent shared storage arrays that have encryption built in, albeit at a higher cost, or through deliberate installation of self-encrypted drives inside your servers. DataCore offers a far more appealing alternative. Use simpler, lower cost hardware and encrypt them all using an in-band software layer – an intrinsic function of the DataCore™ Software-defined storage (SDS) solution. Encryption is just one of several invaluable data services available from the scalable platform.


Device-Independent Infrastructure-Wide Functions:

storage virtualization

  1. Encryption
  2. Synchronous replication
  3. Asynchronous replication
  4. Continuous Data Protection (CDP)
  5. Snapshots and others

Eliminate Hardware Dependencies, Drive Down Costs, Increase Selection

Encrypting data at the SDS layer affords several benefits by removing hardware dependencies. Now you can employ diverse models and brands of disks in your virtual storage pools under uniform security policies and procedures. You are free to choose from the wide selection of storage devices regularly appearing in the market, no longer limited to the few capable of embedded security. Nor do you have to spend more on the hardware to cover the added cost of encryption. Instead, storage devices become interchangeable. Use the assets already in place – no need for special upgrades or separately-priced options.

When it’s time to expand capacity or replace existing gear, shop around from competing suppliers for the most attractive new offerings.

Strong 256-Bit Advanced Block-Level Encryption

DataCore employs XTS-AES 256 bit cryptographic encoding recognized globally as a proven deterrent against decryption by even the best-equipped adversaries. The process also ensures that different disk blocks with identical data are encrypted differently.

Several editions of the DataCore product offer the encryption service on nodes running Windows Server 2016. The software calls Microsoft’s Cryptography API: Next Generation (CNG) for performance-optimized encoding and decoding using built-in AES NI instruction sets in the base server platform. Although an unauthorized person or program may find a way to read the bits on an encrypted virtual disk, they cannot do anything useful with the jumbled contents without the secure encryption/decryption keys needed to unveil the plain text.

Note: The Windows Server 2016 requirement is only for the instance of the operating system where the DataCore software encryption code runs. The client (host) consumer of encrypted virtual disks may be running previous versions of Window Server, Linux, HP-UX, AIX and Solaris host. Again, they only see the unencrypted images.

Key Management

XTS-AES scrambles the data using secure keys composed of unique, unpredictable random strings of bits. The keys are also used when unscrambling the data. DataCore software generates these keys automatically and saves them securely in a vault on the local SDS node. No separate key management system is necessary.

From the node’s administrative command prompt, use the DcsPoolKeyCli command to retrieve keys associated with specific storage pools.

You must make a copy of the secure keys and keep them in a separate safe location as a backup should the local node copy of the key be destroyed or inaccessible.

Without the keys, the virtual disks cannot be deciphered and their contents will be useless.

No Change to Applications, File Systems, Databases or Backups

Any application or individual accessing the encrypted virtual disks through the DataCore software services will see unencrypted data as they would with an unencrypted virtual disk. There is no need for recoding or recompiling programs. They need not be aware of the underlying encoding and deciphering.

Collection of Best Practices

Data-at-rest measures do not prevent hackers from penetrating the software environment. For this reason additional steps must be taken to prevent unauthorized individuals and malware from gaining privileged access to the servers and applications.

A comprehensive data security strategy requires that data-at-rest encryption be combined with other security Best Current Practices (BCPs) to be effective against broader threats, especially when complying with specific regulatory standards such as PCI-SS (Payment Card Industry Security Standard), HIPAA and FIPS 140 in financial, healthcare and government industries.

Responsible IT organizations must keep up with the latest countermeasures, reduce the attack surfaces and close vulnerabilities that are being exposed on a frequent basis. The Storage Networking Industry Association (SNIA) is a good source of guidance.

“As with any security project, acquiring technology is not the only step to properly protecting your data. Part of this process should include an evaluation of the current processes and security controls in place, such as physical access controls, environmental controls, and administrative controls. While there is no single set of requirements that applies to all organizations, this Guide can provide some baseline considerations.”

– SNIA Storage Security Industry Forum

Don’t Rely on Spinning Drives Being Sanitized

You may be considering wiping your hard disk drives clean before they are passed on to someone else. Possibly overwriting them. As the SNIA guide points out, these processes are far from “foolproof.” The more reliable methods like degaussing tend to be done at other locations, so the chance for attack exists while the drive is in transit.

Data Replication and Backups – Take Additional Precautions

Although the virtual disk is encrypted at-rest on the physical media, its data is unencrypted before being sent anywhere. That’s true whether the destination is an application, another DataCore node, or another internal process within the same node.

With this in mind, additional precautions should be exercised against eavesdroppers when replicating data remotely or making backup copies. Typically, DataCore customers employ network-embedded encryption in cross-campus or remote replication connections.

The better 3rd party backup software packages give you the choice of network data encryption as well as encrypting the backup copies stored on disk or tape.

Virtual Disk Granularity

Encryption is performed at the virtual disk level. You have the option to encrypt virtual disks when they are first created. The action can be initiated from the graphical user interface (GUI) or programmatically through either RESTful API calls or PowerShell Cmdlets. Simply select the Encrypted parameter in the Set Virtual Disk Properties panel during the creation. Such ease of use encourages widespread adherence. The software draws on previously zeroed and encrypted chunks of free space to begin the process.

Performance Considerations

Clearly the process of encoding the data before writing to disk and decoding it before presenting it to the client takes some finite time. Measurements of representative production environments reveal that the performance degradation attributed to the added security averages below 5%. Well worth the tradeoff.

Note: Cache reads from the DataCore node’s memory do not incur any encryption overhead. That data is in-flight and maintained unencrypted as the applications or users expect to see it.

Deduplication Impact

One of the curious byproducts of encryption is how it impacts downstream de-duplication. Since every block written to disk looks different from every other one, blocks that would have been duplicates in plain text no longer appear identical. This prevents downstream deduplication processes either in the DataCore nodes or on external storage arrays from detecting matching plain text patterns. Consequently, no data reduction can occur and the capacity savings you anticipated by keeping a single image of duplicate data does not materialize.

Exceptions to Encryption

There are a few cases where DataCore does not support encryption.

  • Models of the SDS software that explicitly omit encryption, such as the ST Edition
  • DataCore nodes running Windows Server earlier than 2016 that lack the kernel mode encryption
  • Pass-through disks (such as those used during migrations of external storage arrays) where the data must remain on the media as originally formatted
  • Shared multi-port array (SMPA) configurations
  • Unencrypted virtual disks

Note: Unencrypted virtual disks cannot be encrypted in place. Nor can encrypted virtual disks be unencrypted in place. Both actions require data migration to a new virtual disk for added safeguards. In the first case, DataCore recommends creating a new, encrypted virtual disk and copying the unencrypted data to it. Then pointing the application to the newly encrypted version. You’d follow a similar procedure for unencrypting.


The heightened urgency for the safekeeping of sensitive information requires extraordinary measures from IT, but they need not be so painful or expensive. Data-at-rest encryption from DataCore SDS products provides a convenient and generalized method for guarding confidential data on your disk drives anytime they are out of your control.

By implementing the strong cryptographic encoding at the storage virtualization layer, you can apply it universally across different models and brands of storage devices already in use as well as those in your immediate future. Yet, applications, file systems and databases remain unchanged. Taken together with complementary in-flight encryption and perimeter defenses puts you in a much better position to keep bad guys away.