VAST Data Platform provides encryption at rest with full support for multi-tenant environments. Encryption is applied at the encryption group level, enabling secure tenant isolation and encryption path (view) isolation.
Encryption Models: IKM vs. EKM
| Model | Description | CSP Consideration |
|---|---|---|
| IKM (Internal Key Management) | Keys are generated and managed internally by VAST | Simple deployment; suitable where tenants share a key, or in environments where tenants share the same encryption group. |
| EKM (External Key Management) | Keys are managed by an external KMS (e.g., HashiCorp Vault Enterprise, Thales CipherTrust Data Security Platform). Full list of supported EKM solutions: | Enables external key control and compliance use cases; supports secure erase by revoking/deleting keys. |
Encryption is applied per encryption group (tenant or encryption path scope).
Data reduction (deduplication and similarity reduction) operates only within the same encryption group.
Using separate encryption groups per tenant improves isolation, but reduces cross-tenant data reduction efficiency.
Note: The ‘default’ tenant uses IKM-managed encryption without an external KMS dependency.
External Key Management (EKM)
With EKM, an external key manager controls the encryption keys and manages their lifecycle for the VAST cluster.
A single EKM is configured per cluster (see roadmap below).
Connectivity to the EKM is via the management network (see roadmap below).
EKM setup and key management are performed by the Cluster Admin only.
Key Handling Model
VAST does not contact the EKM for every encrypt/decrypt operation.
DEKs (Data Encryption Keys) are retrieved during lifecycle events, such as service startup and leader election/failover.
DEKs are then used in memory on the data path, where the correct key is selected using the key ID stored in the data header.
The EKM must respond within ~5 seconds; if it does not, the request times out and the operation fails.
Reference: Enabling EKM encryption
Encryption Groups
Encryption groups are part of the cluster security boundary. To use encryption with an EKM for multiple tenants, an encryption group must be assigned at tenant creation or encryption path creation. Multiple tenants can share the same encryption group. The group cannot be changed after the tenant is created.
An encryption group defines the key (DEK) scope, which is assigned to data paths (tenant/views).
Encryption groups are managed only by Cluster Admin.
Use at least one encryption group per tenant for the best isolation between tenants; this is required to support secure erase operations.
Encryption Group is assigned as part of the tenant creation, as shown in the figure below (Web UI):
[Figure: Web UI, tenant creation with Encryption Group assignment]
Reference: Managing encryption groups and keys
Encrypted Paths
Encryption can be applied at the path/view level.
Each encrypted path is associated with a specific encryption group (DEK).
Encrypted paths can NOT be created or managed at the tenant level (Tenant Admin).
After the Cluster Admin creates the encryption path for the tenant, the Tenant Admin can create a view under that path; the view is then associated with the path.
The path location and tenant association cannot be changed after creation.
The DEK for a group is created when the encryption path is created.
Creating encryption path:
Web UI: Element Store → Encryption Path → ‘Create Encryption Paths.’
[Figure: Web UI, Create Encryption Paths dialog]
API: encryptedpath create --name epath1 --path /epath1 --tenant-id 2
Reference: Managing encrypted paths
Enabling Encryption
New Cluster
Encryption is configured during cluster deployment.
The cluster is initialized with:
IKM (default), or
EKM (external KMS integration)
This determines how encryption groups obtain and manage keys.
Existing Cluster
Encryption can be enabled after installation.
Requires:
Configuring key management (IKM or EKM).
Creating encryption groups.
Assigning encrypted paths to those groups.
References:
Keys Management Operations
Note: Key management operations are restricted to the Cluster Admin; they are not available to tenant users.
| Operation | Scope | Description | Web UI | CLI |
|---|---|---|---|---|
| List Encryption Groups | Cluster | View existing encryption groups and keys | N/A (no direct UI view) | encryptiongroup list |
| List Encrypted Paths | Cluster | View encrypted paths and associated encryption groups | Element Store → Encrypted Paths | encryptedpath list |
| Deactivate Key | Tenant | Deactivates the encryption key; data written with the key cannot be accessed unless reinstated | Element Store → Tenants → Edit Tenant → Deactivate Key | tenant alter-encryption-group-state --id ID --state inactive |
| Deactivate Key | Encrypted Path | Deactivates the key for the encrypted path; associated data cannot be accessed unless reinstated | Element Store → Encrypted Paths → Edit → Deactivate Key | encryptedpath deactivate-encryption-group-key --id ID |
| Reinstate Key | Tenant | Reinstates a deactivated key and restores access to the data | Element Store → Tenants → Edit Tenant → Activate Key | encryptiongroup reinstate-encryption-group --id ID |
| Reinstate Key | Encrypted Path | Reinstates the key for the encrypted path and restores access | Element Store → Encrypted Paths → Edit → Activate Key | encryptedpath reinstate-encryption-group-key --id ID |
| Revoke Key (Secure Erase) | Tenant | Permanently deletes the key; data becomes unrecoverable | Element Store → Tenants → Edit Tenant → Revoke Key | encryptiongroup revoke-encryption-group --id ID |
| Revoke Key (Secure Erase) | Encrypted Path | Permanently deletes the key for the path; data becomes unrecoverable | Element Store → Encrypted Paths → Edit → Revoke Key | encryptedpath revoke-encryption-group --id ID |
| Rotate Key (Rekey) | Tenant | Rotates the key; new data is encrypted with a new key | Element Store → Tenants → Edit Tenant → Rotate Key | tenant rotate-encryption-group-key --id ID |
| Rotate Key (Rekey) | Encrypted Path | Rotates the key for the encrypted path | Element Store → Encrypted Paths → Edit → Rotate Key | encryptedpath rotate-encryption-group-key --id ID |
| Rotate Master Key | Cluster | Rotates the cluster-level master key protecting encryption keys | System → Security | cluster rotate-master-key |
Reference: Managing encryption groups and keys
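The following is an added illustration, not VAST code, of two points made above: the key-handling model (the record header carries a key ID that selects an in-memory DEK) and the semantics of the deactivate, reinstate, revoke and rotate operations in the table. The class name, the key-ID counter and the SHA-256 counter keystream that stands in for the real data-path cipher are all assumptions of this example.

```python
import hashlib
import secrets

ACTIVE, INACTIVE, REVOKED = "active", "inactive", "revoked"


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter keystream (unauthenticated), a stand-in for the real cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class EncryptionGroup:
    """One encryption group: its in-memory DEK ring plus lifecycle state (assumed model)."""
    def __init__(self, name: str):
        self.name, self.state, self.keys, self.current = name, ACTIVE, {}, 0
        self.rotate()  # a DEK exists as soon as the group/path is created

    def rotate(self) -> int:
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(32)  # old DEKs stay for old data
        return self.current

    def deactivate(self):
        if self.state == ACTIVE:
            self.state = INACTIVE

    def reinstate(self):
        if self.state == REVOKED:
            raise PermissionError("a revoked key cannot be reinstated")
        self.state = ACTIVE

    def revoke(self):
        self.keys.clear()  # secure erase: without the DEKs the ciphertext is unrecoverable
        self.state = REVOKED

    def encrypt(self, plaintext: bytes) -> tuple:
        if self.state != ACTIVE:
            raise PermissionError(f"group {self.name} is {self.state}")
        nonce = secrets.token_bytes(12)
        # The record header carries the key ID so a later read picks the right DEK.
        return self.current, nonce, _xor_stream(self.keys[self.current], nonce, plaintext)

    def decrypt(self, record: tuple) -> bytes:
        key_id, nonce, ct = record
        if self.state != ACTIVE or key_id not in self.keys:
            raise PermissionError(f"key {key_id} of group {self.name} is unavailable")
        return _xor_stream(self.keys[key_id], nonce, ct)
```

Rotating leaves records written under earlier key IDs readable, deactivating blocks reads until reinstated, and revoking destroys every DEK so that no later operation can restore access.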
Future Enhancements (Roadmap)
Support for multiple EKMs per cluster (per-tenant KMS).
Support for EKM connectivity via customer/data network.
Expected in VAST 5.6.x or later.