Encryption of Data at Rest


Overview

As required by many regulated industries, VAST Cluster features the ability to encrypt the data that is saved on the cluster's disks (data 'at rest') to prevent access by unauthorized users.

When encryption is enabled, all data on each of the cluster's tenants is encrypted and decrypted transparently using 256-bit AES-XTS encryption. VAST Cluster generates a random 256-bit master key at cluster initialization. Keys can be managed internally or by an external key manager (EKM). This feature supports the Thales Group CipherTrust Data Security Platform, versions 2.1 and 2.4. The master key is unique to the cluster with the internal key management option. With the EKM option, the master key is unique per encryption group, which can be per cluster, per tenant or per group of tenants.

Encryption is disabled by default. It can be enabled at cluster creation when installing a new cluster. Encryption with internal management of encryption keys can also be enabled on a running cluster. If encryption is enabled on a running cluster, after installation, a rewrite is automatically triggered. The rewrite process rewrites all data on the cluster with encryption, scrubs the drives of any old unencrypted data and restripes the data across the drives.

FIPS 140-3 Validation

VAST Cluster encryption of data at rest is FIPS 140-3 compatible.

Limitations

Note

  • External generation of keys is not supported.

  • External management of keys is supported only if enabled at cluster installation.

Enabling Encryption at Cluster Installation

Enabling Encryption During Cluster Creation via VAST Web UI

Encryption can be enabled with the VAST Web UI Easy Install utility with internal key management. The EKM option can be enabled with the VAST CLI.

When you install the cluster using Easy Install, enable the Encryption optional setting at the General Settings stage.

Enabling Encryption During Cluster Creation via VAST CLI

Note

Cluster creation is part of the cluster installation procedure and must be done in conjunction with VAST Data engineers. It is usually done using the VAST Data Easy Install utility. Depending on the specifics of the deployment, a CLI command line may be used instead, with guidance. The details below relate only to the encryption parameters provided in such a command line.  

When creating a new cluster using the cluster create CLI command, include the following command line options in the command line.

  • --enable-encryption. Enables encryption.

  • --encryption-type INTERNAL|CIPHER_TRUST_KMIP. Specifies the type of key management:

    INTERNAL = internally managed keys. CIPHER_TRUST_KMIP = keys stored on a Thales Group CipherTrust Data Security Platform.

  • If --encryption-type is CIPHER_TRUST_KMIP:

    • --ekm-servers EKM_ADDRESS1[:PORT1][,EKM_ADDRESS2[:PORT2][,EKM_ADDRESS3[:PORT3][,EKM_ADDRESS4[:PORT4]]]]. Specifies the IP addresses or DNS names and port numbers for up to four EKM servers. Valid port range: 1024 - 65535. Default: 5696.

    • --ekm-certificate CERTIFICATE. Specifies the SSL certificate for the connection to the EKM servers. Enter the certificate content encapsulated in quotation marks (""). Include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines from the certificate file content.

    • --ekm-private_key PRIVATE_KEY. Specifies the private key of the SSL certificate for connecting to the EKM servers. Enter the private key content encapsulated in quotation marks (""). Include the "-----BEGIN EC PRIVATE KEY-----" and "-----END EC PRIVATE KEY-----" lines from the private key file content.

This example enables encryption with internal key management:

vcli: admin> cluster create --cnode-ips 192.0.2.0,192.0.2.1,192.0.2.2,192.0.2.3 --dnode-ips 192.0.2.4,192.0.2.5 --name mycluster --psnt mycluster --enable-encryption --encryption-type INTERNAL [...]
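The --ekm-servers, --ekm-certificate and --ekm-private_key values described above can be checked before they are pasted into the cluster create command. The following is an added example, not VAST code: the function names are hypothetical, the sample values are constructed, addresses are assumed to be IPv4 or DNS names, and the PEM check is a shallow sanity check rather than certificate validation.

```python
import base64
import re

DEFAULT_PORT = 5696                # default EKM port stated on this page
MIN_PORT, MAX_PORT = 1024, 65535   # valid port range stated on this page
MAX_SERVERS = 4                    # up to four EKM servers
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def parse_ekm_servers(value):
    """Return [(host, port), ...] for an --ekm-servers value, or raise ValueError."""
    entries = [e.strip() for e in value.split(",")]
    if not 1 <= len(entries) <= MAX_SERVERS:
        raise ValueError(f"expected 1 to {MAX_SERVERS} servers, got {len(entries)}")
    servers = []
    for entry in entries:
        host, sep, port_text = entry.partition(":")
        if not HOST_RE.match(host):
            raise ValueError(f"bad address: {entry!r}")
        if sep and not port_text.isdigit():
            raise ValueError(f"bad port: {entry!r}")
        port = int(port_text) if sep else DEFAULT_PORT
        if not MIN_PORT <= port <= MAX_PORT:
            raise ValueError(f"port outside {MIN_PORT}-{MAX_PORT}: {entry!r}")
        servers.append((host, port))
    if len(set(servers)) != len(servers):
        raise ValueError("duplicate server entry")
    return servers

def check_pem(text, label):
    """Return the decoded length if text is one PEM block of type `label`."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != f"-----BEGIN {label}-----"
            or lines[-1] != f"-----END {label}-----"):
        raise ValueError(f"missing BEGIN/END {label} lines")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError as exc:      # binascii.Error is a ValueError subclass
        raise ValueError(f"{label} body is not valid base64") from exc
    if not der or der[0] != 0x30:  # DER structures start with a SEQUENCE tag
        raise ValueError(f"{label} body is not a DER SEQUENCE")
    return len(der)

# Constructed sample values, not taken from a real deployment.
SAMPLE_SERVERS = "ekm1.example.com,192.0.2.10:5697"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(parse_ekm_servers(SAMPLE_SERVERS))
    print(check_pem(SAMPLE_CERT, "CERTIFICATE"))
```

Calling check_pem with the label "EC PRIVATE KEY" on the private key content also catches the case where the certificate and key were swapped between the two options.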

Viewing Current Encryption Configuration

The VAST Web UI displays the current encryption configuration. To view this configuration on a running cluster:

  1. From the left navigation menu, select Settings, Cluster and then KMIP.

  2. The following fields, which are not editable, display the EKM configuration.

    Encryption Type

    Shows the type of encryption enabled on the cluster:

    • CIPHER_TRUST_KMIP. Encryption with keys managed externally on Thales Group CipherTrust Data Security Platform.

    • INTERNAL. Encryption with keys managed internally.

    • No encryption.

    EKM Servers

    The IP addresses and port numbers of the EKM servers, if Encryption Type is CIPHER_TRUST_KMIP.

Managing Encryption Groups and Keys

If encryption is enabled with EKM, an encryption group is required at tenant creation. Multiple tenants can optionally share the same encryption group. The group cannot be changed per tenant after tenant creation.

With the CIPHER_TRUST_KMIP EKM option, in which encryption keys are managed externally on Thales Group CipherTrust Data Security Platform, data is encrypted using a data encryption key per encryption group, which is retrieved when needed from the EKM. VAST Cluster uses a different key, called the key encryption key, to retrieve the data encryption key for a given encryption group. VAST Cluster generates a master key per cluster. The cluster uses the master key to encrypt the data encryption keys when they are retrieved from the EKM and distributed from the cluster node that hosts the encryption service client to other nodes in the cluster.

You can manage encryption keys in the following ways:

Revoking and Reinstating Encryption Keys

Encryption keys can be revoked and reinstated per encryption group. When a key is revoked, it can no longer be used, and data that was written with the revoked key can no longer be accessed unless the key is reinstated.

Revoking and Reinstating Key Encryption Keys from the VAST Web UI

To revoke or reinstate the key encryption key for an encryption group:

  1. From the left navigation menu, select Element Store and then Tenants.

  2. Right click on a tenant that belongs to the encryption group and select either Revoke Encryption Group or Reinstate Encryption Group.

  3. Click Yes to confirm the action.

Revoking and Reinstating Key Encryption Keys from the VAST CLI

To revoke or reinstate encryption keys from the VAST CLI, use the tenant alter-encryption-group-state command.

Rotating Key Encryption Keys

VAST Cluster supports the rotation of key encryption keys by the EKM. Rotating a key encryption key generates a new version of the key encryption key for a given encryption group. You can also manually rotate a key encryption key from the VAST Web UI or the VAST CLI.

Rotating Key Encryption Keys from the VAST Web UI

To rotate a key encryption key for an encryption group:

  1. From the left navigation menu, select Element Store and then Tenants.

  2. Right click on a tenant that belongs to the encryption group and select Rotate Encryption Group.

  3. Click Yes to confirm the action.

Rotating Key Encryption Keys from the VAST CLI

To rotate a key encryption key from the VAST CLI, use the tenant rotate-encryption-group-key command.

Rotating the Master Key

The master key should only be rotated from the cluster and not directly on the EKM.

Rotating the Master Key from the VAST Web UI

  1. From the left navigation menu, select Settings, then Cluster and then KMIP.

  2. Click the Rotate button and then click Yes to confirm the action.

Rotating the Master Key from the VAST CLI

You can rotate the master key using the tenant rotate-encryption-group-key VAST CLI command.

Managing Encryption Key Expiration

Important

VAST Cluster monitors encryption key expiration and issues a critical alarm one week, two days and one day before an encryption key expires on your CipherTrust key manager. In order to retain access to your encrypted data, it is essential to generate a new key version for the encryption group on CipherTrust before the existing key expires.

Enabling Encryption After Installation

Limitations

Enabling encryption on a running cluster (after installation) is supported with the following limitation:

  • It is only possible to enable encryption with internally managed keys. Encryption with externally managed keys can only be enabled at installation.

Impact of Enablement on a Running Cluster

Enabling Encryption during cluster operation triggers a rewrite of all the data and name blocks to ensure that all pre-existing data and name blocks on the cluster are encrypted.

The following are important points to note about the rewrite:

  • All data is typically rewritten during this rewrite, so the impact on storage media endurance is approximately the same as that of deleting all data on the cluster and writing it.

  • The rewrite proceeds as a background task that cannot be paused or stopped. In case of severe performance degradation, it may be possible for VAST Support to throttle the process and reduce the performance impact.

  • The rewrite may take a while, and may impact performance for workloads.

  • If expansions are planned, they should be done prior to enabling encryption so that the rewrite will utilize as many DBoxes as possible and minimize RAID overhead.

  • A combined option is available for enabling DBox High Availability and encryption simultaneously (detailed in the procedures below). If DBox HA is not yet enabled on the cluster and you intend to enable DBox HA, you should choose the combined option to avoid triggering a rewrite twice, once for each feature. See DBox High Availability.

  • DBox expansion is not available while the rewrite is in progress.

Enabling Encryption from the VAST Web UI

  1. In the VAST Web UI, open the Cluster tab of the Settings page. You can reach this by searching at the top left or from the navigation menu on the left of the page.

  2. In the New Features section, click Enable only Encryption, or click Enable Encryption and DBox HA if you also plan to enable DBox High Availability (see DBox High Availability).

    A confirmation prompt is displayed:

    These changes require rewrite and cannot be undone. Rewrite may impact workloads while it is in progress. Stopping rewrite requires support intervention. DBox expansion will not be available during rewrite. Are you sure you want to proceed?

  3. Click Yes if you are sure you would like to proceed.

    The rewrite begins and a progress bar appears at the top right of the page, reporting the current phase of the rewrite as it progresses and the percentage progress.

    When the rewrite is complete, the Enable only Encryption and Enable Encryption and DBox HA buttons, as well as the Enable only DBox HA button if you chose to enable DBox HA as well as encryption, are all disabled. The tooltip for the info icon next to the buttons changes to report that DBox HA and/or encryption is enabled.

Enabling Encryption from the VAST CLI

  1. Run the cluster modify command with the --enable-encryption option, or, if you wish to enable DBox High Availability at the same time, run the command cluster modify --enable-encryption --enable-dbox-ha (see DBox High Availability).

    Note

    Enabling both options at the same time reduces impact on drives and can reduce impact on workloads.

    For encryption without DBox HA:

    vcli: admin> cluster modify --enable-encryption

    For encryption with DBox HA:

    vcli: admin> cluster modify --enable-encryption --enable-dbox-ha

    You are warned:

    Enabling Encryption/DBox HA support triggers a required rewrite of current data. Are you sure you want to proceed? [y/N]

  2. Enter 'y' to confirm that you want to proceed.

    The rewrite begins.

  3. You can now monitor the progress of the rewrite. Enter the command cluster show. The command output includes the following fields:

    • Rewrite-phase. During the rewrite, one of the main phases appears here. The order of the phases is:

      1. INTERNAL_PRE_REWRITE

      2. DATA_REWRITE_PRE

      3. DATA_REWRITE_SCRUB

      4. DATA_REWRITE

      5. LAYOUT_REWRITE_PRE

      6. LAYOUT_REWRITE

      7. FINALIZE

    • Rewrite-progress. This shows the percentage progress of the current phase of the rewrite. When it reaches 100% of the final phase, the rewrite is complete.

      Encryption (and DBox HA capability if applicable) is now fully enabled.