As required by many regulated industries, VAST Cluster can encrypt the data saved on the cluster's storage media (data 'at rest') to protect it from unauthorized use.
When encryption is enabled, all data on each of the cluster's tenants is encrypted and decrypted transparently using 256-bit AES-XTS encryption. VAST Cluster generates two random, unique 256-bit keys at cluster initialization. Keys can be managed internally or by an external key manager (EKM). With the internal key management option, the keys are unique to the cluster.
With the EKM option, keys are unique per encryption group, which can be per cluster, per tenant, per group of tenants, or per encrypted path.
You can encrypt any new path with its own dedicated, individually manageable encryption keys. To do this, create the path as an encrypted path before creating a view that makes the path accessible to clients. A default key per tenant encrypts all other paths on the tenant.
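The following is an added illustration of the two ideas above, not VAST code: per-sector AES-XTS with a key made of two independent 256-bit halves (the data key and the tweak key), plus a small model of the key hierarchy in which each tenant has a default key and an encrypted path carries its own key. It assumes the PyCA cryptography package; the 4 KiB sector size, the little-endian sector-number tweak (the IEEE P1619 convention) and the Tenant class are assumptions for the example, since the page does not describe VAST's internal on-disk format.

```python
"""Per-sector AES-XTS data-at-rest encryption with a per-tenant default key
and dedicated keys for encrypted paths (added example, not VAST code)."""
import secrets
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 4096  # constructed sector size for the demo; must be a multiple of 16


def generate_xts_key() -> bytes:
    """Two independent random 256-bit keys: the first encrypts data blocks, the
    second encrypts the tweak. The library takes them concatenated (64 bytes)."""
    return secrets.token_bytes(32) + secrets.token_bytes(32)


def sector_tweak(sector_number: int) -> bytes:
    """XTS tweak: the 128-bit little-endian sector number (assumed layout), so the
    same plaintext stored in two different sectors yields different ciphertext."""
    return sector_number.to_bytes(16, "little")


def encrypt_sector(key: bytes, sector_number: int, plaintext: bytes) -> bytes:
    enc = Cipher(algorithms.AES(key), modes.XTS(sector_tweak(sector_number))).encryptor()
    return enc.update(plaintext) + enc.finalize()


def decrypt_sector(key: bytes, sector_number: int, ciphertext: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.XTS(sector_tweak(sector_number))).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def ciphertext_depends_on_sector(key: bytes) -> bool:
    """Identical sectors do not produce identical ciphertext (effect of the tweak)."""
    pt = b"\x00" * SECTOR_SIZE
    return encrypt_sector(key, 0, pt) != encrypt_sector(key, 1, pt)


def corrupted_blocks_after_bit_flip(key: bytes) -> int:
    """XTS gives confidentiality, not integrity: flipping one ciphertext bit does
    not raise on decrypt, it silently garbles exactly one 16-byte block. Corruption
    therefore has to be caught by the storage layer's own checksums, not the cipher."""
    pt = bytes(range(256)) * (SECTOR_SIZE // 256)
    ct = bytearray(encrypt_sector(key, 7, pt))
    ct[100] ^= 0x01
    recovered = decrypt_sector(key, 7, bytes(ct))
    return sum(1 for i in range(0, SECTOR_SIZE, 16) if recovered[i:i + 16] != pt[i:i + 16])


class Tenant:
    """Hypothetical model of the key hierarchy described in the text: one default
    key per tenant, plus a dedicated key for each path created as an encrypted path."""

    def __init__(self, name: str):
        self.name = name
        self.default_key = generate_xts_key()
        self.encrypted_paths: dict[str, bytes] = {}

    def create_encrypted_path(self, path: str) -> bytes:
        # Created before any view exposes the path; the key is individually manageable.
        key = generate_xts_key()
        self.encrypted_paths[path.rstrip("/")] = key
        return key

    def key_for(self, path: str) -> bytes:
        """Longest-prefix match against encrypted paths, else the tenant default key."""
        candidates = [p for p in self.encrypted_paths if path == p or path.startswith(p + "/")]
        if not candidates:
            return self.default_key
        return self.encrypted_paths[max(candidates, key=len)]


if __name__ == "__main__":
    tenant = Tenant("tenant1")
    path_key = tenant.create_encrypted_path("/enc/projectA")
    data = b"payroll" * (SECTOR_SIZE // 7) + b"\x00" * (SECTOR_SIZE % 7)
    key = tenant.key_for("/enc/projectA/q1.csv")
    print("dedicated key used:", key == path_key)
    print("round trip ok:", decrypt_sector(key, 42, encrypt_sector(key, 42, data)) == data)
    print("blocks garbled by one flipped bit:", corrupted_blocks_after_bit_flip(key))
```

The bit-flip check is the caveat worth remembering when reading "encrypted at rest": AES-XTS protects the confidentiality of media that leaves your custody, but it does not detect tampering or bit rot; that job belongs to the storage layer's checksums.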
This feature supports the following EKM solutions:
Thales Group CipherTrust Data Security Platform
Fortanix DSM
HashiCorp Vault Enterprise (KMIP Secrets Engine)
Entrust KeyControl
Utimaco
Akeyless
Encryption is disabled by default on the cluster. Encryption can be enabled during cluster installation either with internal key management or with an EKM. After the cluster is installed, encryption can be enabled with internally managed keys, and an EKM can then be applied once encryption is already enabled with internally managed keys.
Enabling encryption with internally managed keys on a running cluster triggers a rewrite. The rewrite process rewrites all data on the cluster with encryption, scrubs any old unencrypted data from the drives, and restripes the data across the drives.
FIPS 140-3 Encryption
VAST Cluster encryption of data at rest is FIPS 140-3 capable.
Limitations
The default tenant does not use keys created or stored within an EKM. To encrypt data within the default tenant with EKM-based keys, using encrypted paths is recommended.