Overview of Encryption of Data at Rest


As required in many regulated industries, VAST Cluster can encrypt the data saved on the cluster's storage media (data 'at rest') to protect it from unauthorized use.

When encryption is enabled, all data on each of the cluster's tenants is encrypted and decrypted transparently using 256-bit AES-XTS encryption. VAST Cluster generates two random, unique 256-bit keys at cluster initialization. Keys can be managed internally or by an external key manager (EKM). With internal key management, the keys are unique to the cluster.

With the EKM option, keys are unique per encryption group, which can be a cluster, a tenant or a group of tenants.

You can encrypt any new path with its own dedicated, individually manageable encryption keys. To do so, create the path as an encrypted path before creating the view that makes it accessible to clients. All other paths on a tenant are encrypted with the tenant's default key.
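
As an added illustration of the 256-bit AES-XTS construction described above (the two 256-bit keys are the XTS data key and tweak key) and of why a path with its own key pair is cryptographically isolated from the tenant default, here is a minimal XTS-AES-256 data-unit cipher in Go using only the standard library. It is example code written for this page, not VAST's implementation; it assumes a 64-bit sector index as the tweak and 16-byte-aligned data units (ciphertext stealing for odd-length tails is left out).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// XTS pairs the two AES-256 block ciphers XTS-AES needs: k1 for data blocks, k2 for the tweak.
type XTS struct{ k1, k2 cipher.Block }
// NewXTS builds an XTS-AES-256 instance from two independent 32-byte keys.
func NewXTS(key1, key2 []byte) (*XTS, error) {
	if len(key1) != 32 || len(key2) != 32 || string(key1) == string(key2) {
		return nil, errors.New("xts: two distinct 32-byte keys required")
	}
	k1, _ := aes.NewCipher(key1) // lengths validated above, so NewCipher cannot fail
	k2, _ := aes.NewCipher(key2)
	return &XTS{k1, k2}, nil
}
// mulAlpha multiplies the little-endian 128-bit tweak by alpha in GF(2^128) (IEEE 1619; reduce by 0x87).
func mulAlpha(t []byte) {
	lo, hi := binary.LittleEndian.Uint64(t), binary.LittleEndian.Uint64(t[8:])
	binary.LittleEndian.PutUint64(t[8:], hi<<1 | lo>>63)
	binary.LittleEndian.PutUint64(t, lo<<1 ^ (hi>>63)*0x87)
}
// crypt runs block (AES_k1 encrypt or decrypt) over one data unit; unit is the sector index seeding the tweak.
func (x *XTS) crypt(unit uint64, in []byte, block func(dst, src []byte)) ([]byte, error) {
	if len(in) == 0 || len(in)%16 != 0 {
		return nil, errors.New("xts: length must be a non-zero multiple of 16 (no ciphertext stealing)")
	}
	t := make([]byte, 16)
	binary.LittleEndian.PutUint64(t, unit)
	x.k2.Encrypt(t, t) // T = AES_k2(unit); block j of the unit uses T * alpha^j
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += 16 {
		b := out[off : off+16]
		for j := range b {
			b[j] = in[off+j] ^ t[j] // C = AES_k1(P xor T) xor T
		}
		block(b, b)
		for j := range b {
			b[j] ^= t[j]
		}
		mulAlpha(t)
	}
	return out, nil
}
func (x *XTS) Encrypt(unit uint64, pt []byte) ([]byte, error) { return x.crypt(unit, pt, x.k1.Encrypt) }
func (x *XTS) Decrypt(unit uint64, ct []byte) ([]byte, error) { return x.crypt(unit, ct, x.k1.Decrypt) }
```

Because the tweak binds each ciphertext block to its sector and block position, identical plaintext stored at two locations encrypts differently, and data written under one key pair cannot be recovered with another.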

This feature supports the following EKM solutions:

  • Thales Group CipherTrust Data Security Platform

  • Fortanix DSM

  • HashiCorp Vault Enterprise

  • Entrust KeyControl

  • Akeyless

Notice

Entrust KeyControl and Akeyless are supported from VAST Cluster 5.3.2.

Encryption is disabled by default. It can be enabled at cluster creation when installing a new cluster. Encryption with internal management of encryption keys can also be enabled on a running cluster. If encryption is enabled on a running cluster after installation, a rewrite is triggered automatically: all data on the cluster is rewritten with encryption, the drives are scrubbed of any old unencrypted data, and the data is restriped across the drives.

FIPS 140-3 Encryption

VAST Cluster encryption of data at rest is FIPS 140-3 capable. 

Limitations

Note

  • External generation of keys is not supported. 

  • External management of keys is supported only if enabled at cluster installation.