Encryption

BrickStor SP allows both hardware and software encryption. Hardware encryption requires use of the Self Encrypting Drives (SED) and software encryption can be additionally used by creating encrypted datasets. In both cases BrickStor SP manages encryption keys using a key manager.

Encryption and key management

BrickStor SP provides an internal key manager that generates and securely stores data encryption keys. The keys can be replicated to other BrickStor SP system(s) to provide one or more backup copies. The keys can also be exported/imported using a password protected file. Always be sure to keep one or more copies of the data encryption keys in safe place. The data cannot be recovered should the original keys are lost. Internal key manager allows automatic key rotation on a configurable interval but for Self-Encrypting Drives (SED) only. When using this feature be sure to configure at least one peer to replicate encryption keys for redundancy. BrickStor SP also supports using an external key manager such as Fornetix or Safenet. Other KMIP based solution could also work but are not guaranteed.

Export encryption keys

To export all encryption keys on the system to a password protected file, follow the steps below:

  1. Navigate to the Encryption page.

  2. Click Export Encryption Keys, located at the top of the page. This will open the Export Encryption Keys dialog.

  3. (Optional) Create and confirm a password for the encryption file. If not specified, be sure to record the autogenerated password after exporting.

  4. (Optional) Name the file.

  5. Click Export. Be sure to keep note of the password and location of this exported encryption key file.

Import encryption keys

To import encryption keys that have been previously exported on a BrickStor SP system, follow the steps below:

  1. Navigate to the Encryption page.

  2. Click Import Encryption Keys, located at the top of the page. This will open the Import Encryption Keys dialog.

  3. Upload the .enc file that was previously exported.

  4. Enter the password for the .enc file that was created upon exporting.

  5. Click Import.

Encryption Best Practices

  • Regularly export the keys from the local key manager and save them in a safe controlled location off the BrickStor SP system. In an HA cluster export and import the keys from both nodes to the other node and then export the keys from one node for backup. This should be done any time new encrypted datasets are created.

  • Import dataset keys to remote systems that are replication targets for fast recovery.

  • Periodically review the drive status report and the dataset encryption report.

  • Manually perform a rekey based on organizational polices for encryption key rotation.

  • Test recovery of files on the replication target to verify access to data during a non-critical time.

Contact RackTop support to enable the unenroll drives feature.

Hardware encryption

BrickStor SP allows using TCG FIPS 140-2/140-3 certified SEDs for increased security. SEDs use 256-bit hardware encryption to protect data at rest by self-locking on demand or when the disks are powered off. Utilizing the SED functionality requires an additional license. This license allows the user to configure, automate, and replicate keys as desired. It also allows for the crypto erase of a disk. BrickStor SP will unlock disks as needed at power-up. DoD-compliant data sanitization of a disk can be done in seconds. This can be done by changing the encryption key for the drive, instantly scrambling all data on the disk. Using SEDs without the proper license will cause disks to operate as standard drives which allows any computer to read/write to the disk.

The hardware encryption requires a TCG license to cover the amount of managed SED drives.

Drive Enrollment

Drive enrollment is required to setup SED encryption on the BrickStor SP. This process will assign a key encryption key (KEK) to a drive, used to unlock the SED. It will also configure the drive to auto lock when power is removed.

To enroll a provisioned drive, follow the steps below:

  1. Navigate to the Rack View page.

  2. Click on the desired drive.

  3. On the side panel, click SED Enroll. This will cause the SED Enroll dialog to appear.

  4. Click Yes.

If a drive that is already a member of a pool is selected , it will enroll all drives that are a member of that pool.

Cryptographically Erasing SEDs

Crypto erasing is a process which resets the SED drives encryption keys instantly scrambling all data.

Crypto erased drives result in unenrolled state operating as a tradition disk without encrypting any data. To enable encryption, those drives must be enrolled again.

It is a good practice to always crypto erase drives when they are retired. This is also the case when the KEK for a particular drive is lost; a crypto erase is the only option to restore the drive to a usable state.

A drive cannot be crypto-erased if it is part of a pool. The pool must first be exported or destroyed.

To crypto erase a drive, follow the steps below:

  1. Navigate to the Rack View page.

  2. Click on the desired drive.

  3. On the side panel, click Crypto Erase. This will cause the Crypto Erase dialog to appear.

  4. Click Yes.

Software encryption

BrickStor SP allows using FIPS software encryption on the dataset level. Dataset encryption can only be enabled upon the creation of the dataset. Dataset encryption cannot be disabled; the data would need to be migrated to a new dataset with the encryption disabled. To create an encrypted dataset see Creating Datasets to learn more.