Encryption

BrickStor SP supports both hardware and software encryption. Hardware encryption requires the use of Self-Encrypting Drives (SEDs). Software encryption is provided by creating encrypted datasets. In both cases, BrickStor SP manages encryption keys using a key manager.

Encryption and key management

BrickStor SP provides an internal key manager that generates and securely stores data encryption keys. The keys can be replicated to other BrickStor SP system(s) to provide one or more backup copies. The keys can also be exported and imported using a password-protected file.

Always keep one or more copies of the data encryption keys in a safe place. The data cannot be recovered should the original keys be lost.

The internal key manager supports automatic key rotation on a configurable interval, but only for Self-Encrypting Drives (SEDs). When using this feature, be sure to configure at least one peer to replicate encryption keys for redundancy.

BrickStor SP also supports using an external key manager such as Fornetix or SafeNet. Other KMIP-based solutions could also work but are not guaranteed.

Export encryption keys

To export all encryption keys on the system to a password-protected file, follow the steps below:

  1. Navigate to the Encryption page.

  2. Click Export Encryption Keys, located at the top of the page.

  3. (Optional) Create and confirm a password for the encryption file. If not specified, be sure to record the autogenerated password after exporting.

  4. (Optional) Name the file.

  5. Click Export. Be sure to record the password and the location of the exported encryption key file.

Import encryption keys

To import encryption keys that have been previously exported on the BrickStor SP system, follow the steps below:

  1. Navigate to the Encryption page.

  2. Click Import Encryption Keys, located at the top of the page.

  3. Upload the .enc file that was previously exported.

  4. Enter the password for the .enc file that was created upon exporting.

  5. Click Import.

Encryption best practices

  • Regularly export the keys from the local key manager and save them in a safe, controlled location off the BrickStor SP system. This should be done any time new encrypted datasets are created.

  • Enable key replication between system peers.

  • Periodically review the drive status report and the dataset encryption report.

  • Manually perform a rekey based on organizational policies for encryption key rotation.

  • Test recovery of files on the replication target to verify access to data during a non-critical time.

Contact RackTop support to enable the unenroll drives feature.

Configure key replication

Key Sync allows encryption keys to be replicated to a BrickStor SP system peer. Before Key Sync can be configured, the BrickStor SP systems must be configured as system peers in both directions. See configuring system peers for more information.

To have all encryption keys automatically replicated to the BrickStor SP system peer, follow the steps below:

  1. Navigate to the System Peers page.

  2. Click the action cog (Gear) next to the desired peer connection.

  3. Select Configure Key Sync on the dropdown menu.

  4. Select All keys (dataset, SED, etc.) for Encryption keys to sync.

  5. Choose the desired key backup policy.

  6. Click Configure.

Hardware encryption

BrickStor SP supports FIPS 140-2/140-3 certified SEDs for increased security. SEDs use 256-bit hardware encryption to protect data at rest by self-locking on demand or when the disks are powered off. BrickStor SP unlocks disks as needed upon powering on.

Using the SED functionality requires an additional license. This license allows the user to configure, automate, and replicate keys as desired. It also allows the disk to be crypto erased.

DoD-compliant data sanitization of a disk can be done in seconds by changing the encryption key for the drive, which instantly scrambles all data on the disk.

Drive enrollment

Drive enrollment is required to set up SED encryption on the BrickStor SP. This process assigns a key encryption key (KEK) to a drive, which is used to unlock the SED. It also configures the drive to auto-lock when power is removed.

To enroll a provisioned drive, follow the steps below:

  1. Navigate to the Rack View page.

  2. Click on the desired drive.

  3. On the side panel, click SED Enroll.

  4. Click Yes on the dialog.

If the selected drive is already a member of a pool, all drives that are members of that pool will be enrolled.

Cryptographically erasing SEDs

Crypto erasing is a process that resets the SED’s encryption keys, instantly scrambling all data.

A crypto-erased drive is left in an unenrolled state and operates as a traditional disk, without encrypting any data. To enable encryption, the drive must be enrolled again.

It is good practice to always crypto erase drives when they are retired. A crypto erase is also required when the KEK for a particular drive is lost; it is the only option to restore the drive to a usable state.

A drive cannot be crypto erased if it is part of a pool. The pool must first be exported or destroyed.

To crypto erase a drive, follow the steps below:

  1. Navigate to the Rack View page.

  2. Click on the desired drive.

  3. On the side panel, click Crypto Erase.

  4. Click Yes on the dialog.

Software encryption

BrickStor SP supports FIPS software encryption at the dataset level. Dataset encryption can only be enabled when the dataset is created. Dataset encryption cannot be disabled; the data would need to be migrated to a new dataset with encryption disabled. See Creating Datasets to learn more.