Flash Storage​

 View Only

How to Enable Data at Rest Encryption (D@RE) in VSP One Block 20 Series from VSP One Block Administrator

By Prasenjit Chatterjee posted 30 days ago

  

Introduction

The data-at-rest encryption feature, called Encryption License Key, protects your sensitive data against breaches associated with storage media, such as loss or theft. The Encryption License Key feature provides controller-based encryption, along with the following benefits:

 

  • ·        Hardware-based Advanced Encryption Standard (AES) encryption using 256-bit keys in XTS mode of operation, is provided.
  • ·        Encryption can be applied to some or all supported internal drives.
  • ·        Each encrypted internal drive is protected with a unique Data Encryption Key (DEK).
  • ·        Encryption has negligible effects on I/O throughput and latency. 

This blog shows how to enable encryption at the parity group level while creating a pool for storing new data by using Virtual Storage Platform One Block (VSP One Block) Administrator.

Prerequisites

Before enabling Data at Rest Encryption in VSP One Block 20, ensure that you have the following:

  • ·        An encryption license key
  • ·        A REST API Client to run PFREST queries
  • Note: VSP One Block 20 supports CPU-based encryption; therefore, no dedicated hardware, such as Encryption DKB, is required.

Workflow

Enabling Data at Rest Encryption in VSP One Block 20 includes the following high-level steps:

1.     Preparing the encryption environment.

2.   Enabling the encryption environment settings.

3.     Backing up the encryption keys.

4.     Enabling encryption at the parity group level while creating a pool from VSP One Block Administrator.

Preparing the Encryption Environment

1. From VSP One Block Administrator, verify the existing encryption environment settings as follows:

The Encryption Environmental Settings page opens and shows the existing Encryption settings.

 

2. Besides GUI, encryption settings can also be checked via API (PFREST) command. To verify the existing encryption settings, run the following API (PFREST) command:

curl -k  -H "Accept:application/json" -H "Content-Type:application/json" -u <user_id>:<password>  -X GET https://<service_IP>/ConfigurationManager/v1/objects/encryption-settings/instance

The output shows that encryption is disabled in the storage system.

Enabling the Encryption Environment Settings

1. Enable encryption settings using the following API (PFREST) query: 

curl -k  -H “Accept:application/json” -H “Content-Type:application/json” -u <user_id>:<password>  -X PATCH –data-binary @./EnableEncrypt.json https://<service_IP>/ConfigurationManager/v1/objects/encryption-settings/instance

//Content of the EnableEncrypt.json file

{

      "isEnabled": true

}

// Status of the above job

 An Encryption Key is generated for each drive if encryption is enabled successfully.

2. From VSP One Block Administrator, retrieve the encryption key information.

 

The following screenshot shows that a total of 24 encryption keys were generated and assigned to 24 drives because the storage system has 24 drives.    

         

Backing up the Encryption Keys

Back up all encryption keys by using the following API (PFREST) query:

 

curl -v -k -H "Accept:application/octet-stream" -H "Content-Type:application/json" -u <user_id>:<password>  -X POST --data-binary @./EncryptPasswd.json      https://<service_ip>/ConfigurationManager/v1/objects/encryption-keys/file/actions/backup/invoke -o "backupfile.ekf"

//Content of the EncryptPasswd.json file

 

{

    "parameters": {

        "password": "DEncp@ssword"……..Note: Minimum password length must be 12.

    }

}

Note: The password used during the backup must be used during key restoration as well.

 

The following screenshot shows that the encryption keys were backed up in the backup file backupfile.ekf:

Enabling Encryption at the Parity Group level while creating a Pool from VSP One Block Administrator

From VSP One Block Administrator, create a pool by enabling Encryption.

The Pool with Encryption is created successfully:

Note: VSP One Block Administrator creates a parity group and allows you to enable or disable encryption settings based on your input. Therefore, while creating a pool, enable or disable encryption as required.

Conclusion

Data At Rest Encryption is one of the vital features for storage system data security. This blog showed the end-to-end process for enabling encryption from VSP One Block Administrator.

1 comment
22 views

Permalink

Comments

28 days ago

Very Useful information.