About the data-at-rest encryption features
The VSP G series and VSP F series storage systems provide data-at-rest encryption that protects your sensitive data against breaches associated with storage media (for example, loss or theft). These features, known as Encryption License Key and FMD Encryption License Key (VSP F1500 and VSP G1500 only), include hardware-based encryption implementations as well as integrated key management functionality that can also use third-party key management solutions through the OASIS Key Management Interoperability Protocol (KMIP).
The data-at-rest encryption features provide the following benefits:
- Hardware-based Advanced Encryption Standard (AES) encryption, using 256-bit keys in the XTS mode of operation, is provided for open and mainframe systems.
- Encryption can be applied to some or all supported internal drives (HDD, SSD, FMD).
- Each encrypted internal drive is protected with a unique data encryption key.
- Encryption has negligible effects on I/O throughput or latency.
- Encryption requires little to no disruption of existing applications and infrastructure.
- Cryptographic erasure (media sanitization) of data is performed when an internal encrypted drive is removed from the storage system.
Encryption License Key
In Encryption License Key, the encryption back-end director (EBED) encrypts data using the data encryption key allocated to each drive and then writes the encrypted data to the drive. When encrypted data is read, the EBED decrypts it before returning it. To use Encryption License Key, the software license key and EBEDs are required.
FMD Encryption License Key
In FMD Encryption License Key, the FMD-HDE drives generate and retain the media encryption keys and perform the encryption and decryption of data themselves. The media encryption keys used by the FMD-HDE drives are encrypted internally, and they cannot be viewed or exported. After successful certification using a certification key, data can be written to and read from these drives. To use FMD Encryption License Key, the software license key and FMD-HDE drives* are required.
The FMD Encryption License Key feature enables you to encrypt the data in accelerated compression-enabled parity groups. The following table shows the combinations of encryption and accelerated compression that are supported.
| Drive type | Accelerated compression | Encryption License Key | FMD Encryption License Key |
|---|---|---|---|
| FMD DC2, FMD HD | Enabled | Not recommended* | Not supported |
| FMD DC2, FMD HD | Disabled | Supported | Not supported |
| FMD-HDE | Enabled | Not supported | Supported |
| FMD-HDE | Disabled | Not supported | Supported |

\* If you are planning to enable controller-based encryption (Encryption License Key) on a parity group that consists of FMD DC2 or FMD HD drives, you should not enable accelerated compression on that parity group. If you want to enable controller-based encryption on a parity group of FMD DC2 or FMD HD drives for which accelerated compression is already enabled, you must disable accelerated compression before the parity group can be encrypted.
