KMIP and Self-Encrypting Drive Support in QuantaStor 5.11

The latest version of QuantaStor introduces support for two important security features: KMIP and hardware encryption via SED media.

Key Management Interoperability Protocol (KMIP) is an extensible communication protocol for managing security keys that has been developed and standardized by the OASIS standards body.

SED media compliant with the TCG Opal/Ruby standards, such as the latest NVMe devices, can now be used to create both scale-up and scale-out Storage Pools. We see about a 30% boost in performance with SED media versus AES-NI accelerated software encryption.

How does QuantaStor integrate with KMIP?

QuantaStor integrates with KMIP via a new feature called Key Server Profiles. Key Server Profiles contain the IP, certificates, and credentials for communicating with a KMIP Server.

When an encrypted Storage Pool is created, one can optionally select a Key Server Profile to use for key management; this works for both software and hardware encryption.

Whenever a system is rebooted or a Storage Pool is started, QuantaStor communicates with the KMIP server to access the keys and unlock the media.

QuantaStor supports hardware encryption when used with TCG Opal 2 or Ruby compliant SED media, both of which are common on the latest generation of SSDs and NVMe devices. QuantaStor also supports software encryption, which is hardware accelerated using AES-NI.

Adding new KMIP servers to a QuantaStor storage grid is done by adding a Key Server Profile. Multiple KMIP servers may be added and may be used by both scale-up and scale-out storage pools.

What is a Self-Encrypting Drive (SED)?

Most new NVMe SSDs and even many older SAS and SATA SSDs have built-in data encryption capabilities. HDDs with built-in data encryption capabilities are usually special enterprise models. Media with encryption hardware built in are referred to as having Self-Encrypting Drive (SED) and/or Full-Drive Encryption (FDE) features, and devices with these features also universally support Instant Secure Erase.

When looking for SED media, look at the vendor specifications for the device and make sure that it is Opal or Ruby compliant. These are the names of the SED standards developed by the Trusted Computing Group (TCG).

How do SED devices work?

Data is encrypted using an encryption algorithm, most commonly AES-256, the algorithm most widely used to encrypt and decrypt data. SED devices have this logic built into a chip in the media. Modern CPUs from Intel and AMD also have special hardware instructions for encryption and decryption; most web browsers leverage them, so you’re probably using them right now.

Encryption is done using a unique encryption key generated with special random number generation logic to ensure the key is unique. The trouble with encrypting data is that changing the data encryption key is expensive: all the data encrypted with the old key must be decrypted with it and re-encrypted with the new key, which can be very time consuming.

For this reason, data encryption systems typically use a system of two keys, and this is the case with SED media as well. The Key Encryption Key (KEK) is a special key used only to decrypt the Data Encryption Key (DEK), and the DEK is the key that actually encrypts and decrypts the data on the device.

A good analogy is the lockbox a real estate agent puts on the door of a house, which holds the key to the house. Agents just use their code to open the lockbox (i.e., the KEK) and get the house key (the DEK), which lets them unlock the door and show the house.

SED devices have tamper-proofing systems so that if anyone tries to disassemble the hardware to get at the DEK, it simply gets cleared. With this two-key system, the KEK can be changed at any time and the data doesn’t need to be re-encrypted because the DEK doesn’t change. Also, clearing the DEK and generating a new one is essentially a fast way to securely erase the entire device. You’ll see this listed as the ISE or Instant Secure Erase feature in the device’s specification; ISE is essentially just clearing the DEK and generating a new one.
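The three properties described above (unlocking needs the KEK, rotating the KEK leaves the encrypted data untouched, and discarding the DEK makes the data unrecoverable) can be shown in a few dozen lines. The following is an added example written for this post; it is not QuantaStor code and not a drive vendor's firmware. AES-256-GCM from Go's standard library stands in for the drive's hardware AES engine and for whatever wrapping format a given vendor uses, the Drive type and its methods are assumptions of the model, and the sample data block is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Model of the two-key scheme: a random DEK encrypts the user data on the
// device; the KEK only ever encrypts (wraps) the DEK. AES-256-GCM is used for
// both roles here as a stand-in for the drive's hardware engine.

const keyLen = 32 // AES-256

// sealAEAD encrypts plaintext under key with a fresh random nonce and returns
// nonce || ciphertext || tag.
func sealAEAD(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAEAD reverses sealAEAD; it fails on a wrong key or any tampering.
func openAEAD(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Drive models the on-media state: user data encrypted under the DEK, plus the
// DEK wrapped under the current KEK. The plaintext DEK is never stored.
type Drive struct {
	data       []byte // user data encrypted under the DEK
	wrappedDEK []byte // DEK encrypted under the KEK
}

func randomKey() ([]byte, error) {
	k := make([]byte, keyLen)
	_, err := rand.Read(k)
	return k, err
}

// NewDrive provisions a drive: generate a DEK, encrypt the data, wrap the DEK.
func NewDrive(kek, plaintext []byte) (*Drive, error) {
	dek, err := randomKey()
	if err != nil {
		return nil, err
	}
	data, err := sealAEAD(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAEAD(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Drive{data: data, wrappedDEK: wrapped}, nil
}

// Unlock unwraps the DEK with the supplied KEK and decrypts the data. This is
// the step that runs when a pool starts and the KEK arrives from key management.
func (d *Drive) Unlock(kek []byte) ([]byte, error) {
	dek, err := openAEAD(kek, d.wrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unlock failed (wrong KEK or DEK replaced): %w", err)
	}
	return openAEAD(dek, d.data)
}

// RotateKEK rewraps the existing DEK under a new KEK. The bulk data is untouched.
func (d *Drive) RotateKEK(oldKEK, newKEK []byte) error {
	dek, err := openAEAD(oldKEK, d.wrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := sealAEAD(newKEK, dek)
	if err != nil {
		return err
	}
	d.wrappedDEK = wrapped
	return nil
}

// InstantSecureErase discards the DEK by replacing it with a fresh one. Nothing
// already on the media is overwritten, yet none of it can be decrypted again.
func (d *Drive) InstantSecureErase(kek []byte) error {
	dek, err := randomKey()
	if err != nil {
		return err
	}
	wrapped, err := sealAEAD(kek, dek)
	if err != nil {
		return err
	}
	d.wrappedDEK = wrapped
	return nil
}

// DataUnchanged reports whether the stored ciphertext still equals snapshot.
func (d *Drive) DataUnchanged(snapshot []byte) bool {
	return bytes.Equal(d.data, snapshot)
}

func main() {
	kek1, _ := randomKey()
	kek2, _ := randomKey()
	drive, _ := NewDrive(kek1, []byte("constructed sample block")) // constructed data
	before := append([]byte(nil), drive.data...)
	_ = drive.RotateKEK(kek1, kek2)
	pt, err := drive.Unlock(kek2)
	fmt.Printf("after KEK rotation: %q err=%v, ciphertext rewritten: %v\n", pt, err, !drive.DataUnchanged(before))
	_ = drive.InstantSecureErase(kek2)
	_, err = drive.Unlock(kek2)
	fmt.Println("after ISE, old data recoverable:", err == nil)
}
```

Note that after InstantSecureErase the drive still unwraps a DEK cleanly with the current KEK; Unlock fails only because the data on the media was sealed under the previous DEK, which is exactly why a crypto-erase is instant: no sectors are rewritten.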

Summary

With SED hardware encryption, organizations can now get the full performance of their storage media, reduce the load on their CPUs, and improve their overall security. This is also helpful for organizations that need to comply with security standards like HIPAA, where encryption of data at rest is required.

Along with using SED media, larger organizations should look at centralizing the management of their encryption keys with a KMIP compatible Key Management Server. This makes it much easier to control systems from a security perspective, back up encryption keys, and enforce rules around strong encryption for the whole organization.

QuantaStor 5.11 with support for KMIP and SED media will be generally available in mid-November. For more information on QuantaStor, visit osnexus.com. To download QuantaStor to try out the new SED and KMIP features, go to osnexus.com/freetrial.



Categories: Storage Appliance Hardware