SlideShare a Scribd company logo

Nexsan_E-Series Encryption at Rest SED_US_Eng

D
Deborah Lindquist
1 of 5
Download to read offline
WHITEPAPER E-SERIES ENCRYPTION
WHITEPAPER 2 Imation Corp. 1 Imation Way, Oakdale, MN 55128-3414 | p. 651.704.4000 f. 651.537.4675 | www.imation.com/nexsan © Imation Corp. Nexsan, the Nexsan logo, E-Series, FASTier, E-Centre and NestOS are trademarks of Imation Corp. All other trademarks are property of their respective owners. (Rev. 09/11/15) INTRODUCTION This paper describes the use-cases and implementation of self-encrypting drive (SED) support in the E-Series V software, implemented in version R011.1204 and later. SEDs can provide protection for data when drives leave the control of the user, whether intentionally or if stolen. As a consequence of encryption, data can also be securely erased in the event of repurposing of a drive or set of drives. OVERVIEW E-Series software supports SEDs to provide data-at-rest protection of user data on supported SAS HDDs or SSDs, once a drive has left the control of the user. This is enabled on a per-RAID set basis, and the complete system can include both SED and non-SED arrays. All drives in an encrypted array must be SEDs. It is possible to enable or disable array encryption at any time, without affecting the user data on the system. SED OVERVIEW SEDs are available from all major HDD and SSD vendors. A SED always performs encryption of all data as it is written to the media, regardless of any system or user involvement. At manufacturing time (or on demand) the drive creates a Data Encryption Key (DEK) that it stores internally to the drive, and it uses this key to encrypt and decrypt all data as it is written or read. By default, all SEDs operate identically to a non-SED drive, and can be used in non-SED mode. Since all encryption is handled in hardware, there is no performance impact to using the encryption feature. To use the drive in a secure mode, it is necessary to lock the drive. To do this, an Authentication Key (AK) is created by the drive management software (controller software in the case of E-Series V). This AK is used to encrypt the DEK, which is also typically changed at the time of locking. For more details on this process, refer to page 4.
WHITEPAPER 3 Imation Corp. 1 Imation Way, Oakdale, MN 55128-3414 | p. 651.704.4000 f. 651.537.4675 | www.imation.com/nexsan © Imation Corp. Nexsan, the Nexsan logo, E-Series, FASTier, E-Centre and NestOS are trademarks of Imation Corp. All other trademarks are property of their respective owners. (Rev. 09/11/15) USE CASES There are a number of common use cases for SEDs, all associated with protecting data in various situations. The most typical use cases are described below. All drives in an encrypted array must be SEDs. It is possible to enable or disable array encryption at any time, without affecting the user data on the system. PROTECTION OF DATA ON DRIVES RETURNED FOR RMA When drives fail in an array during the warranty period, they are typically returned to the manufacturer for replacement. Often, data is still present and recoverable on the drives. Even drives that have been used in a RAID level that uses striping can have significant amount of recoverable user data, since the large stripe sizes used are sufficient to contain large fragments of files or databases. If these drives are part of an encrypted array, then any data on them is not accessible without the key, which is not stored on the drive. Therefore access to the drive’s user data is prevented. PROTECTION OF DATA ON STOLEN DRIVES If one or more drives from an encrypted array are stolen, then any data on them is not accessible without the key, which is not stored on any of the drives. This prevents access to the user data. Note that physical or administrative access to the complete system including the controllers does not protect from unauthorized access, since the storage system controller automatically unlocks the drives once the system is powered on. Appropriate security practices must still be employed to secure data path access to the storage system. DRIVE RETIREMENT OR REPURPOSING If an encrypted array of drives is deleted, part of the deletion process ensures the drive’s encryption key (DEK) is changed. This immediately ensures that the contents of the drive cannot be read, and the drive can be safely repurposed or removed from the system with no risk of exposing previous user data. An individual unused drive can also have its encryption key (DEK) changed to perform a secure erase. Without SEDs, drive retirement can take a significant amount of time to overwrite the data, and there is no guarantee that all data is erased. Secure warehousing of the drive is expensive and means the drive cannot be reused and physical destruction before the end of its useful life is wasteful. SECURE SHIPMENT Company mergers and consolidation can often lead to a requirement to move storage systems between datacenters. This poses a challenge where confidential data is stored on the drives. Using SEDs, it is possible to securely ship the drives without using secure shipping solutions and incurring the associated additional shipment costs. To ensure security of the data if drives are stolen in transit, controllers that contain the keys must be shipped separately.
WHITEPAPER 4 Imation Corp. 1 Imation Way, Oakdale, MN 55128-3414 | p. 651.704.4000 f. 651.537.4675 | www.imation.com/nexsan © Imation Corp. Nexsan, the Nexsan logo, E-Series, FASTier, E-Centre and NestOS are trademarks of Imation Corp. All other trademarks are property of their respective owners. (Rev. 09/11/15) DRIVE UNLOCKING The diagram below illustrates the process of unlocking and accessing data on a locked SED. The E-Series software automatically unlocks an array when it is powered on, so no additional user interaction is required to use the array encryption functionality. The drive stores the encrypted copy of the DEK internally, and uses the AK to validate whether to unlock the drive. Once unlocked, the drive remains unlocked until it is powered off. Every time the system needs to unlock the drive, it must provide the AK. The AK can be changed at any time, and since it is only used to encrypt the DEK, the underlying data remains unaffected. For ease of management, the same AK may be used for a number of drives. The drive does not store the AK internally, it stores a hash of the AK to use for validation, and once the AK is validated, it uses the provided AK to decrypt the DEK. Yes No 3 Drive Remains Locked Encrypted DataDecrypt Ecryption Key Send Authentication Key to drive 2 Authenticated ? Clear Data 1 4 1. The controller sends the Authentication Key (AK) to the drive. 2. The drive hashes the authentication key and compares it with its stored hash to validate. 3. If the authentication is validated, the drive uses the provided authentication key to decrypt the DEK, stored on the drive media. 4. From this point, the drive automatically encrypts and decrypts all data passing through it. 1 2 3 4
WHITEPAPER 5 Imation Corp. 1 Imation Way, Oakdale, MN 55128-3414 | p. 651.704.4000 f. 651.537.4675 | www.imation.com/nexsan © Imation Corp. Nexsan, the Nexsan logo, E-Series, FASTier, E-Centre and NestOS are trademarks of Imation Corp. All other trademarks are property of their respective owners. (Rev. 09/11/15) REFERENCES Trusted Computing Group (TCG) SED specifications: http://www.trustedcomputinggroup.org/solutions/data_protection ABOUT IMATION Imation is a global data storage and information security company. Imation’s Nexsan portfolio features solid-state optimized unified hybrid storage systems, secure automated archive solutions and high-density enterprise storage arrays. Nexsan solutions are ideal for mission-critical IT applications such as virtualization, cloud, databases, and collaboration; and energy efficient, high-density storage for backup and archiving. There are more than 11,000 customers of Nexsan solutions worldwide with more than 33,000 systems deployed since 1999. Nexsan systems are delivered through a worldwide network of cloud service providers, value-added resellers and solutions integrators. For more information, visit www.imation.com/nexsan. KEY GENERATION AND STORAGE The per-array authentication key (AK) is generated internally on the controller, and is stored in a private area on each controller. For redundancy, this is mirrored in the partner controller, so the system can automatically unlock the array in the event of controller failure. A replacement controller will automatically have the necessary keys installed. When an encrypted array is created or an array’s AK is changed, it is strongly recommended to download and make a backup of the key. This key should be securely stored in compliance with the user’s normal security practices, and a fresh backup made as it is changed. The AK can be changed at any time, if this is necessary for compliance with security practices. Whenever a key is created or changed, the user is prompted to download the key file for storage. Access to this file should be restricted to ensure the keys are kept private.

Recommended

TP564_DriveTrust_Oct06
TP564_DriveTrust_Oct06TP564_DriveTrust_Oct06
TP564_DriveTrust_Oct06Tyson Supasatit
 
Symantec Backup Exec 2014 licensing guide
Symantec Backup Exec 2014 licensing guideSymantec Backup Exec 2014 licensing guide
Symantec Backup Exec 2014 licensing guideSymantec
 
Nexsan products overview / Nexsan perspectiva de productos
Nexsan products overview / Nexsan perspectiva de productosNexsan products overview / Nexsan perspectiva de productos
Nexsan products overview / Nexsan perspectiva de productosSuministros Obras y Sistemas
 
Returnil 2010
Returnil 2010Returnil 2010
Returnil 2010Rose Banioki
 
2018 Infortrend All Flash Arrays Introduction (GS3025A)
2018 Infortrend All Flash Arrays Introduction (GS3025A)2018 Infortrend All Flash Arrays Introduction (GS3025A)
2018 Infortrend All Flash Arrays Introduction (GS3025A)infortrendgroup
 
recovery-series-family-datasheet 2015
recovery-series-family-datasheet 2015recovery-series-family-datasheet 2015
recovery-series-family-datasheet 2015Michael Standen
 
Configuring a highly available Microsoft Exchange Server 2013 environment on ...
Configuring a highly available Microsoft Exchange Server 2013 environment on ...Configuring a highly available Microsoft Exchange Server 2013 environment on ...
Configuring a highly available Microsoft Exchange Server 2013 environment on ...Principled Technologies
 
Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010lincolng
 

Recommended

TP564_DriveTrust_Oct06
TP564_DriveTrust_Oct06TP564_DriveTrust_Oct06
TP564_DriveTrust_Oct06Tyson Supasatit
 
Symantec Backup Exec 2014 licensing guide
Symantec Backup Exec 2014 licensing guideSymantec Backup Exec 2014 licensing guide
Symantec Backup Exec 2014 licensing guideSymantec
 
Nexsan products overview / Nexsan perspectiva de productos
Nexsan products overview / Nexsan perspectiva de productosNexsan products overview / Nexsan perspectiva de productos
Nexsan products overview / Nexsan perspectiva de productosSuministros Obras y Sistemas
 
Returnil 2010
Returnil 2010Returnil 2010
Returnil 2010Rose Banioki
 
2018 Infortrend All Flash Arrays Introduction (GS3025A)
2018 Infortrend All Flash Arrays Introduction (GS3025A)2018 Infortrend All Flash Arrays Introduction (GS3025A)
2018 Infortrend All Flash Arrays Introduction (GS3025A)infortrendgroup
 
recovery-series-family-datasheet 2015
recovery-series-family-datasheet 2015recovery-series-family-datasheet 2015
recovery-series-family-datasheet 2015Michael Standen
 
Configuring a highly available Microsoft Exchange Server 2013 environment on ...
Configuring a highly available Microsoft Exchange Server 2013 environment on ...Configuring a highly available Microsoft Exchange Server 2013 environment on ...
Configuring a highly available Microsoft Exchange Server 2013 environment on ...Principled Technologies
 
Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010lincolng
 
Date Guard Remote Backup
Date Guard Remote BackupDate Guard Remote Backup
Date Guard Remote BackupThecus Technology Corp.,
 
Webinář: Provozujte datacentrum v kanceláři (Dell VRTX) / 5.9.2013
Webinář: Provozujte datacentrum v kanceláři (Dell VRTX) / 5.9.2013Webinář: Provozujte datacentrum v kanceláři (Dell VRTX) / 5.9.2013
Webinář: Provozujte datacentrum v kanceláři (Dell VRTX) / 5.9.2013Jaroslav Prodelal
 
Raid the redundant array of independent disks technology overview
Raid the redundant array of independent disks technology overviewRaid the redundant array of independent disks technology overview
Raid the redundant array of independent disks technology overviewIT Tech
 
E56576 01
E56576 01E56576 01
E56576 01Wilfred Mbithi Luvai
 
Introduzione alla nuova famiglia di NAS SnapServer
Introduzione alla nuova famiglia di NAS SnapServerIntroduzione alla nuova famiglia di NAS SnapServer
Introduzione alla nuova famiglia di NAS SnapServerPaolo Rossi
 
Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage
Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage
Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage EMC
 
it's time for data recovery company to upgrade your imaging tool
it's time for data recovery company to upgrade your imaging toolit's time for data recovery company to upgrade your imaging tool
it's time for data recovery company to upgrade your imaging toolking
 
Field installation guide-v3_1
Field installation guide-v3_1Field installation guide-v3_1
Field installation guide-v3_1Ganesh Joshi Regmi
 
M sata raid_adaptec
M sata raid_adaptecM sata raid_adaptec
M sata raid_adapteclaonap166
 
SafePeak Installation guide
SafePeak Installation guideSafePeak Installation guide
SafePeak Installation guideVladi Vexler
 
RAID
RAIDRAID
RAIDMukesh Tekwani
 
Backup of Data Residing on DSS V6 with Backup Exec
Backup of Data Residing on DSS V6 with Backup ExecBackup of Data Residing on DSS V6 with Backup Exec
Backup of Data Residing on DSS V6 with Backup Execopen-e
 
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...ginniapps
 
OSDC 2012 | Introduction to Eucalyptus by Olivier Renault
OSDC 2012 | Introduction to Eucalyptus by Olivier RenaultOSDC 2012 | Introduction to Eucalyptus by Olivier Renault
OSDC 2012 | Introduction to Eucalyptus by Olivier RenaultNETWAYS
 
Power vault md32xxi deployment guide for v mware esx4.1 r2
Power vault md32xxi deployment guide for v mware esx4.1 r2Power vault md32xxi deployment guide for v mware esx4.1 r2
Power vault md32xxi deployment guide for v mware esx4.1 r2laurentgras
 
ProServer - Direct network attached CD / DVD Server and Loader
ProServer - Direct network attached CD / DVD Server and LoaderProServer - Direct network attached CD / DVD Server and Loader
ProServer - Direct network attached CD / DVD Server and LoaderPrime Array
 
Raid technology
Raid technologyRaid technology
Raid technologyCHANDAN KUMAR
 
Dataguard first apply patch
Dataguard first apply patchDataguard first apply patch
Dataguard first apply patchPalash Sarkar
 
Lenovo-sr550-7x04a00gsg-data-sheet-ntm-jsc I Server Lenovo SR550 Datasheet
Lenovo-sr550-7x04a00gsg-data-sheet-ntm-jsc I Server Lenovo SR550 DatasheetLenovo-sr550-7x04a00gsg-data-sheet-ntm-jsc I Server Lenovo SR550 Datasheet
Lenovo-sr550-7x04a00gsg-data-sheet-ntm-jsc I Server Lenovo SR550 DatasheetMaychuDelltphcm
 
ESM Installation Guide (ESM v6.9.1c)
ESM Installation Guide (ESM v6.9.1c)ESM Installation Guide (ESM v6.9.1c)
ESM Installation Guide (ESM v6.9.1c)Protect724tk
 
Secure deduplication-evault-endpoint-protection
Secure deduplication-evault-endpoint-protectionSecure deduplication-evault-endpoint-protection
Secure deduplication-evault-endpoint-protectionInka Traktman
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
 

More Related Content

What's hot

Webinář: Provozujte datacentrum v kanceláři (Dell VRTX) / 5.9.2013
Webinář: Provozujte datacentrum v kanceláři (Dell VRTX) / 5.9.2013Webinář: Provozujte datacentrum v kanceláři (Dell VRTX) / 5.9.2013
Webinář: Provozujte datacentrum v kanceláři (Dell VRTX) / 5.9.2013Jaroslav Prodelal
 
Raid the redundant array of independent disks technology overview
Raid the redundant array of independent disks technology overviewRaid the redundant array of independent disks technology overview
Raid the redundant array of independent disks technology overviewIT Tech
 
Introduzione alla nuova famiglia di NAS SnapServer
Introduzione alla nuova famiglia di NAS SnapServerIntroduzione alla nuova famiglia di NAS SnapServer
Introduzione alla nuova famiglia di NAS SnapServerPaolo Rossi
 
Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage
Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage
Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage EMC
 
it's time for data recovery company to upgrade your imaging tool
it's time for data recovery company to upgrade your imaging toolit's time for data recovery company to upgrade your imaging tool
it's time for data recovery company to upgrade your imaging toolking
 
M sata raid_adaptec
M sata raid_adaptecM sata raid_adaptec
M sata raid_adapteclaonap166
 
SafePeak Installation guide
SafePeak Installation guideSafePeak Installation guide
SafePeak Installation guideVladi Vexler
 
Backup of Data Residing on DSS V6 with Backup Exec
Backup of Data Residing on DSS V6 with Backup ExecBackup of Data Residing on DSS V6 with Backup Exec
Backup of Data Residing on DSS V6 with Backup Execopen-e
 
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...ginniapps
 
OSDC 2012 | Introduction to Eucalyptus by Olivier Renault
OSDC 2012 | Introduction to Eucalyptus by Olivier RenaultOSDC 2012 | Introduction to Eucalyptus by Olivier Renault
OSDC 2012 | Introduction to Eucalyptus by Olivier RenaultNETWAYS
 
Power vault md32xxi deployment guide for v mware esx4.1 r2
Power vault md32xxi deployment guide for v mware esx4.1 r2Power vault md32xxi deployment guide for v mware esx4.1 r2
Power vault md32xxi deployment guide for v mware esx4.1 r2laurentgras
 
ProServer - Direct network attached CD / DVD Server and Loader
ProServer - Direct network attached CD / DVD Server and LoaderProServer - Direct network attached CD / DVD Server and Loader
ProServer - Direct network attached CD / DVD Server and LoaderPrime Array
 
Dataguard first apply patch
Dataguard first apply patchDataguard first apply patch
Dataguard first apply patchPalash Sarkar
 
Lenovo-sr550-7x04a00gsg-data-sheet-ntm-jsc I Server Lenovo SR550 Datasheet
Lenovo-sr550-7x04a00gsg-data-sheet-ntm-jsc I Server Lenovo SR550 DatasheetLenovo-sr550-7x04a00gsg-data-sheet-ntm-jsc I Server Lenovo SR550 Datasheet
Lenovo-sr550-7x04a00gsg-data-sheet-ntm-jsc I Server Lenovo SR550 DatasheetMaychuDelltphcm
 
ESM Installation Guide (ESM v6.9.1c)
ESM Installation Guide (ESM v6.9.1c)ESM Installation Guide (ESM v6.9.1c)
ESM Installation Guide (ESM v6.9.1c)Protect724tk
 

What's hot (20)

Date Guard Remote Backup
Date Guard Remote BackupDate Guard Remote Backup
Date Guard Remote Backup
 
Webinář: Provozujte datacentrum v kanceláři (Dell VRTX) / 5.9.2013
Webinář: Provozujte datacentrum v kanceláři (Dell VRTX) / 5.9.2013Webinář: Provozujte datacentrum v kanceláři (Dell VRTX) / 5.9.2013
Webinář: Provozujte datacentrum v kanceláři (Dell VRTX) / 5.9.2013
 
Raid the redundant array of independent disks technology overview
Raid the redundant array of independent disks technology overviewRaid the redundant array of independent disks technology overview
Raid the redundant array of independent disks technology overview
 
E56576 01
E56576 01E56576 01
E56576 01
 
Introduzione alla nuova famiglia di NAS SnapServer
Introduzione alla nuova famiglia di NAS SnapServerIntroduzione alla nuova famiglia di NAS SnapServer
Introduzione alla nuova famiglia di NAS SnapServer
 
Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage
Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage
Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage
 
it's time for data recovery company to upgrade your imaging tool
it's time for data recovery company to upgrade your imaging toolit's time for data recovery company to upgrade your imaging tool
it's time for data recovery company to upgrade your imaging tool
 
Field installation guide-v3_1
Field installation guide-v3_1Field installation guide-v3_1
Field installation guide-v3_1
 
M sata raid_adaptec
M sata raid_adaptecM sata raid_adaptec
M sata raid_adaptec
 
SafePeak Installation guide
SafePeak Installation guideSafePeak Installation guide
SafePeak Installation guide
 
RAID
RAIDRAID
RAID
 
Backup of Data Residing on DSS V6 with Backup Exec
Backup of Data Residing on DSS V6 with Backup ExecBackup of Data Residing on DSS V6 with Backup Exec
Backup of Data Residing on DSS V6 with Backup Exec
 
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
 
OSDC 2012 | Introduction to Eucalyptus by Olivier Renault
OSDC 2012 | Introduction to Eucalyptus by Olivier RenaultOSDC 2012 | Introduction to Eucalyptus by Olivier Renault
OSDC 2012 | Introduction to Eucalyptus by Olivier Renault
 
Power vault md32xxi deployment guide for v mware esx4.1 r2
Power vault md32xxi deployment guide for v mware esx4.1 r2Power vault md32xxi deployment guide for v mware esx4.1 r2
Power vault md32xxi deployment guide for v mware esx4.1 r2
 
ProServer - Direct network attached CD / DVD Server and Loader
ProServer - Direct network attached CD / DVD Server and LoaderProServer - Direct network attached CD / DVD Server and Loader
ProServer - Direct network attached CD / DVD Server and Loader
 
Raid technology
Raid technologyRaid technology
Raid technology
 
Dataguard first apply patch
Dataguard first apply patchDataguard first apply patch
Dataguard first apply patch
 
Lenovo-sr550-7x04a00gsg-data-sheet-ntm-jsc I Server Lenovo SR550 Datasheet
Lenovo-sr550-7x04a00gsg-data-sheet-ntm-jsc I Server Lenovo SR550 DatasheetLenovo-sr550-7x04a00gsg-data-sheet-ntm-jsc I Server Lenovo SR550 Datasheet
Lenovo-sr550-7x04a00gsg-data-sheet-ntm-jsc I Server Lenovo SR550 Datasheet
 
ESM Installation Guide (ESM v6.9.1c)
ESM Installation Guide (ESM v6.9.1c)ESM Installation Guide (ESM v6.9.1c)
ESM Installation Guide (ESM v6.9.1c)
 

Similar to Nexsan_E-Series Encryption at Rest SED_US_Eng

Secure deduplication-evault-endpoint-protection
Secure deduplication-evault-endpoint-protectionSecure deduplication-evault-endpoint-protection
Secure deduplication-evault-endpoint-protectionInka Traktman
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
 
Data Backup, Archiving & Disaster Recovery October 2011
Data Backup, Archiving & Disaster Recovery October 2011Data Backup, Archiving & Disaster Recovery October 2011
Data Backup, Archiving & Disaster Recovery October 2011zaheer756
 
EMC Symmetrix Data at Rest Encryption - Detailed Review
EMC Symmetrix Data at Rest Encryption - Detailed Review EMC Symmetrix Data at Rest Encryption - Detailed Review
EMC Symmetrix Data at Rest Encryption - Detailed Review EMC
 
Oracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingOracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingDLT Solutions
 
TECHNICAL WHITE PAPER▶NetBackup 5330 Resiliency/High Availability Attributes
TECHNICAL WHITE PAPER▶NetBackup 5330 Resiliency/High Availability AttributesTECHNICAL WHITE PAPER▶NetBackup 5330 Resiliency/High Availability Attributes
TECHNICAL WHITE PAPER▶NetBackup 5330 Resiliency/High Availability AttributesSymantec
 
Zettaset Elastic Big Data Security for Greenplum Database
Zettaset Elastic Big Data Security for Greenplum DatabaseZettaset Elastic Big Data Security for Greenplum Database
Zettaset Elastic Big Data Security for Greenplum DatabasePivotalOpenSourceHub
 
twp-oracledatabasebackupservice-2183633
twp-oracledatabasebackupservice-2183633twp-oracledatabasebackupservice-2183633
twp-oracledatabasebackupservice-2183633Arush Jain
 
Data Protection Fde Solution Presentation
Data Protection Fde Solution PresentationData Protection Fde Solution Presentation
Data Protection Fde Solution Presentationjuniortstanley
 
Protect data at rest with negligible impact on NVMe disk performance metrics
Protect data at rest with negligible impact on NVMe disk performance metricsProtect data at rest with negligible impact on NVMe disk performance metrics
Protect data at rest with negligible impact on NVMe disk performance metricsPrincipled Technologies
 
Backup exec 2014 deduplication option white paper
Backup exec 2014 deduplication option white paperBackup exec 2014 deduplication option white paper
Backup exec 2014 deduplication option white paperSymantec
 
DataKeeper_SAN-SANLess_Clusters_Windows_Product_Brief(RaxcoBE)
DataKeeper_SAN-SANLess_Clusters_Windows_Product_Brief(RaxcoBE)DataKeeper_SAN-SANLess_Clusters_Windows_Product_Brief(RaxcoBE)
DataKeeper_SAN-SANLess_Clusters_Windows_Product_Brief(RaxcoBE)Peter Vervaene
 
Bloombase transparent at-rest data encryption security for Dell EqualLogic
Bloombase transparent at-rest data encryption security for Dell EqualLogic Bloombase transparent at-rest data encryption security for Dell EqualLogic
Bloombase transparent at-rest data encryption security for Dell EqualLogic Bloombase
 
Sql Server 2016 Always Encrypted
Sql Server 2016 Always EncryptedSql Server 2016 Always Encrypted
Sql Server 2016 Always EncryptedDuncan Greaves PhD
 
EMC for Network Attached Storage (NAS) Backup and Recovery Using NDMP
EMC for Network Attached Storage (NAS) Backup and Recovery Using NDMPEMC for Network Attached Storage (NAS) Backup and Recovery Using NDMP
EMC for Network Attached Storage (NAS) Backup and Recovery Using NDMPEMC
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerDavid Sweigert
 
1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release
1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release
1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software ReleaseIsabella789
 

Similar to Nexsan_E-Series Encryption at Rest SED_US_Eng (20)

Secure deduplication-evault-endpoint-protection
Secure deduplication-evault-endpoint-protectionSecure deduplication-evault-endpoint-protection
Secure deduplication-evault-endpoint-protection
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server Encryption
 
Data Backup, Archiving & Disaster Recovery October 2011
Data Backup, Archiving & Disaster Recovery October 2011Data Backup, Archiving & Disaster Recovery October 2011
Data Backup, Archiving & Disaster Recovery October 2011
 
EMC Symmetrix Data at Rest Encryption - Detailed Review
EMC Symmetrix Data at Rest Encryption - Detailed Review EMC Symmetrix Data at Rest Encryption - Detailed Review
EMC Symmetrix Data at Rest Encryption - Detailed Review
 
Oracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingOracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and Masking
 
TECHNICAL WHITE PAPER▶NetBackup 5330 Resiliency/High Availability Attributes
TECHNICAL WHITE PAPER▶NetBackup 5330 Resiliency/High Availability AttributesTECHNICAL WHITE PAPER▶NetBackup 5330 Resiliency/High Availability Attributes
TECHNICAL WHITE PAPER▶NetBackup 5330 Resiliency/High Availability Attributes
 
Zettaset Elastic Big Data Security for Greenplum Database
Zettaset Elastic Big Data Security for Greenplum DatabaseZettaset Elastic Big Data Security for Greenplum Database
Zettaset Elastic Big Data Security for Greenplum Database
 
twp-oracledatabasebackupservice-2183633
twp-oracledatabasebackupservice-2183633twp-oracledatabasebackupservice-2183633
twp-oracledatabasebackupservice-2183633
 
Data Protection Fde Solution Presentation
Data Protection Fde Solution PresentationData Protection Fde Solution Presentation
Data Protection Fde Solution Presentation
 
Veracrypt
VeracryptVeracrypt
Veracrypt
 
Protect data at rest with negligible impact on NVMe disk performance metrics
Protect data at rest with negligible impact on NVMe disk performance metricsProtect data at rest with negligible impact on NVMe disk performance metrics
Protect data at rest with negligible impact on NVMe disk performance metrics
 
Backup exec 2014 deduplication option white paper
Backup exec 2014 deduplication option white paperBackup exec 2014 deduplication option white paper
Backup exec 2014 deduplication option white paper
 
DataKeeper_SAN-SANLess_Clusters_Windows_Product_Brief(RaxcoBE)
DataKeeper_SAN-SANLess_Clusters_Windows_Product_Brief(RaxcoBE)DataKeeper_SAN-SANLess_Clusters_Windows_Product_Brief(RaxcoBE)
DataKeeper_SAN-SANLess_Clusters_Windows_Product_Brief(RaxcoBE)
 
Bloombase transparent at-rest data encryption security for Dell EqualLogic
Bloombase transparent at-rest data encryption security for Dell EqualLogic Bloombase transparent at-rest data encryption security for Dell EqualLogic
Bloombase transparent at-rest data encryption security for Dell EqualLogic
 
Sql Server 2016 Always Encrypted
Sql Server 2016 Always EncryptedSql Server 2016 Always Encrypted
Sql Server 2016 Always Encrypted
 
The Benefits of using Tegile
The Benefits of using TegileThe Benefits of using Tegile
The Benefits of using Tegile
 
EMC for Network Attached Storage (NAS) Backup and Recovery Using NDMP
EMC for Network Attached Storage (NAS) Backup and Recovery Using NDMPEMC for Network Attached Storage (NAS) Backup and Recovery Using NDMP
EMC for Network Attached Storage (NAS) Backup and Recovery Using NDMP
 
DataCore Software with Cisco UCS Complete Unification of the Data Center Ser...
DataCore Software with Cisco UCS Complete Unification of the Data Center Ser... DataCore Software with Cisco UCS Complete Unification of the Data Center Ser...
DataCore Software with Cisco UCS Complete Unification of the Data Center Ser...
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
 
1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release
1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release
1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release
 

More from Deborah Lindquist

Deborah Lindquist Resume_11_2016
Deborah Lindquist Resume_11_2016Deborah Lindquist Resume_11_2016
Deborah Lindquist Resume_11_2016Deborah Lindquist
 
Montreal posters 24x36_smaller
Montreal posters 24x36_smallerMontreal posters 24x36_smaller
Montreal posters 24x36_smallerDeborah Lindquist
 
Deborah Lindquist Portfolio 2016
Deborah Lindquist Portfolio 2016Deborah Lindquist Portfolio 2016
Deborah Lindquist Portfolio 2016Deborah Lindquist
 

More from Deborah Lindquist (10)

Deborah Lindquist Resume_11_2016
Deborah Lindquist Resume_11_2016Deborah Lindquist Resume_11_2016
Deborah Lindquist Resume_11_2016
 
UK_DE_Survey White Paper
UK_DE_Survey White PaperUK_DE_Survey White Paper
UK_DE_Survey White Paper
 
TDK plastic bag concepts
TDK plastic bag conceptsTDK plastic bag concepts
TDK plastic bag concepts
 
RDX Pad Print Program
RDX Pad Print ProgramRDX Pad Print Program
RDX Pad Print Program
 
Nexsan_About Us Flyer
Nexsan_About Us FlyerNexsan_About Us Flyer
Nexsan_About Us Flyer
 
Nexsan Axle Flyer
Nexsan Axle FlyerNexsan Axle Flyer
Nexsan Axle Flyer
 
Montreal posters 24x36_smaller
Montreal posters 24x36_smallerMontreal posters 24x36_smaller
Montreal posters 24x36_smaller
 
LINK paper bag
LINK paper bagLINK paper bag
LINK paper bag
 
BBBB ad concepts
BBBB ad conceptsBBBB ad concepts
BBBB ad concepts
 
Deborah Lindquist Portfolio 2016
Deborah Lindquist Portfolio 2016Deborah Lindquist Portfolio 2016
Deborah Lindquist Portfolio 2016
 

Nexsan_E-Series Encryption at Rest SED_US_Eng

  • 2. WHITEPAPER 2 Imation Corp. 1 Imation Way, Oakdale, MN 55128-3414 | p. 651.704.4000 f. 651.537.4675 | www.imation.com/nexsan © Imation Corp. Nexsan, the Nexsan logo, E-Series, FASTier, E-Centre and NestOS are trademarks of Imation Corp. All other trademarks are property of their respective owners. (Rev. 09/11/15) INTRODUCTION This paper describes the use-cases and implementation of self-encrypting drive (SED) support in the E-Series V software, implemented in version R011.1204 and later. SEDs can provide protection for data when drives leave the control of the user, whether intentionally or if stolen. As a consequence of encryption, data can also be securely erased in the event of repurposing of a drive or set of drives. OVERVIEW E-Series software supports SEDs to provide data-at-rest protection of user data on supported SAS HDDs or SSDs, once a drive has left the control of the user. This is enabled on a per-RAID set basis, and the complete system can include both SED and non-SED arrays. All drives in an encrypted array must be SEDs. It is possible to enable or disable array encryption at any time, without affecting the user data on the system. SED OVERVIEW SEDs are available from all major HDD and SSD vendors. A SED always performs encryption of all data as it is written to the media, regardless of any system or user involvement. At manufacturing time (or on demand) the drive creates a Data Encryption Key (DEK) that it stores internally to the drive, and it uses this key to encrypt and decrypt all data as it is written or read. By default, all SEDs operate identically to a non-SED drive, and can be used in non-SED mode. Since all encryption is handled in hardware, there is no performance impact to using the encryption feature. To use the drive in a secure mode, it is necessary to lock the drive. To do this, an Authentication Key (AK) is created by the drive management software (controller software in the case of E-Series V). This AK is used to encrypt the DEK, which is also typically changed at the time of locking. For more details on this process, refer to page 4.
  • 3. WHITEPAPER 3 Imation Corp. 1 Imation Way, Oakdale, MN 55128-3414 | p. 651.704.4000 f. 651.537.4675 | www.imation.com/nexsan © Imation Corp. Nexsan, the Nexsan logo, E-Series, FASTier, E-Centre and NestOS are trademarks of Imation Corp. All other trademarks are property of their respective owners. (Rev. 09/11/15) USE CASES There are a number of common use cases for SEDs, all associated with protecting data in various situations. The most typical use cases are described below. All drives in an encrypted array must be SEDs. It is possible to enable or disable array encryption at any time, without affecting the user data on the system. PROTECTION OF DATA ON DRIVES RETURNED FOR RMA When drives fail in an array during the warranty period, they are typically returned to the manufacturer for replacement. Often, data is still present and recoverable on the drives. Even drives that have been used in a RAID level that uses striping can have significant amount of recoverable user data, since the large stripe sizes used are sufficient to contain large fragments of files or databases. If these drives are part of an encrypted array, then any data on them is not accessible without the key, which is not stored on the drive. Therefore access to the drive’s user data is prevented. PROTECTION OF DATA ON STOLEN DRIVES If one or more drives from an encrypted array are stolen, then any data on them is not accessible without the key, which is not stored on any of the drives. This prevents access to the user data. Note that physical or administrative access to the complete system including the controllers does not protect from unauthorized access, since the storage system controller automatically unlocks the drives once the system is powered on. Appropriate security practices must still be employed to secure data path access to the storage system. DRIVE RETIREMENT OR REPURPOSING If an encrypted array of drives is deleted, part of the deletion process ensures the drive’s encryption key (DEK) is changed. This immediately ensures that the contents of the drive cannot be read, and the drive can be safely repurposed or removed from the system with no risk of exposing previous user data. An individual unused drive can also have its encryption key (DEK) changed to perform a secure erase. Without SEDs, drive retirement can take a significant amount of time to overwrite the data, and there is no guarantee that all data is erased. Secure warehousing of the drive is expensive and means the drive cannot be reused and physical destruction before the end of its useful life is wasteful. SECURE SHIPMENT Company mergers and consolidation can often lead to a requirement to move storage systems between datacenters. This poses a challenge where confidential data is stored on the drives. Using SEDs, it is possible to securely ship the drives without using secure shipping solutions and incurring the associated additional shipment costs. To ensure security of the data if drives are stolen in transit, controllers that contain the keys must be shipped separately.
  • 4. WHITEPAPER 4 Imation Corp. 1 Imation Way, Oakdale, MN 55128-3414 | p. 651.704.4000 f. 651.537.4675 | www.imation.com/nexsan © Imation Corp. Nexsan, the Nexsan logo, E-Series, FASTier, E-Centre and NestOS are trademarks of Imation Corp. All other trademarks are property of their respective owners. (Rev. 09/11/15) DRIVE UNLOCKING The diagram below illustrates the process of unlocking and accessing data on a locked SED. The E-Series software automatically unlocks an array when it is powered on, so no additional user interaction is required to use the array encryption functionality. The drive stores the encrypted copy of the DEK internally, and uses the AK to validate whether to unlock the drive. Once unlocked, the drive remains unlocked until it is powered off. Every time the system needs to unlock the drive, it must provide the AK. The AK can be changed at any time, and since it is only used to encrypt the DEK, the underlying data remains unaffected. For ease of management, the same AK may be used for a number of drives. The drive does not store the AK internally, it stores a hash of the AK to use for validation, and once the AK is validated, it uses the provided AK to decrypt the DEK. Yes No 3 Drive Remains Locked Encrypted DataDecrypt Ecryption Key Send Authentication Key to drive 2 Authenticated ? Clear Data 1 4 1. The controller sends the Authentication Key (AK) to the drive. 2. The drive hashes the authentication key and compares it with its stored hash to validate. 3. If the authentication is validated, the drive uses the provided authentication key to decrypt the DEK, stored on the drive media. 4. From this point, the drive automatically encrypts and decrypts all data passing through it. 1 2 3 4
  • 5. WHITEPAPER 5 Imation Corp. 1 Imation Way, Oakdale, MN 55128-3414 | p. 651.704.4000 f. 651.537.4675 | www.imation.com/nexsan © Imation Corp. Nexsan, the Nexsan logo, E-Series, FASTier, E-Centre and NestOS are trademarks of Imation Corp. All other trademarks are property of their respective owners. (Rev. 09/11/15) REFERENCES Trusted Computing Group (TCG) SED specifications: http://www.trustedcomputinggroup.org/solutions/data_protection ABOUT IMATION Imation is a global data storage and information security company. Imation’s Nexsan portfolio features solid-state optimized unified hybrid storage systems, secure automated archive solutions and high-density enterprise storage arrays. Nexsan solutions are ideal for mission-critical IT applications such as virtualization, cloud, databases, and collaboration; and energy efficient, high-density storage for backup and archiving. There are more than 11,000 customers of Nexsan solutions worldwide with more than 33,000 systems deployed since 1999. Nexsan systems are delivered through a worldwide network of cloud service providers, value-added resellers and solutions integrators. For more information, visit www.imation.com/nexsan. KEY GENERATION AND STORAGE The per-array authentication key (AK) is generated internally on the controller, and is stored in a private area on each controller. For redundancy, this is mirrored in the partner controller, so the system can automatically unlock the array in the event of controller failure. A replacement controller will automatically have the necessary keys installed. When an encrypted array is created or an array’s AK is changed, it is strongly recommended to download and make a backup of the key. This key should be securely stored in compliance with the user’s normal security practices, and a fresh backup made as it is changed. The AK can be changed at any time, if this is necessary for compliance with security practices. Whenever a key is created or changed, the user is prompted to download the key file for storage. Access to this file should be restricted to ensure the keys are kept private.