Configuring Encryption at Rest
- 1 About Encryption at Rest
- 1.1 What it Protects
- 1.2 What it Does
- 1.3 Key Concepts
- 1.4 Performance Impact
- 2 Best Practices
- 3 Encryption Settings
- 4 Generating Encryption Keys
- 5 Encryption at Rest (EAR) Key Management
- 6 Enabling Encryption on a Cluster
- 7 Encrypting Existing Swarm Volumes
- 8 Troubleshooting Encryption
- 9 Disabling Encryption on a Cluster
- 10 Decommissioning an Encrypted Cluster
About Encryption at Rest
Swarm provides an option to encrypt all user data on drive volumes. Swarm encrypts the data as it writes it to the drive and decrypts it on access.Ā Because this occurs down at the kernel level, the effect is invisible: there is no difference in accessing encrypted versus unencrypted objects.Ā Encryption is controlled entirely through [disk]
settings in the configuration, but theseĀ cannot be changed dynamically (using the Swarm UI or SNMP).
Warning
Due to the high CPU and IO requirements of encryption at rest, using this feature is not recommended in storage virtual machine deployments.
What it Protects
Swarm volumes generally contain sensitive and proprietary client information.Ā Implementing encryption at rest provides two types of protection:
Security for the data on all removed and failed physical drives.
The ability to renderĀ all data in a cluster inaccessible by purging the encryption key.Ā
Important
Swarm data is only encrypted when āat restā (stored physically on the Swarm drives). The following is not encrypted:
objects within Swarm memory
objects in network transit between Swarm volumes or clusters
object metadata sent to Elasticsearch for indexing
What it Does
Encryption exists at the drive level, not during transmission. This is how encryption at rest works:
Data on each new drive is encrypted with an administrator-supplied key Swarm accesses from the volume.cfg/cluster.cfg file (Swarm does not persist any copies of the keys within the cluster).
The data on an encrypted drive removed from a chassis cannot be accessed anywhere, without the administrator-supplied key.
Swarm can access the data on an encrypted drive moved to another cluster by using the administrator-supplied key.Ā
All data on encrypted Swarm volumes are permanently and safely inaccessible if the administrator-supplied key is destroyed.Ā
There is no method for recovering data if the administrator-suppliedĀ key is lost.
Caution
DataCore cannot restore lost keys, and there is no master key. Swarm cluster administrators are solely responsible forĀ managingĀ these keys, and they must protect the key by storing a copy in a safe and secure location.
Key Concepts
Volumes encrypting data make use of encryption keys, and Swarm does not reformat existing Swarm volumes to enable encryption. Here are some implications:
Existing Volumes: Nothing changes until adding a new volume on a node with the new settings if encryption is enabled on an existing storage cluster. For Swarm to reformat a volume for encryption, the node must be rebooted with the new settings and the volume must be a non-Swarm (new or retired) drive.
Mixed Volumes: It is no trouble having a blend of encrypted and unencrypted volumes in a cluster and within a given node.
Converting Volumes: To have encryption implemented across an existing cluster, reboot the nodes with the new settings and systematically retire, reformat, and add back the volumes, at which time Swarm sets up the hardware for encryption. See Retiring Hardware.
Replication: Because encryption is low-level (local to the drive), it has no effect on replication (or any other request), and the key is not needed by the target cluster. Each source volume, if encrypted, has the key needed to read itsĀ ownĀ objects and send them to the remote cluster. Whether replicated objects are encrypted is completely independent of how they are stored in the source.
Example: Suppose there are three nodes in an existing source cluster and it is decided to enable encryption at rest. Update the configuration with the needed settings. AddĀ a fourth node (Node 4) to the cluster and boot it individually. Nodes 1 through 3 do not have the encryption settings because they have not been rebooted, butĀ Node 4 does have the settings to apply to new volumes. Since this node has booted with fresh, non-Swarm drives, Node 4's volumes areĀ allĀ encrypted at rest. For each request Node 4Ā receives, it uses encryption keys to write and read from the encrypted volumes. That is, if Node 3 needs to write an object to Node 4, Node 4 uses keys to store the object with encryption automatically. Given a remote replication cluster, the principle is the same. The source cluster (with Node 4) tells the target cluster to fetch specific objects for replication. Node 1 at the target cluster asks Node 4 at the source cluster for some objects. Since Node 4 has the keys, it can read the object from a drive and return the object to Node 1 in the target cluster. How Node 1 in the target cluster stores the object is up toĀ thatĀ node's configuration. Because encryption is completely local, the target cluster volumes are encrypted if set up.
Performance Impact
Encryption while reading and writing is a CPU-intensive activity and can typically expect to see a 10-30% performance overhead depending upon workload and hardware. The 2010 Intel Core processor family and later include special AES-NI instructions that implement the more complex and performance intensive steps of AES encryption. These instructions are implemented by AMD in processors starting late in 2011. Swarm's kernel takes advantage of the AES-NI instruction set if available in the CPU.
For more information, see IntelĀ® Advanced Encryption Standard Instructions (AES-NI) and AES instruction set .
Best Practices
Approach encryption as a cluster-wide setting.Ā Although it is possible to enable encryption separately on each chassis (each has a separateĀ
volume.cfg
), use the same encryption settings cluster-wide.Exception: Use chassis-specific encryption keys, if needed.
Update the configuration settings and thenĀ systematically retire and reformat existing drives to verify an entire cluster is encrypted.
Systematically retire and reformat existing drives so they use the new key to change encryption keys.
Elasticsearch recommends implementing the encryption methodĀ dm-crypt to guarantee that Elasticsearch metadata content is also encrypted. Swarm does not automate or manage the encryption key process for Elasticsearch volumes.
List the keys first in case there are keys in use that will need to be re-populated after the key list is deleted.
Encryption Settings
Volume encryption settings and keys are configured throughĀ [disk] settings in the volume.cfg/cluster.cfg file.
[disk] Settings | Default | Description |
---|---|---|
encryptNewVolumes |
| Indicates new Swarm volumes should be encrypted with the specified primary key. Set |
encryptionKeys |
| Swarm uses them to read volumes encrypted with these keys. Example:
Use the |
encryptionKeyPrimary | | String. Contains the name of the encryption key to be used to format new encrypted Swarm volumes. |
encryptionCipher |
| String. Indicates the preferred cipher algorithm to use when formatting new volumes. Keep the default unless directed otherwise. Valid values: aes-xts-plain64, aes-cbc-essiv |
encryptionKeySize |
| Integer (in bits). Indicates the preferred key size to use when formatting new volumes. Keep the default unless directed otherwise. Valid values: 128, 256, 512 |
encryptionHash |
| Indicates the preferred hash algorithm to use when formatting new volumes. Keep the default unless directed otherwise. Valid values: sha256, sha512 |
encryptionIterationTime |
| Integer (in milliseconds). Indicates the maximum iteration time LUKS uses to derive a key to use when formatting new volumes. Keep the default unless directed otherwise. Valid values: positive integers ā„ 1000 |
Generating Encryption Keys
Create encryption keys using tools available from the standard Linux and Windows OS package repositories.
Here is an example script for generating a key:
Generate Encryption Key
#!/usr/bin/python
import random
random.seed()
print "%064x" % random.getrandbits(512)
Encryption at Rest (EAR) Key Management
SCS Instructions
It is possible to set a key for EAR at install time for SCS. Even so, it may be necessary to manage EAR keys post-install, as follows:
scsctl storage config set -d 'disk.encryptionKeys={"name1": "key1", "name2:"key2", ...}'
Here, āname1:ākey1ā denotes the key-pair for the key name and encryption key string.
You can read the current value of disk.encryptionKeys using the command below:
scsctl storage config show -d ādisk.encryptionKeysā
If it is necessary to delete the keys under SCS, the following command can be issued:
CSN / USB Key Boot (Legacy)
Provide physical security measures to verify encryption keys are protected (on the physical chassis with USB sticks, or on the CSN) from both theft and loss.
Enabling Encryption on a Cluster
Swarm begins encrypting everyĀ newĀ (not formatted by Swarm) volume it detects and formats when enabling encryption for a cluster and setting up the required encryption keys.
To implement encryption across a cluster, do the following:
Open the cluster configuration (
node.cfg/cluster.cfg
file) for editing.Add appropriate values for these settings:
[disk]
encryptNewVolumes = true
encryptionKeys = {'key_2018-03-19': 'a24f8ec391ab3341', 'key_2016-09-27': 'de3498245ce8bf89'}
encryptionKeyPrimary = key_2018-03-19
Secure copies of the encryption keys.
Reboot the cluster to activate the settings change.
Add any new hardware, which Swarm formats for encryption.
Encrypting Existing Swarm Volumes
Reformat and remount the volumes if retiring volumes to implement encryption at rest. Contact DataCore Support for a utility to streamline this process. (v10.1)
Alternatively, seeĀ Encrypting Existing Swarm Volumes Manually.
Troubleshooting Encryption
Unmountable Volumes
This is how Swarm handles volumes it cannot mount:
Encrypted Swarm volume Swarm cannot open | This occurs if the key is missing. Swarm ignores the volume and logs an error. |
---|---|
Encrypted non-Swarm volume | Swarm ignores the volume and doesĀ notĀ format it. |
Unencrypted non-Swarm volume | A 60-second countdown timer is displayed on the physical console to provide time to prevent erroneous formatting if non-blank storage volume that appears to have data from other operating systems is detected when a Swarm Storage node boots. The most likely scenario for this happening is if a server or laptop is inadvertently PXE booted from the storage network. The countdown timer provides the opportunity to power off the system before the drive is formatted. After the 60-second countdown timer expires, Swarm formats the volume. |
Encryption Status and Logging
To see the encryption status of the volumes, view the SNMP volumes table for the cluster. Alternatively, view the status on theĀ Chassis DetailsĀ page (Managing Chassis and Drives) of the Storage UI or theĀ Node StatusĀ page (Managing Chassis and Drives - Legacy Admin Console) of the legacy Admin Console: Swarm putsĀ "(encrypted)" after the volume ID ofĀ volumes that are encrypted. Swarm writes a console message if it cannot open a volume because of a problem with the encryption key.
On startup or hotplug events, this is how Swarm logs encryption:
Each non-encrypted drive that is mounted is logged to the console, āMounted non-encrypted volume /dev/sdaā if encryption is enabled (
encryption.primaryKey
is set). An error is logged to syslog.An error is logged to the console, āUnable to mount encrypted volume /dev/sdaā if an encrypted volume cannot be mounted (such as for a missing key). An error is logged to syslog.
The log entry of that volume includes the encryption status of the volume when a volume is mounted.
During hotplug events, a volume with a non-Swarm encrypted partition is mounted and formatted as a Swarm volume immediately.
Disabling Encryption on a Cluster
The change affects how Swarm formats any new volumes it detects when disabling encryption on a cluster. Existing encrypted volumes, even if moved (hot plugged), remain encrypted and accessible only with encryption keys.
To remove encryption entirely from a cluster, do the following:
Edit the cluster configuration (.cfg) file.
Disable new volume encryption.
Remove the primary encryption key designation. (This makes it a secondary encryption key.)
Reboot all nodes requiring unencrypted volumes (to activate the settings change).
Systematically retire all encrypted volumes. Swarm relocates the data to other volumes.
Add back each volume.
Swarm formats each new volume as unencrypted and mounts it when detected.
As new data fills up each volume, it is unencrypted and requires no key.
Decommissioning an Encrypted Cluster
Perform the following to decommission an encrypted cluster, guaranteeing none of the encrypted data is ever retrievable:Ā
Delete the encryption keys from the cluster configuration (.cfg) file.Ā
Destroy all copies of the encryption keys.
Reboot the cluster.
Without the keys, Swarm cannot mount the volumes, so all are out of service.Remove, reformat, and repurpose the volumes.
Ā© DataCore Software Corporation. Ā· https://www.datacore.com Ā· All rights reserved.