WHITEPAPER
E-SERIES ENCRYPTION
WHITEPAPER 2
Imation Corp. 1 Imation Way, Oakdale, MN 55128-3414 | p. 651.704.4000 f. 651.537.4675 | www.imation.com/nexsan
© Imation Corp. Nexsan, the Nexsan logo, E-Series, FASTier, E-Centre and NestOS are trademarks of Imation Corp. All other trademarks are
property of their respective owners.
(Rev. 09/11/15)
INTRODUCTION
This paper describes the use-cases and implementation of self-encrypting drive
(SED) support in the E-Series V software, implemented in version R011.1204 and
later. SEDs can provide protection for data when drives leave the control of the
user, whether intentionally or if stolen. As a consequence of encryption, data can
also be securely erased in the event of repurposing of a drive or set of drives.
OVERVIEW
E-Series software supports SEDs to provide data-at-rest protection of user
data on supported SAS HDDs or SSDs, once a drive has left the control of the
user. This is enabled on a per-RAID set basis, and the complete system can
include both SED and non-SED arrays. All drives in an encrypted array must be
SEDs. It is possible to enable or disable array encryption at any time, without
affecting the user data on the system.
SED OVERVIEW
SEDs are available from all major HDD and SSD vendors. A SED always performs
encryption of all data as it is written to the media, regardless of any system or
user involvement. At manufacturing time (or on demand) the drive creates a
Data Encryption Key (DEK) that it stores internally to the drive, and it uses this
key to encrypt and decrypt all data as it is written or read. By default, all SEDs
operate identically to a non-SED drive, and can be used in non-SED mode. Since
all encryption is handled in hardware, there is no performance impact to using the
encryption feature.
To use the drive in a secure mode, it is necessary to lock the drive. To do this, an
Authentication Key (AK) is created by the drive management software (controller
software in the case of E-Series V). This AK is used to encrypt the DEK, which
is also typically changed at the time of locking. For more details on this process,
refer to the DRIVE UNLOCKING section.
USE CASES
There are a number of common use cases for SEDs, all associated with protecting data in
various situations. The most typical use cases are described below. All drives in an
encrypted array must be SEDs. It is possible to enable or disable array encryption at any
time, without affecting the user data on the system.
PROTECTION OF DATA ON DRIVES RETURNED FOR RMA
When drives fail in an array during the warranty period, they are typically returned to the
manufacturer for replacement. Often, data is still present and recoverable on the drives.
Even drives that have been used in a RAID level that uses striping can have a significant
amount of recoverable user data, since the large stripe sizes used are sufficient to contain
large fragments of files or databases. If these drives are part of an encrypted array, then any
data on them is not accessible without the key, which is not stored on the drive. Therefore,
access to the drive’s user data is prevented.
PROTECTION OF DATA ON STOLEN DRIVES
If one or more drives from an encrypted array are stolen, then any data on them is not
accessible without the key, which is not stored on any of the drives. This prevents access to
the user data. Note that array encryption does not protect against unauthorized access by
anyone with physical or administrative access to the complete system including the
controllers, since the storage system controller automatically unlocks the drives once the
system is powered on. Appropriate security practices must still be employed to secure data
path access to the storage system.
DRIVE RETIREMENT OR REPURPOSING
If an encrypted array of drives is deleted, part of the deletion process ensures the drive’s
encryption key (DEK) is changed. This immediately ensures that the contents of the drive
cannot be read, and the drive can be safely repurposed or removed from the system with no
risk of exposing previous user data. An individual unused drive can also have its encryption
key (DEK) changed to perform a secure erase. Without SEDs, drive retirement can take a
significant amount of time to overwrite the data, and there is no guarantee that all data is
erased. Secure warehousing of the drive is expensive and means the drive cannot be reused,
and physical destruction before the end of its useful life is wasteful.
SECURE SHIPMENT
Company mergers and consolidation can often lead to a requirement to move storage systems
between datacenters. This poses a challenge where confidential data is stored on the drives.
Using SEDs, it is possible to securely ship the drives without using secure shipping solutions
and incurring the associated additional shipment costs. To ensure security of the data if drives
are stolen in transit, controllers that contain the keys must be shipped separately.
DRIVE UNLOCKING
The diagram below illustrates the process of unlocking and accessing data on a
locked SED. The E-Series software automatically unlocks an array when it is
powered on, so no additional user interaction is required to use the array encryption
functionality. The drive stores the encrypted copy of the DEK internally, and uses
the AK to validate whether to unlock the drive. Once unlocked, the drive remains
unlocked until it is powered off. Every time the system needs to unlock the drive, it
must provide the AK. The AK can be changed at any time, and since it is only used to
encrypt the DEK, the underlying data remains unaffected. For ease of management,
the same AK may be used for a number of drives. The drive does not store the AK
internally; it stores a hash of the AK to use for validation, and once the AK is
validated, it uses the provided AK to decrypt the DEK.
[Diagram: drive unlock flow. 1: Send Authentication Key to drive. 2: Authenticated? If No, drive remains locked. If Yes, 3: Decrypt Encryption Key. 4: Encrypted Data / Clear Data.]
1. The controller sends the Authentication Key (AK) to the drive.
2. The drive hashes the authentication key and compares it with its stored hash to validate.
3. If the authentication is validated, the drive uses the provided authentication key to decrypt the DEK, stored on the drive media.
4. From this point, the drive automatically encrypts and decrypts all data passing through it.
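The unlock steps above, together with the AK change and the DEK change described under DRIVE RETIREMENT OR REPURPOSING, can be modelled in a few lines. This is an added example, not Nexsan firmware or code from the TCG specifications. The `ModelSED` class, the PBKDF2 hash of the AK, and the SHA-256 keystream cipher are assumptions standing in for the drive's hardware.

```python
import hashlib
import hmac
import os


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (SHA-256 counter keystream); stand-in for the drive's hardware cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


class ModelSED:
    """Hypothetical model of a self-encrypting drive (assumption, not vendor code)."""

    def __init__(self):
        self.dek = os.urandom(32)   # DEK created at manufacturing time
        self.ak_hash = None         # no AK set: behaves like a non-SED drive
        self.locked = False
        self.media = {}             # LBA -> ciphertext as stored on the media

    def _hash(self, ak: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", ak, self.salt, 50_000)

    def enable_locking(self, ak: bytes) -> None:
        """Keep only a hash of the AK plus the DEK encrypted under the AK."""
        self.salt, self.nonce = os.urandom(16), os.urandom(16)
        self.ak_hash = self._hash(ak)
        self.wrapped_dek = _xor_stream(ak, self.nonce, self.dek)

    def power_cycle(self) -> None:
        if self.ak_hash is not None:      # locking enabled: plaintext DEK is lost
            self.dek, self.locked = None, True

    def unlock(self, ak: bytes) -> bool:
        # Step 2: hash the supplied AK and compare it with the stored hash.
        if self.ak_hash is None or not hmac.compare_digest(self._hash(ak), self.ak_hash):
            return False                  # a locked drive remains locked
        # Step 3: use the supplied AK to decrypt the stored DEK.
        self.dek = _xor_stream(ak, self.nonce, self.wrapped_dek)
        self.locked = False
        return True

    def change_ak(self, old_ak: bytes, new_ak: bytes) -> bool:
        """Re-wrap the same DEK under a new AK; data on the media is untouched."""
        if not self.unlock(old_ak):
            return False
        self.enable_locking(new_ak)
        return True

    def crypto_erase(self) -> None:
        """Replace the DEK: existing ciphertext can no longer be decrypted."""
        self.dek = os.urandom(32)
        self.ak_hash, self.locked = None, False

    def write(self, lba: int, data: bytes) -> None:
        if self.locked:
            raise PermissionError("drive is locked")
        self.media[lba] = _xor_stream(self.dek, lba.to_bytes(8, "big"), data)

    def read(self, lba: int) -> bytes:
        if self.locked:
            raise PermissionError("drive is locked")
        return _xor_stream(self.dek, lba.to_bytes(8, "big"), self.media[lba])
```

Changing the AK only rewrites the wrapped DEK, so the stored ciphertext is byte-for-byte identical afterwards, while `crypto_erase()` leaves the ciphertext in place but makes it undecryptable.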
REFERENCES
Trusted Computing Group (TCG) SED specifications:
http://www.trustedcomputinggroup.org/solutions/data_protection
ABOUT IMATION
Imation is a global data storage and information security company. Imation’s Nexsan
portfolio features solid-state optimized unified hybrid storage systems, secure
automated archive solutions and high-density enterprise storage arrays. Nexsan solutions
are ideal for mission-critical IT applications such as virtualization, cloud, databases, and
collaboration; and energy efficient, high-density storage for backup and archiving.
There are more than 11,000 customers of Nexsan solutions worldwide with more than
33,000 systems deployed since 1999. Nexsan systems are delivered through a worldwide
network of cloud service providers, value-added resellers and solutions integrators.
For more information, visit www.imation.com/nexsan.
KEY GENERATION AND STORAGE
The per-array authentication key (AK) is generated internally on the controller, and is
stored in a private area on each controller. For redundancy, this is mirrored in the partner
controller, so the system can automatically unlock the array in the event of controller
failure. A replacement controller will automatically have the necessary keys installed.
When an encrypted array is created or an array’s AK is changed, it is strongly recommended
to download and make a backup of the key. This key should be securely stored in compliance
with the user’s normal security practices, and a fresh backup made whenever it is changed. The
AK can be changed at any time, if this is necessary for compliance with security practices.
Whenever a key is created or changed, the user is prompted to download the key file for
storage. Access to this file should be restricted to ensure the keys are kept private.
