WHITE PAPER

DATA ENCRYPTION:
BEST PRACTICES FOR EDGE ENVIRONMENTS

INTRODUCTION

The news from the last few years is littered with stories about security breaches, from electronic point-of-sale malware attacks on large US retailers, leaked online credit card payment details and sensitive defense documents being published, to celebrity private photos being stolen.

It seems that the number of breaches and data leaks is rising year over year, with each seeming to be bigger and more high-profile than the previous one, resulting in more data and customer information being exposed. The data is either sold on the black market/“dark web” or published on the Internet to embarrass or discredit a person or company. In some cases, this has resulted in hefty fines and financial penalties for the companies involved.

The fact is that many of the breaches can be attributed to one or more of the following: unauthorized access (hacking), malware/viruses exploiting security holes from poor computer maintenance (patching), social engineering (email scamming), and in some cases hardware theft.

There are a number of techniques that can be used to protect the data, such as endpoint security (virus scanning, firewalls), email spam filtering, role-based access controls, better user education and having a well-defined patch management strategy. However, the most effective way to protect and secure data is encryption. This will be the focus for the rest of this white paper.

WHAT IS ENCRYPTION?

Encryption is the process of translating data from one form (plaintext) to another (ciphertext) - see fig. 1. It ensures that if the data falls into an unauthorized party’s hands, the data cannot be accessed without having the correct encryption keys to decrypt the data.

Fig. 1 The process of encryption, from plaintext to ciphertext.

Gartner defines encryption as, “the process of systematically encoding a bit stream before transmission so that an unauthorized party cannot decipher it.” Data-at-rest encryption protects data when it is stored on disk and can be used to protect data from unauthorized access or equipment theft. For example, in the event of a server theft or disk failure, it would not be possible to access the data as it is encrypted. Failed disks can now be disposed of, or replaced easily, without the need for traditional data destruction techniques such as “degaussing” of magnetic disks, physical destruction or “disk scrubbing”.

StorMagic. Copyright © 2020. All rights reserved.

WHO SHOULD ENCRYPT?

Some industries such as healthcare, financial services, government and defense have strict regulatory, risk or compliance requirements that require data to be encrypted. Common regulations include:

- HIPAA: Health Insurance Portability and Accountability Act (US healthcare)
- FIPS 140-2: Federal Information Processing Standard (US Defense, finance, healthcare)
- GDPR: General Data Protection Regulation (EU)
- DPB: Data Protection Bill (UK)
- SOX: Sarbanes-Oxley (Finance)
- PCI DSS: Payment Card Industry Data Security Standard (Finance)
- CCPA: California Consumer Privacy Act

What becomes clear is that the number of regulations varies by geographic region and industry; some are very prescriptive while others are less so. What unites all of them is that, in the case of a breach, all of these regulations carry a financial penalty. Avoiding these penalties has been a major contributor in the increased interest and spending on data encryption solutions.

More industries will add encryption features for protection against penalties and litigation, and over time, encryption adoption will continue to become more mainstream and horizontal rather than by vertical industry or geography.

WHERE TO ENCRYPT?

There are numerous ways of solving most IT problems, and data encryption is no different. There are various points within an IT stack where the encryption can be performed, as shown in fig. 2. Each has its pros and cons with regards to cost, complexity, and capacity.

Fig. 2 Where should you encrypt? The software-defined layer is often the best option.

Performing encryption higher up in the stack enables greater control of what is being encrypted. For example, it is possible to encrypt a select number of virtual machines or specific tables in a database. This approach can add complexity, as each application, filesystem, or hypervisor will have different methods to perform the encryption, all of which need to be configured and managed differently.

Encrypting at the hardware layer radically simplifies the solution, as all the data will be encrypted, but this requires specialist hardware. This could mean self-encrypting drives (SEDs) or encryption-capable RAID controller cards while other solutions may rely on bespoke hardware
acceleration cards to perform the encryption operations. All these can add significant cost to the solution and create lock-in to a specific hardware encryption solution.

StorMagic has seen that many end users want to just ‘blanket’ encrypt all their data rather than select which data needs securing. They want a simple solution that does not require individual encryption for each application, VM or filesystem. Furthermore, they want to do it with the equipment they already have and not incur any additional costs purchasing encryption-capable hardware. Therefore, the most effective place to perform encryption would be in the software-defined storage stack. This would allow the end users to select some or all volumes that require encryption using the same hardware-agnostic mechanism for all data, irrespective of application, filesystem or operating system.

KEY MANAGEMENT REQUIREMENTS

Once the encryption algorithm performs the conversion of plaintext data into an encrypted form using a key, there then arises the equally important topic of key management. In general, key management provides a secure, highly available place to store and manage the cryptographic keys.

Availability is the most important requirement of key management. Without access to the keys, the data will not be accessible. Therefore, it is highly recommended to have at least two or possibly more key management servers to ensure keys are always available. Ideally each key management system (KMS) would be installed in a different location or datacenter to ensure that a power outage, flooding, fire or other localized disaster does not interrupt availability.

HOW DOES GARTNER DEFINE ENTERPRISE KEY MANAGEMENT?
“Enterprise key management (EKM) provides a single, centralized software or network appliance for multiple symmetric encryption or tokenization cryptographic solutions. Critically, it enforces consistent data access policies through encryption and tokenization management. It also facilitates key distribution and secure key storage, and maintains consistent key life cycle management.”

KEY MANAGEMENT INTEROPERABILITY PROTOCOL (KMIP)

Today, all KMS solutions use the Key Management Interoperability Protocol (KMIP). This is a single, standard protocol for communication between KMS and encryption solutions, such as storage arrays, tape libraries, self-encrypting drives (SEDs) and networking equipment.

Prior to KMIP, each vendor would have their own methods of encryption leading to multiple key management solutions being used, increasing management overhead.

KEY CRITERIA FOR SELECTING YOUR ENCRYPTION SOLUTION

- It should employ industry-standard, ultra-secure cryptographic algorithms to encrypt the data.
- It should use the CPU AES-NI encryption instructions to provide hardware acceleration that significantly improves encryption performance.
- It should be hardware-agnostic and should not require expensive special hardware, such as self-encrypting drives (SEDs), ASICs, FPGAs or cryptographic capable RAID controllers to perform the encryption operations.
- It should be KMIP-compliant, providing interoperability with industry-leading KMS solutions.
- It should encrypt data on a per volume granularity and provide the ability to select some or all of the data to encrypt.

StorMagic. Copyright © 2020. All rights reserved.


STORMAGIC SvSAN DATA ENCRYPTION

As a simple, cost-effective and flexible virtual SAN solution, StorMagic SvSAN also brings these fundamentals into the encryption space through its data encryption feature. When added to SvSAN, the solution provides lightweight, highly available encrypted storage on as few as two nodes per cluster.

SvSAN’s data encryption feature delivers ultra-secure encryption using a FIPS 140-2 compliant algorithm and meets HIPAA, PCI DSS and SOX requirements. It does not require special self-encrypting disk drives, RAID cards or FPGA/ASICs and has the flexibility to encrypt all mirrored data, or just selected volumes. The data is encrypted in-flight, before it is written to disk.

Available as an additional feature on top of the base SvSAN license, SvSAN’s data encryption feature enables organizations to securely protect data at edge locations where data and IT hardware are much more vulnerable. Data encryption can be added to new and existing SvSAN licenses. For more information on how to enable encryption on your SvSAN clusters, please contact sales@stormagic.com.

STORMAGIC SvKMS ENCRYPTION KEY MANAGEMENT

To enable secure and effective key management when using SvSAN’s data encryption feature, use StorMagic SvKMS encryption key management. SvKMS provides extremely flexible key management, enabling an organization to store keys locally, in the datacenter or cloud and integrate with any existing workflow.

SvKMS is a separately licensed product to SvSAN and the two can be used independently of each other. For more information on SvKMS, please refer to the SvKMS product data sheet.

Furthermore, if your organization is already using an existing KMS solution, providing it is KMIP-compliant, SvSAN’s data encryption feature is already fully compatible and can be integrated with it immediately.

KEY MANAGEMENT SERVER FAILURE SCENARIOS

Knowing that an encryption solution is secure, reliable and resilient is fundamental for data security. This section describes different failure scenarios that may impact SvSAN’s data encryption feature and explains the expected behavior during failure and subsequent recovery.

The scenarios are as follows:
1. Normal running state
2. Single KMS server becomes unavailable
3A. All KMS servers in a cluster are unavailable - VSA online
3B. All KMS servers in a cluster are unavailable - VSA offline or rebooted
4. Key revoked/deactivated

SCENARIO 1:
NORMAL RUNNING STATE

Fig. 3 shows a typical two node SvSAN cluster, connected to another cluster running KMS VMs. While the KMS could be located remotely, within a datacenter and/or cloud, this is the optimal configuration when the KMS is located locally to the encrypted cluster. It provides an adequate level of security by separating the keys from the encrypted data. In this instance:

- All key servers in the KMS cluster are online.
- SvSAN hosts are online and healthy.
- All volumes are in a healthy state.

When the SvSAN VSAs are powered on they will obtain the encryption keys from the KMS cluster, and volumes will be brought online allowing normal read/write access.

- While the connection state to the KMS cluster is good, SvSAN will recheck the connection to the KMS cluster every 5 minutes.
- If there is an issue with this connection and the VSA can no longer contact the KMS cluster it will recheck the connection to the KMS every minute.
- If unable to establish connectivity to the KMS the VSAs will trigger an event.



Fig. 3 A separate KMS cluster communicating using KMIP to an encrypted SvSAN cluster.

SCENARIO 2:
SINGLE KMS SERVER BECOMES UNAVAILABLE

Fig. 4 shows the same two clusters - one for SvSAN and one for the KMS. In this scenario, one of the KMS servers has failed. As the remaining KMS is still online and available to the SvSAN cluster:

- The VSAs continue to operate without impact to data availability.
- Storage will remain accessible and the encryption keys can still be obtained from the surviving KMS, in the event of a VSA reboot.

Fig. 4 A single KMS server is unavailable.

SCENARIO 3A:
ALL KMS SERVERS IN A CLUSTER ARE UNAVAILABLE - VSAs ONLINE

In this scenario, shown in fig. 5, all the KMS servers have failed, but the SvSAN cluster is operational.

- While the VSAs remain online the volumes will be available and online. See Scenario 3B for when the VSAs are rebooted/powered down.
- SvSAN will check the connection state to the KMS every minute.
- On a successful connection to the KMS, an event is logged and System Status returns to normal.

SCENARIO 3B:
ALL KMS SERVERS IN A CLUSTER ARE UNAVAILABLE - VSAs OFFLINE OR REBOOTED

In this scenario, all the KMS servers have failed (as in fig. 5) and the VSA has been rebooted or was powered down.

- When a VSA is rebooted or powered on, the VSA will attempt to retrieve the encryption keys at startup.
- As there are no key management servers available, the VSA will be unable to obtain the encryption key for the volumes.
- An event will be generated and displayed in the SvSAN WebGUI, shown in fig. 6. It should be noted that events can also be propagated to vCenter, and via remote syslog, SNMP and email using SMTP.



- The volume will enter an “Offline (Locked)” state and events will be triggered from the VSA to alert the administrator, shown in fig. 7.

Recovery:

- The VSA will continue to check the connection to the KMS server every minute.
- When the connection to the KMS has been re-established, an event is logged as shown in fig. 8.
- The volume will return to the “Online” state, and the system status returns to normal.
- No administrative intervention is required to bring the storage back online.

SCENARIO 4:
KEY REVOKED/DEACTIVATED

- When the encryption keys are revoked on the KMS server, the VSA will keep its storage online and accessible until it is rebooted.
- On reboot of the VSA, SvSAN will try to retrieve the encryption keys from the KMS server. The VSA will fail to obtain the encryption key, as it has been revoked.
- An event will be generated and the volume will be held in the “Offline (Locked)” state. The VSA system status will change to “Error”.
- When the encryption keys have been revoked or deactivated for a target, it is still possible to perform rekey and decrypt operations.

Fig. 5 All KMS servers have failed.

Fig. 6 Error displayed in the WebGUI.

Fig. 7 Volume in “Offline (Locked)” state.

Fig. 8 Events logged in the WebGUI.
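
The failure scenarios above can be walked through as a small state model. This is an added example, not StorMagic code: the class names, event strings and the assumption that the key is held in memory only are hypothetical, while the recheck intervals and volume states are the ones stated in the scenarios.

```python
from dataclasses import dataclass, field
HEALTHY_RECHECK_S = 5 * 60  # page: recheck every 5 minutes while the KMS is reachable
FAILED_RECHECK_S = 60       # page: recheck every minute once contact is lost
ONLINE, LOCKED = "Online", "Offline (Locked)"
@dataclass
class KmsCluster:            # hypothetical stand-in for a KMIP key server cluster
    online: list             # one bool per key server
    key_active: bool = True  # False models a revoked/deactivated key

@dataclass
class Vsa:                   # hypothetical model of one VSA, not SvSAN code
    kms: KmsCluster
    key: object = None       # assumed to live in memory only, so a reboot loses it
    volume: str = LOCKED
    kms_ok: bool = True
    events: list = field(default_factory=list)

    def reboot(self):        # power-on: the key must be fetched again at startup
        self.key, self.volume, self.kms_ok = None, LOCKED, True
        return self.check()

    def check(self):
        """One connection check; returns seconds until the next one."""
        reachable = any(self.kms.online)
        if reachable != self.kms_ok:
            self.kms_ok = reachable
            self.events.append("KMS reachable" if reachable else "KMS unreachable")
        if self.key is None:  # a VSA already holding its key keeps volumes online
            if reachable and self.kms.key_active:
                self.key, self.volume = "volume-key", ONLINE
            elif self.events[-1:] != ["volume locked"]:
                self.events.append("volume locked")
        return HEALTHY_RECHECK_S if reachable else FAILED_RECHECK_S

def run_scenarios():
    """Returns (label, volume state, seconds to next check) per scenario step."""
    kms = KmsCluster([True, True])
    vsa, rows = Vsa(kms), []
    steps = [  # (label, KMS servers online, key active, VSA rebooted?)
        ("1 normal", [True, True], True, True),
        ("2 one KMS down, VSA rebooted", [False, True], True, True),
        ("3A all KMS down, VSA online", [False, False], True, False),
        ("3B all KMS down, VSA rebooted", [False, False], True, True),
        ("3B recovery", [False, True], True, False),
        ("4 key revoked, VSA online", [False, True], False, False),
        ("4 key revoked, VSA rebooted", [False, True], False, True),
    ]
    for label, online, active, rebooted in steps:
        kms.online, kms.key_active = online, active
        delay = vsa.reboot() if rebooted else vsa.check()
        rows.append((label, vsa.volume, delay))
    return rows
if __name__ == "__main__": print(*run_scenarios(), sep="\n")
```

The model makes the operational trade-off visible: an outage or revocation at the KMS only takes effect on a volume at the next VSA reboot, so monitoring should alert on the "KMS unreachable" event rather than wait for a locked volume.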



CONCLUSIONS

SvSAN’s data encryption feature has been developed to provide ultra-secure FIPS 140-2 compliant encryption and the flexibility to work with any KMIP-compliant key manager, including StorMagic SvKMS. SvSAN is resilient and flexible enough to be deployed at remote and edge sites, enabling safe, secure data encryption alongside highly available storage. The process of installing and deploying SvSAN is straightforward enough to ensure data can begin to be encrypted within 15 minutes. As shown through the scenarios in this white paper, SvSAN handles many common failures of a remote KMS cluster, and endeavors to keep the volumes online and protected, providing peace of mind.

FURTHER READING

Visit the StorMagic website to read more about StorMagic’s virtual SAN solution SvSAN and encryption key management software SvKMS. Why not explore some of the others, such as Predictive Storage Caching, or the witness? These features and more can be accessed through the extensive collection of white papers on the StorMagic website.

Additional details on SvSAN are available in the Technical Overview which details SvSAN’s capabilities and deployment options.

If you’re ready to test SvSAN or SvKMS in your environment, you can do so totally free of charge, with no obligations. Simply download a fully-functioning free trial of both products from the website.

If you still have questions, or you’d like a demo of SvSAN or SvKMS, you can contact the StorMagic team directly by sending an email to sales@stormagic.com

StorMagic
Unit 4, Eastgate
Office Centre
Eastgate Road
Bristol
BS5 6XX
United Kingdom

+44 (0) 117 952 7396


sales@stormagic.com

www.stormagic.com
