
INFINIDAT utilizes data encryption-at-rest to increase the protection of data stored in InfiniBox.

Data encryption-at-rest protects data in all scenarios in which data stored on the disks is compromised because disks are removed from the site. With data encryption using AES256 and the ability to securely erase a disk, the risk of data exposure is eliminated.

The InfiniBox storage system can be set to run either with data-at-rest protection or without it. InfiniBox encryption-at-rest uses the standard method of encrypting data, so there is no performance penalty.
To benefit from this feature, your InfiniBox has to be equipped with self-encrypting disks.

Encryption-at-rest terminology

  • SED - Self-encrypting drive. A drive that encrypts all its data all the time using an internal encryption key.
  • Password - The string that unlocks a drive and allows IO. Often referred to as Authentication Key or AK. Passwords are stored in the InfiniBox OS and are sent to the drives when needed. All passwords are saved in an encrypted form for security, and in 3 locations to avoid password corruption.
  • Encryption key - The binary key used to encrypt / decrypt the actual data. Often referred to as Data Encryption Key or DEK. The encryption key is stored inside the drive and never leaves it. InfiniBox uses 256-bit AES encrypted drives.

Encryption-at-rest mechanism

InfiniBox infrastructure

  • InfiniBox generates unique passwords per-drive and per-system so that different drives will always have different passwords.
    This means that even in the theoretical case of a compromised drive, all other drives in the system remain secure.

  • Drives are activated once
  • Drives are authenticated upon any power loss.

Enabling SED

  • The feature is enabled by INFINIDAT Support
  • InfiniBox creates passwords for all drives
  • InfiniBox locks the drives
  • InfiniBox unlocks the drives using the passwords (self-test)
  • This task is non-disruptive to the InfiniBox operation, takes several minutes to complete and is done for one drive at a time

Drive activation

When a new drive is introduced to a SED-enabled InfiniBox system, InfiniBox unlocks the drive using the password that was created during SED enabling (see above).

  1. If the drive is unlocked
    1. InfiniBox creates a password, locks the drive and unlocks it (see above) and the drive state becomes Active
     
  2. If the drive is already locked 
    1. If InfiniBox provides the wrong password, the drive remains locked and has to be replaced
    2. If InfiniBox provides the correct password, the drive state becomes Active


Powering-up a SED enabled system

A SED-enabled system is powered up following a hot upgrade or an emergency shutdown. InfiniBox treats the power-up similarly to drive activation (all of the system drives are activated). See the section above for a detailed discussion of drive activation.
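The drive activation and power-up flow described above, as an added example that is not INFINIDAT code. `ToySED` and `ToySystem` are hypothetical, constructed models (no real drive commands, and the password store is kept in the clear only for the model); it also shows a locked drive moved to a second system and one drive's password tried on another drive.

```python
import hashlib, hmac, secrets

class ToySED:
    """Constructed stand-in for a self-encrypting drive, not a real drive API."""
    def __init__(self, serial):
        self.serial = serial
        self._verifier = None      # no password installed yet
        self.unlocked = True       # a fresh drive accepts IO

    def set_password(self, password):
        self._verifier = hashlib.sha256(password).digest()
        self.unlocked = False      # installing a password locks the drive

    def unlock(self, password):
        ok = self._verifier is not None and hmac.compare_digest(
            self._verifier, hashlib.sha256(password).digest())
        self.unlocked = self.unlocked or ok
        return ok

    def power_cycle(self):
        if self._verifier is not None:
            self.unlocked = False  # a protected drive relocks on power loss

class ToySystem:
    """Hypothetical model of the storage system's side of the flow."""
    def __init__(self):
        self.passwords = {}        # serial -> password (in the clear only in this model)

    def activate(self, drive):
        if drive.unlocked:         # case 1: create password, lock, self-test unlock
            password = secrets.token_bytes(32)
            drive.set_password(password)
            self.passwords[drive.serial] = password
        else:                      # case 2: already locked, try the stored password
            password = self.passwords.get(drive.serial, b"")
        return "Active" if drive.unlock(password) else "Locked (replace drive)"

    def power_up(self, drives):    # power-up activates every drive in the system
        return {d.serial: self.activate(d) for d in drives}

def demo():
    system_a, system_b = ToySystem(), ToySystem()
    d1, d2 = ToySED("S1"), ToySED("S2")
    enabled = system_a.power_up([d1, d2])        # first activation
    d1.power_cycle(); d2.power_cycle()
    restarted = system_a.power_up([d1, d2])      # re-authentication after power loss
    d2.power_cycle()                             # drive pulled, inserted elsewhere
    moved = system_b.activate(d2)
    d1.power_cycle()
    cross = d1.unlock(system_a.passwords["S2"])  # another drive's password
    return enabled, restarted, moved, cross, d2.unlocked
```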

Note

Hot upgrade cannot take place during SED enablement, so as to avoid a situation in which, during power-up, some drives are encrypted while other drives are not.

Hot upgrade

  • Hot upgrade is not affected by the encryption-at-rest feature


