Infinidat utilizes disk encryption-at-rest for regulatory compliance, security audit readiness and other purposes.
Disk encryption-at-rest allows for data protection across all scenarios in which data that is stored in the disks is compromised due to disks removal from the site. With data encryption using AES256 and the ability to securely erase a disk, the risk of data exposure is eliminated.
The InfiniBox storage system can be set to run either with data-at-rest protection or without it. InfiniBox encryption-at-rest uses the standard method of encrypting data, so there is no performance penalty.
To benefit from this feature, your InfiniBox must be equipped with self-encrypting disks.
- SED - Self-encrypting drive. A drive that encrypts all its data all the time using an internal Encryption key. Access to the encrypted data is governed by the drive password (a.k.a. authentication key).
- Password - The string that unlocks a drive and allow IO. Often referred to as Authentication Keys or AK. Passwords are stored in the InfiniBox OS and are sent to the drives when needed. All passwords are saved in an encrypted form for security, and in 3 locations to avoid password corruption. Each drive has a unique key, generated from a seed using the Key Derivation Function or KDF.
- Encryption key - The binary key used to encrypt / decrypt the actual data. Often referred to as Data Encryption Key or DEK. The encryption key is stored inside the drive and never leaves it. InfiniBox uses 256 bit AES encrypted drives. The cipher for the key is XTS.
The key never leaves InfiniBox.
InfiniBox generates unique passwords per-drive and per-system so that different drives will always have different passwords.
This means that even in the theoretical case of a drive compromised, all other drives in the system remain secure.
- Drives are activated and authenticated upon any power loss.
- Activation and locking:
- The activation is performed by Infinidat Support
- InfiniBox creates passwords for all drives
- InfiniBox locks the drives
- InfiniBox unlocks the drives using the passwords (self-test)
- This task takes several minutes to complete and is done for one drive at a time
- Drive activation
- If the drive is already locked, InfiniBox replaces its password
- Hot upgrade is not affected by the encryption-at-rest feature