Nimble OS 2.3 – Implementing SmartSecure Encryption at Rest

Blog Post created by rfenton Employee on Jul 23, 2015

By Rich Fenton


Following Jeff Feierfell’s excellent blog of our SmartSecure Encryption of Data at Rest , I thought I would provide some ‘meat on the bone’ to what it actually looks like within the Nimble OS web GUI.

We should start by pointing out that SmartSecure requires no license key (Nimble has no licensed features) therefore once you upgrade to 2.3.x then your array (even older legacy Nimble platforms) will be able to enable the encryption feature.  In addition, SmartSecure requires no additional dedicated infrastructure!  Many storage vendors require a separate pool of storage (or even a dedicated array to turn on Encryption).   Within Nimble OS it’s a software feature that is applied on a per-volume basis (or if required the entire Nimble group can be encrypted).

In order to access SmartSecure encryption, you must firstly perform a non-disruptive upgrade to Nimble OS 2.3.x.  Once completed, you will see there is a new capability with the Administration > Security options to add Encryption.


Setting up SmartSecure Encryption on your Nimble Group


Configuring SmartSecure encryption is effortlessly simple, firstly you have to enable it by selecting the checkbox and by providing (and confirming) you Encryption Passphrase.  This is the key that is used to derive a unique encryption key for each volume.


Gotcha: It is essential that you keep this phrase safe as it will be potentially needed in the future, depending on how you configure encryption in some later steps.

Next, we have some additional configuration options on how we wish SmartSecure encryption to function within the Nimble Group:


System Startup Mode

This defines how the system behaves should it powered off and restarted for some reason. 


Available - the array operates as normal, in that on a system restart all volumes are accessible as they would be on normal array restart.


Secure - when the array powers on, any volume that is encrypted is not available until the passphrase is provided.   This is to ensure if the array is physically compromised (within the datacenter or whilst in transit) then protected data is protected to only a administrator who has the passphrase.    It is for this reason that having the passphrase is essential.



Default Setting - dictates whether SmartSecure encryption is enabled by default ever ytime on newly created volumes.

Scope - allows the user to choose to force that every volume in the array should be encrypted or allow it to be a selectable feature when volumes are created.




Gotcha: Existing volumes cannot be encrypted post-creation, to encrypt the data on an existing volume you will need to create a new encrypted volume and then migrate data to that volume.


Creating a Volume with SmartSecure Encryption

Creating a volume with encryption is effortless.  Simply create a volume as you would do with any new volume and you will now see an Enable Encryption checkbox, simply select it to encrypt the volume. 



Of course if you've been following the 2.3 blog series then you would be aware that the new vSphere Web Plugin supports encryption as well, that is also true for the thick client:


Viewing a Volume that is encrypted

You will notice that from the volumes page there is not a way to view which volumes are encrypted and which ones are not (by using a different icon).   This was a design decision from our User Experience design team to not show which volumes are encrypted to avoid them from being a targeted volume. 


However, drilling down to the details of the volume show that the volume is indeed encrypted:


SmartReplicate and SmartSecure

Finally, if you're utilising SmartReplicate replication between two arrays, then clearly they both have to have SmartSecure encryption enabled in order for encrypted volumes to be replicated.  Of course blocks sent in flight will be encrypted securing the data and the transmission.


The following video walks you through a basic demonstration of setting SmartSecure Encryption on a Nimble group and enabling it on a newly created volume, (please note there is no sound on this video):



Please feel free to ask any questions or make any comments below!