Paul Frisoli

Encryption at Rest Information and GUI Setup

Blog Post created by Paul Frisoli Employee on Jan 26, 2016

Encryption of Data at Rest

 

You can enable or disable encryption as required for your environment. By default, encryption is disabled. After upgrading to version 2.3 or later, you can enable encryption. Before you can create encrypted volumes, you must perform an initialization step that creates the master key. The master key protects the keys that are used to encrypt volume data. The master key is protected by a passphrase that is specified when creating the master key. At times, it will be necessary to enter the passphrase to enable access to encrypted volumes. 

The encryption state of a volume is established when the volume is created, and cannot be changed afterwards. Cloned volumes inherit the encryption state of their parent. The group configuration contains a default encryption cipher setting, which is either "none" (no encryption), or "aes-256-xts" in the command line interface (CLI) and AES-256-XTS in the Nimble Storage GUI. (The aes-256-xts encryption algorithm is specifically designed for use in encrypting storage.) The group configuration also contains an encryption scope, which specifies where the default cipher can be changed. If the scope setting is "group," then the setting is enforced during volume creation and cannot be changed. If the scope setting is "volume," then the setting for individual volumes can be changed at creation time, but not thereafter. 

The group configuration contains an encryption mode setting that defines behavior on system restarts. The value can be set to "secure" or "available." In secure mode, the encryption passphrase must be entered every time the group leader array is restarted to unlock the master key. In available mode, enough information is stored in non-volatile memory to recover the master key without entering the passphrase. The information is not stored on disk. Available mode is provided for convenience in situations where the physical security of the array is unlikely to be compromised.

 

Caution

• If you lose the passphrase for the master key, data in encrypted volumes cannot be retrieved. Store the passphrase in a secure, accessible place.

• If your encryption requirement changes after creating a volume, you cannot change its encryption status. You can create a new volume with the encryption status that you need, and migrate the data to the new volume.

• Performance on CS2xx arrays is slow when accessing encrypted volumes.

 

Enable Encryption Using the GUI

 

You must have Administrator privileges to change the encryption configuration.

1 Choose Administration > Security > Encryption.

2 Complete the fields as needed for your environment.

 

Passphrase

When initially enabling encryption, enter a passphrase value of any printable characters with a length between 8 and 64 characters, inclusive, and then confirm your entry. Printable characters are English-language alphanumeric characters, spaces, and special characters. Foreign-language characters are not supported. You can optionally select the option to show the characters as you type so that you can verify entering the same value in both fields. 

Note After you save the initial configuration, you can change the passphrase value by clicking the Modify Passphrase button. You must know the current value to modify the value.

System Startup Mode

Select whether administrators or operators must enter the passphrase for encrypted volumes when the array restarts.

• Enabling Secure mode requires passphrase entry every time the group leader array restarts. Secure mode is useful if you move the array from one location to another or if the array is stolen. Because only authorized personnel know the passphrase, data

  is inaccessible without knowing the passphrase.

• Enabling Available mode does not require passphrase entry every time the group leader array restarts. Available mode is useful in physically secured and lights-out data centers.

 

Default Setting

select "Enable encryption on newly created volumes (Cipher: AES-256-XTS)" to enable encryption by default when authorized users create volumes. Deselect this option to create unencrypted volumes by default.

 

Scope Select where and how to apply the encryption Default Setting.

• Force the default setting to be applied to all new volumes in the group means that when authorized users create volumes, encryption is enabled or disabled based on whether encryption is enabled or disabled for the Default Setting. Users cannot override the Default Setting when creating volumes.

• Allow overriding the default setting on a per-volume basis means that when authorized users create volumes, the Default Setting is applied, but it can be changed. For example, if you choose to enable encryption by default, then an authorized user can

  choose not to encrypt a new volume when creating it.

 

3 When prompted to save your passphrase in a secure place, read the message and click I accept to acknowledge that you understand the ramifications of a lost passphrase and to save the encryption settings.


Based on your selections for Default Setting and Scope, volumes that authorized users create after enabling encryption are either automatically encrypted or can be encrypted on a case-by-case basis.

  Note Volumes that were created in Nimble versions earlier than version 2.3.x are not encrypted and cannot be edited to be encrypted. The encryption state specified when creating a volume cannot be changed for the life of that volume.


Note: This information references the Nimble GUI process. If you require CLI process, please reference the Security chapter in the Admin Guide

Outcomes