PowerScale OneFS provides DARE using SEDs, ensuring that data is encrypted during writes and decrypted during reads. Data stored on the SEDs is encrypted and decrypted with a 256-bit AES data encryption key, referred to as the DEK.

OneFS takes the standard SED encryption further by wrapping the DEK for each SED in an authentication key (AK). Further preventing unauthorized access, the AKs for each drive are placed in a key manager (KM) that is stored securely in an encrypted database, the key manager database (KMDB). The KMDB is encrypted with a 256-bit master key (MK), as shown in the following figure. PowerScale OneFS release 9.2 supports an external key manager by using a Key Management Interoperability Protocol (KMIP)-compliant key manager server; in that configuration the MK is stored in the KMIP-compliant server. PowerScale OneFS releases before OneFS 9.2 retain the MK internally on the node.

The AK is unique to each SED and ensures that OneFS never knows the DEK. If a drive is stolen from a PowerScale node, the data on the SED is useless, because the MK, AK, and DEK are all required to unlock the drive. If an SED is removed from a node, OneFS automatically deletes its AK. Conversely, when a new SED is added to a node, OneFS automatically assigns it a new AK.

For Gen 5 Isilon nodes, the KMDB is stored on both compact flash drives in each node. For Gen 6 Isilon nodes, the KMDB is stored in the node's NVRAM, and a copy is placed in the buddy node's NVRAM. For PowerEdge-based nodes, the KMDB is stored in the trusted platform module (TPM).

Using the KM and AKs ensures that the DEKs never leave the SED boundary, as required for FIPS compliance.

Note: The key manager uses FIPS-validated crypto when the STIG hardening profile is applied to the cluster. For information about enabling the STIG hardening profile, see the PowerScale OneFS STIG security profile section.

The KM and KMDB are entirely secure and cannot be compromised because they are not accessible by any CLI command or script. In Gen 5 nodes the KMDB stores only the local drives' AKs; in Gen 6 nodes it also holds the AKs of the buddy node's drives.
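The three-level key hierarchy described above (a per-drive DEK that never leaves the drive, wrapped under a per-drive AK, with the AKs held in a KMDB that is itself encrypted under the MK) is easier to reason about in code. The following is an added, constructed Python model, not OneFS or Dell code: the classes `SelfEncryptingDrive` and `KeyManager`, the `demo()` walkthrough, the HMAC-SHA256 counter-mode stand-in used in place of AES-256, and the plain dictionary standing in for the KMIP server are all assumptions made for illustration. It shows the properties the text claims: a locked drive yields nothing, a wrong AK does not unlock it, the KMDB is unreadable without the MK, and removing a drive deletes its AK so the key manager can no longer unlock it.

```python
"""Toy model of the SED / AK / KMDB / MK hierarchy. Constructed example, not OneFS code."""
import hashlib
import hmac
import json
import secrets

KEY_BYTES = 32  # 256-bit keys, matching the DEK, AK and MK sizes in the text


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES-256 (toy cipher, not for production)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises ValueError when `key` is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class SelfEncryptingDrive:
    """The DEK is generated inside the drive and only ever stored wrapped under the AK."""

    def __init__(self, drive_id: str, ak: bytes):
        self.drive_id = drive_id
        self._wrapped_dek = wrap(ak, secrets.token_bytes(KEY_BYTES))
        self._dek = None  # None means the drive is locked
        self._blocks: list[bytes] = []

    def unlock(self, ak: bytes) -> None:
        self._dek = unwrap(ak, self._wrapped_dek)  # fails unless the right AK is presented

    def lock(self) -> None:
        self._dek = None

    def write(self, data: bytes) -> None:
        if self._dek is None:
            raise PermissionError(f"{self.drive_id} is locked")
        self._blocks.append(wrap(self._dek, data))

    def read(self) -> list[bytes]:
        if self._dek is None:
            raise PermissionError(f"{self.drive_id} is locked")
        return [unwrap(self._dek, b) for b in self._blocks]


class KeyManager:
    """Keeps the AKs in a KMDB encrypted under the MK; the MK lives in an external store
    (a dict here, standing in for the KMIP server of OneFS 9.2+)."""

    def __init__(self, key_server: dict):
        self._key_server = key_server
        key_server.setdefault("mk", secrets.token_bytes(KEY_BYTES))
        self._kmdb = wrap(key_server["mk"], b"{}")  # empty, already-encrypted database

    def _load(self) -> dict:
        raw = unwrap(self._key_server["mk"], self._kmdb)
        return {k: bytes.fromhex(v) for k, v in json.loads(raw).items()}

    def _store(self, aks: dict) -> None:
        self._kmdb = wrap(self._key_server["mk"], json.dumps({k: v.hex() for k, v in aks.items()}).encode())

    def add_drive(self, drive_id: str) -> SelfEncryptingDrive:
        aks = self._load()
        aks[drive_id] = secrets.token_bytes(KEY_BYTES)  # a fresh AK for every new SED
        self._store(aks)
        return SelfEncryptingDrive(drive_id, aks[drive_id])

    def remove_drive(self, drive_id: str) -> None:
        aks = self._load()
        aks.pop(drive_id, None)  # the AK is deleted when the SED leaves the node
        self._store(aks)

    def unlock(self, drive: SelfEncryptingDrive) -> None:
        drive.unlock(self._load()[drive.drive_id])


def demo() -> dict:
    """Walk the drive lifecycle; True means the access succeeded, False that it was refused."""
    kmip = {}  # constructed stand-in for the KMIP server holding the MK
    km = KeyManager(kmip)
    sed = km.add_drive("bay1")
    km.unlock(sed)
    sed.write(b"cluster data block")  # constructed sample payload
    sed.lock()

    def attempt(fn) -> bool:
        try:
            fn()
            return True
        except (ValueError, PermissionError, KeyError):
            return False

    results = {"locked_drive_readable": attempt(sed.read)}
    results["random_ak_unlocks"] = attempt(lambda: sed.unlock(secrets.token_bytes(KEY_BYTES)))
    km.unlock(sed)
    results["data"] = sed.read()
    results["kmdb_without_mk"] = attempt(lambda: unwrap(secrets.token_bytes(KEY_BYTES), km._kmdb))
    km.remove_drive("bay1")
    sed.lock()
    results["unlock_after_removal"] = attempt(lambda: km.unlock(sed))
    return results


if __name__ == "__main__":
    print(demo())
```

The integrity tag on every wrapped blob is what makes the failure modes visible: without it, unwrapping with the wrong AK or MK would silently return garbage rather than an error, and a model of "the data is useless without all three keys" could not be checked.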