DELL EMC POWERSCALE ONEFS DATA-AT-REST ENCRYPTION - ABSTRACT
Technical White Paper
Dell EMC PowerScale OneFS Data-at-Rest
Encryption
Abstract
Dell EMC PowerScale OneFS provides support for Data-at-Rest Encryption
through self-encrypting drives and a key management system.
June 2021
H17923.4
Revisions
Date Description
August 2019 Initial release
October 2019 Minor updates
March 2020 Updated ‘Note’ in ‘Data-at-rest encryption’ section.
May 2020 Updated template and ‘Isilon’ to ‘PowerScale’ branding.
August 2020 Updates to FIPS certificate section and other minor updates.
February 2021 Minor updates
May 2021 Updated for OneFS version 9.2
June 2021 Minor formatting update
Acknowledgements
This paper was produced by the following:
Author: Aqib Kazi
The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this
publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Use, copying, and distribution of any software described in this publication requires an applicable software license.
This document may contain certain words that are not consistent with Dell's current language guidelines. Dell plans to update the document over
subsequent future releases to revise these words accordingly.
This document may contain language from third party content that is not under Dell's control and is not consistent with Dell's current guidelines for Dell's
own content. When such third party content is updated by the relevant third parties, this document will be revised accordingly.
Copyright © 2021 Dell Inc. or its subsidiaries. All Rights Reserved. Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell
Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. [6/4/2021] [Technical White Paper] [H17923.4]
2 Dell EMC PowerScale OneFS Data-at-Rest Encryption | H17923.4
Table of contents
Revisions ... 2
Acknowledgements ... 2
Table of contents ... 3
Executive summary ... 4
1 Data-at-rest encryption ... 5
2 Self-encrypting drives ... 6
3 PowerScale OneFS encryption ... 7
4 External key manager ... 8
4.1 Requirements ... 8
4.1.1 KMIP and PowerScale tested compatibility ... 8
4.2 Configuration ... 9
5 SEDs cryptographic erasure ... 12
5.1 Confirming a SED is in the ‘Replace’ state ... 12
5.1.1 After a node SmartFail ... 12
5.1.2 Check by drive ... 13
5.2 Cryptographic erasure after the SmartFail ‘Erase’ state ... 13
5.3 PowerScale cluster cryptographic erasure ... 14
5.4 PowerScale node cryptographic erasure ... 14
6 Common SED concerns ... 15
6.1 Data recovery from a defective or inaccessible SED drive ... 15
6.2 SED performance ... 15
6.3 SED formatting ... 15
7 FIPS 140-2 Certification ... 16
7.1 PowerScale SED certificates ... 16
A Technical support and resources ... 17
A.1 Related resources ... 17
Executive summary
Data-at-rest encryption (DARE) is a requirement for federal and industry regulations ensuring data is
encrypted when it is stored. PowerScale OneFS provides DARE through self-encrypting drives and a key
management system. The data on SEDs is encrypted, and the data may not be accessed if the SED is stolen
or removed from the cluster.
1 Data-at-rest encryption
Data-at-rest is inactive data that is physically stored on persistent storage. Encrypting data at rest with
cryptography ensures that the data is protected from theft in the event drives or nodes are removed from a
PowerScale cluster. Compared to data-in-motion, where data must be reassembled as it traverses network
hops, data-at-rest is of particular interest to malicious parties because the data is a complete structure: the
files have names and require less effort to understand than the smaller packetized components of a file in transit.
However, extracting data from a drive in a PowerScale cluster is not a straightforward process even without
encryption, as OneFS stripes data across nodes. Each data stripe is composed of data bits. Reassembling a
data stripe requires all of the data bits and the parity bit.
PowerScale implements Data-at-Rest Encryption (DARE) through the use of self-encrypting drives (SEDs)
and AES-256-bit encryption keys. The algorithm and key strength meet the National Institute of Standards
and Technology (NIST) standard and FIPS compliance. The OneFS management and system requirements
of a DARE cluster are no different than standard clusters.
Note: It is recommended that a PowerScale DARE cluster be composed of only SED nodes. However, a
cluster composed of SED nodes and non-SED nodes is supported during a transition to an all SED cluster.
Once a cluster contains a SED node, only SED nodes may be added to the cluster.
2 Self-encrypting drives
Self-encrypting drives (SEDs) are a type of hard drive that provides full disk encryption through onboard drive
hardware. No hardware external to the drive is required to encrypt the data on the drive. As data is
written to the drive, it is automatically encrypted, and data read from the drive is decrypted. The encryption
and decryption processes are controlled by a chipset within the drive. The onboard chipset makes the
encryption transparent, as system performance is not impacted, provides enhanced security, and
eliminates dependencies on system software.
When access is controlled by the drive’s onboard chipset, this provides security in the event of theft or a
software vulnerability, as the data remains accessible only through the drive’s chipset. At initial setup, a SED
creates a unique, random key for encrypting data during writes and decrypting data during reads. This key
is referred to as the Data Encryption Key (DEK), and it ensures data on the drive is always encrypted. Each time
data is written to or read from the drive, the DEK is required to encrypt or decrypt it, as illustrated in
Figure 1. If the DEK is not available, data on the SED is not accessible, making all data on the drive useless.
Figure 1 SED Data Encryption Key
3 PowerScale OneFS encryption
PowerScale OneFS provides data-at-rest encryption using SEDs, ensuring data is encrypted during writes
and decrypted during reads. Data stored on the SEDs is encrypted and decrypted with a 256-bit AES data
encryption key, referred to as the Data Encryption Key (DEK). OneFS takes the standard SED encryption
further: the DEK for each SED is wrapped in an Authentication Key (AK). To further prevent unauthorized
access, the AK for each drive is placed in a Key Manager (KM) and stored securely in an encrypted database,
the Key Manager Database (KMDB). The KMDB is encrypted with a 256-bit Master Key (MK), as illustrated in
Figure 2.
PowerScale OneFS release 9.2 supports an external key manager by utilizing a Key Management
Interoperability Protocol (KMIP) compliant key manager server. The MK is stored in a KMIP compliant server.
PowerScale OneFS releases prior to OneFS 9.2 retain the MK internally on the node.
Figure 2 PowerScale Master Key
The AK is unique to each SED and ensures OneFS never knows the DEK. In the event of drive theft from a
PowerScale node, the data on the SED is entirely useless, as the MK, AK, and consequently, the DEK, are
required to unlock the drive. If a SED is removed from a node, OneFS automatically deletes the AK.
Conversely, when a new SED is added to a node, OneFS automatically assigns a new AK.
For Gen 5 Isilon nodes, the KMDB is stored on both compact flash drives in each node. For Gen 6 Isilon
nodes, the KMDB is stored in the node’s NVRAM, and a copy is placed in the buddy node’s NVRAM. For
PowerEdge-based nodes, the KMDB is stored in the Trusted Platform Module (TPM). Utilizing the KM and
AKs ensures the DEKs never leave the SED boundary, as required for FIPS compliance.
Note: The Key Manager uses FIPS-validated cryptography when the STIG hardening profile is applied to the
cluster. For information on enabling the STIG hardening profile, refer to the Dell EMC PowerScale OneFS
STIG Security Profile white paper.
The KM and KMDB are entirely secure and cannot be compromised, as they are not accessible by any CLI
command or script. The KMDB stores only the local drives’ AKs in Gen 5 nodes, and the local and buddy node
drives’ AKs in Gen 6 nodes. On PowerEdge-based nodes, the KMDB stores only the AKs of local drives. The KM
also uses its own encryption so that the AKs are not stored in plain text.
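To make the hierarchy in this section concrete, the following Go program is an added example, not OneFS code and not a description of how the drive firmware or the Key Manager is implemented. It models the DEK, AK, MK and KMDB as three layers of key wrapping: the drive holds its DEK wrapped under the AK, the KMDB holds each AK wrapped under the MK, and unlocking a drive at boot means walking that chain from the MK down. AES-256-GCM as the wrapping construction, the type and function names, and the serial numbers are assumptions made for this illustration; the paper does not specify them. Deleting a drive's AK from the KMDB, or separating a drive and its KMDB entry from the MK, leaves the DEK unrecoverable, which is the property the section describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey returns 256 bits of randomness, the size of the DEK, AK and MK in the paper.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // a failed CSPRNG is not recoverable for key generation
	}
	return k
}

// gcmFor builds an AES-256-GCM instance for a key-encryption key. The paper does not
// say which wrapping construction OneFS or the drive firmware uses; AES-GCM is an
// assumption made for this illustration.
func gcmFor(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrap encrypts key material under kek, prepending the random nonce.
func wrap(kek, key []byte) ([]byte, error) {
	gcm, err := gcmFor(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, key, nil), nil
}

// unwrap reverses wrap; a wrong kek fails authentication instead of yielding garbage.
func unwrap(kek, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(kek)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// SED models the drive side: the DEK is generated by the drive and only ever held
// wrapped under the drive's AK, so it never leaves the SED boundary.
type SED struct {
	Serial     string
	wrappedDEK []byte
}

// Cluster models the OneFS side: the KMDB holds one AK per drive, each encrypted
// under the cluster's Master Key (the key OneFS 9.2 can move to a KMIP server).
type Cluster struct {
	mk   []byte
	kmdb map[string][]byte // drive serial -> AK wrapped under the MK
}

func NewCluster() *Cluster { return &Cluster{mk: newKey(), kmdb: map[string][]byte{}} }

// AddSED mirrors "when a new SED is added to a node, OneFS automatically assigns a new AK".
func (c *Cluster) AddSED(serial string) (*SED, error) {
	ak := newKey()
	wrappedDEK, err := wrap(ak, newKey()) // the DEK is born inside the drive
	if err != nil {
		return nil, err
	}
	wrappedAK, err := wrap(c.mk, ak)
	if err != nil {
		return nil, err
	}
	c.kmdb[serial] = wrappedAK
	return &SED{Serial: serial, wrappedDEK: wrappedDEK}, nil
}

// Unlock walks the hierarchy at boot: the MK opens the KMDB entry to recover the AK,
// and the AK opens the DEK inside the drive. Without either key the DEK is unreachable.
func (c *Cluster) Unlock(d *SED) ([]byte, error) {
	wrappedAK, ok := c.kmdb[d.Serial]
	if !ok {
		return nil, errors.New("no AK in KMDB for drive " + d.Serial)
	}
	ak, err := unwrap(c.mk, wrappedAK)
	if err != nil {
		return nil, fmt.Errorf("MK cannot open KMDB entry for %s: %w", d.Serial, err)
	}
	return unwrap(ak, d.wrappedDEK)
}

// RemoveSED mirrors "if a SED is removed from a node, OneFS automatically deletes the AK".
func (c *Cluster) RemoveSED(serial string) { delete(c.kmdb, serial) }

// KMDBEntry and ImportEntry only serve to show that a drive and its encrypted KMDB
// entry are useless once they are separated from the MK.
func (c *Cluster) KMDBEntry(serial string) []byte        { return c.kmdb[serial] }
func (c *Cluster) ImportEntry(serial string, blob []byte) { c.kmdb[serial] = blob }
```

The point of the three layers is that each lives in a different place: the DEK in the drive, the AK in the node's KMDB, and the MK on the node or, from OneFS 9.2, on the KMIP server. A drive that turns up with a copy of its KMDB entry but no MK is the case ImportEntry simulates: the MK-level unwrap fails authentication, so the AK and therefore the DEK are never recovered.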
4 External key manager
PowerScale OneFS release 9.2 provides support for an external key manager by storing the 256-bit Master
Key (MK) in a Key Management Interoperability Protocol (KMIP) compliant key manager server. This section
provides the configuration steps for brownfield and greenfield clusters with SEDs. Although the configuration
in this section explains how to migrate keys to an external key manager, OneFS also supports a reverse
migration.
4.1 Requirements
In order to store the MK on a KMIP server, PowerScale requires the following:
• OneFS release 9.2 (or greater) cluster with SEDs
• KMIP compliant server:
- KMIP version 1.2 or greater
- KMIP Storage Array with SEDs Profile Version 1.0 or greater
- KMIP server host/port information
- X.509 PKI for TLS mutual authentication
> Certificate authority bundle
> Client certificate and private key
• NANON (Not All Nodes On Network) and NANOAN (Not all Nodes On All Networks) clusters are not
supported
• Network connectivity from each node in the cluster to the KMIP server. For SED drives to be
unlocked, each node in the cluster contacts the KMIP server at bootup to obtain the MK from the
KMIP server. Otherwise, the node bootup fails.
• Administrator privilege: ISI_PRIV_KEY_MANAGER
4.1.1 KMIP and PowerScale tested compatibility
PowerScale OneFS has tested and confirmed compatibility with the following KMIPs:
• Thales KeySecure
• Thales e-Security keyAuthority
• IBM Secure Key Lifecycle Manager (SKLM)
• Dell EMC CloudLink Center
Note: PowerScale OneFS uses the Dell Key Trust Platform as the client for establishing connectivity to the
KMIP server. Other KMIP platforms that are compatible with the Dell Key Trust Platform should also be
compatible with OneFS. Additionally, PowerScale OneFS should be compatible with KMIP platforms that
meet the requirements in Section 4.1, Requirements.
4.2 Configuration
Once the requirements above are met, to configure the external key manager, perform the following:
1. Copy the KMIP Server and Client Certificates to the cluster. Make a note of the file names and
location.
2. From the OneFS web interface, select Access > Key Management as illustrated in Figure 3.
Alternatively, from the OneFS CLI, utilize: isi keymanager kmip servers create
Figure 3 Key Management
3. From the Key Management page, click the Key Server tab. Check the “Enable Key Management”
box. Enter the KMIP “Server Host” and “Server Port” information. Specify the filename and location of
the “Server Certificate” and “Client Certificate” locations. If the KMIP server has a client certificate
password, specify this in the “Client Certificate Password” field and click Submit, as illustrated in
Figure 4. Alternatively, from the CLI, utilize the --host, --id, --ca-cert-path, --client-cert-path, and
--set-client-cert-password options.
Figure 4 Key Management Server Information
4. OneFS contacts the KMIP server and confirms the connection or displays any errors, as illustrated in Figure 5.
Figure 5 Key Management confirmation
5. Once the KMIP server is added, the keys can now be migrated. Click the Keys tab to display all
current Master Keys on the cluster. Click on Migrate all to migrate the keys to the KMIP server. From
the “Migrate all” pop-up, click Migrate to start the migration, as illustrated in Figure 6. Alternatively,
from the CLI, utilize the isi keymanager sed migrate server command.
Figure 6 Master Key migration
6. The key migration process may take several minutes or more to complete depending on the cluster
and network utilization. During this time, a “Migration in process” message is displayed, as illustrated
in Figure 7. Alternatively, from the CLI, utilize the isi keymanager sed status command.
Figure 7 Migration in process
7. Once the process is complete, a “Migration Successful” message is displayed, and the “Status” for
each “Key ID” is “Migrated,” as illustrated in Figure 8. Alternatively, from the CLI, utilize the isi
keymanager sed status command.
Figure 8 Migration Successful
5 SEDs cryptographic erasure
During the decommissioning of a PowerScale node or during a drive replacement, a common concern with
SEDs is confirming they are cryptographically erased. Cryptographically erasing a SED is completed by
running SmartFail on a PowerScale node or drive.
During the SmartFail process, OneFS issues a command to reset the DEK and delete the AK,
cryptographically erasing the drive.
If a SED is SmartFailed and in the ‘Replace’ state, it has been cryptographically erased. Conversely, if a
drive failure occurs and the drive is in the ‘Erase’ state, the data was not cryptographically erased. However, even in
the ‘Erase’ state, the data is completely inaccessible.
During the SmartFail process, to ensure data on a SED is unreadable, OneFS completes at least one of the
following:
• In a successful SmartFail condition, OneFS cryptographically erases data by changing the DEK and
blocks read/write access to existing data by deleting the AK in OneFS.
• In a partially successful SmartFail condition, the drive is failing to respond to SCSI commands. In this
case, OneFS cannot cryptographically erase the data. However, read/write access to existing data is
blocked by deleting the AK in OneFS.
The explanation of each SmartFail state is summarized in Table 1.
Table 1 SED SmartFail States
SmartFail State | DEK Erased and Reset | AK Erased and Reset | Cryptographic Erasure | Data Inaccessible
Replace         | ✓                    | ✓                   | ✓                     | ✓
Erase           |                      | ✓                   |                       | ✓
5.1 Confirming a SED is in the ‘Replace’ state
As explained above, OneFS attempts to place each SED into the ‘Replace’ state. This section explains how to
confirm the SED is in the ‘Replace’ state.
5.1.1 After a node SmartFail
When a node completes the SmartFail process, it reboots to the configuration wizard. At this point, break out
of the wizard and check the /var/log/isi_sed log.
The log contains a ‘release_ownership’ message for each drive as it goes through the SmartFail process,
confirming it is in a ‘REPLACE’ state, as displayed in the following snippet:
2019-01-15T22:45:56Z H400-SED-4 isi_sed[63658]: Command: release_ownership, drive bays: 1
2019-01-15T22:46:39Z H400-SED-4 isi_sed[63658]: Bay 1: Dev da1, HITACHI H5SMM328 CLAR800, SN 71V0G6SX, WWN 5000cca09c00d57f: release_ownership: Success
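The following Go program is an added example, not an OneFS tool, that parses /var/log/isi_sed lines in the format shown above and reports which bays that SmartFail asked to release ownership never logged release_ownership: Success. The first two sample lines are the ones quoted above, joined back onto single lines; the remaining lines, the comma-separated bay list for several bays, the serial numbers, the WWNs and the Failed outcome are constructed for the illustration and are not from the paper.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// SampleLog is a constructed excerpt of /var/log/isi_sed. Entries 1 and 2 are the
// lines quoted in the paper; entries 3 to 5 are invented to show a second request,
// one more success and one bay whose release did not succeed.
var SampleLog = []string{
	"2019-01-15T22:45:56Z H400-SED-4 isi_sed[63658]: Command: release_ownership, drive bays: 1",
	"2019-01-15T22:46:39Z H400-SED-4 isi_sed[63658]: Bay 1: Dev da1, HITACHI H5SMM328 CLAR800, SN 71V0G6SX, WWN 5000cca09c00d57f: release_ownership: Success",
	"2019-01-15T22:47:01Z H400-SED-4 isi_sed[63658]: Command: release_ownership, drive bays: 2, 3",
	"2019-01-15T22:47:44Z H400-SED-4 isi_sed[63658]: Bay 2: Dev da2, HITACHI H5SMM328 CLAR800, SN EXAMPLE02, WWN 5000cca000000002: release_ownership: Success",
	"2019-01-15T22:48:20Z H400-SED-4 isi_sed[63658]: Bay 3: Dev da3, HITACHI H5SMM328 CLAR800, SN EXAMPLE03, WWN 5000cca000000003: release_ownership: Failed",
}

var (
	// A request line names the bays SmartFail is releasing. A comma-separated list
	// for several bays is an assumed format; the paper shows a single bay.
	requestRe = regexp.MustCompile(`isi_sed\[\d+\]: Command: release_ownership, drive bays: ([0-9, ]+)$`)
	// A result line carries the bay number and the outcome word after the last colon.
	resultRe = regexp.MustCompile(`isi_sed\[\d+\]: Bay (\d+): .*: release_ownership: (\w+)$`)
)

// ReleaseReport records which bays were asked to release ownership and what each logged.
type ReleaseReport struct {
	Requested map[int]bool
	Outcome   map[int]string // bay number -> "Success", "Failed", ...
}

// ParseReleaseLog scans isi_sed log lines; lines of any other kind are ignored.
func ParseReleaseLog(lines []string) ReleaseReport {
	r := ReleaseReport{Requested: map[int]bool{}, Outcome: map[int]string{}}
	for _, line := range lines {
		if m := requestRe.FindStringSubmatch(line); m != nil {
			for _, field := range strings.Split(m[1], ",") {
				if bay, err := strconv.Atoi(strings.TrimSpace(field)); err == nil {
					r.Requested[bay] = true
				}
			}
		} else if m := resultRe.FindStringSubmatch(line); m != nil {
			bay, _ := strconv.Atoi(m[1]) // \d+ guarantees a valid integer
			r.Outcome[bay] = m[2]
		}
	}
	return r
}

// Unconfirmed returns, in ascending order, the requested bays that never logged
// "release_ownership: Success": drives that must not be assumed to be in the
// ‘Replace’ state.
func (r ReleaseReport) Unconfirmed() []int {
	var bays []int
	for bay := range r.Requested {
		if r.Outcome[bay] != "Success" {
			bays = append(bays, bay)
		}
	}
	sort.Ints(bays)
	return bays
}

func main() {
	report := ParseReleaseLog(SampleLog)
	for bay, outcome := range report.Outcome {
		fmt.Printf("bay %d: %s\n", bay, outcome)
	}
	if missing := report.Unconfirmed(); len(missing) > 0 {
		fmt.Println("bays not confirmed released:", missing) // prints [3] for SampleLog
	}
}
```

Any bay reported as unconfirmed is a drive that may be in the ‘Erase’ rather than the ‘Replace’ state and should be checked individually with isi_sed as described in Section 5.1.2 before the node is released.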
5.1.2 Check by drive
Alternatively, to check an individual drive for its current status, utilize the ‘isi_sed’ command.
Note: Practice extreme caution when utilizing the ‘isi_sed’ command. If it is used with the incorrect syntax, it
can destroy data and impact cluster operation. Do not use any of the command's other options without explicit
instructions from Dell EMC PowerScale Technical Support. Prior to executing any of the commands in this
section, double-check the command syntax for errors.
To query a SED for its status, perform the following:
1. View the device names of the drives in the cluster by executing the following command:
isi_drivenum
Drive device names are displayed in the format /dev/da#, where # is a number. Make a note of the
da# for the next step.
2. Using the da# from the previous step, query the state of the SED drive by executing the following
command:
# /usr/bin/isi_hwtools/isi_sed drive
Note: This command may take 30 seconds or longer to complete.
3. Check the Drive State and Drive Status columns:
a. If both columns display UNOWNED and the line below the table states Fresh unowned drive,
the drive has been reset to the factory-fresh state and the AK has been deleted from the IKM.
b. If both columns display AUTH FAILED, the AK has been deleted from the IKM, but the
drive was not reset to the factory-fresh state. The data on the drive is no longer accessible without the
AK, but to cryptographically erase the drive, proceed with Section 5.2, Cryptographic erasure
after the SmartFail ‘Erase’ state.
5.2 Cryptographic erasure after the SmartFail ‘Erase’ state
After attempting the SmartFail process, if a drive is in the ‘Erase’ state and cryptographic erasure is required,
the only remaining course of action is to manually revert the SED drive to the ‘Unowned’ state, which is the
factory-fresh state. The SED’s Physical Security ID (PSID) is required for reverting a SED to the ‘Unowned’
state. For enhanced security, the PSID is only accessible by removing the drive and examining the drive
label.
The PSID is the Physical Security ID of the drive (Physical SID). It is a 32-character password assigned by
the drive manufacturer during production. The password cannot be changed by any host system. The PSID is
found on the drive label in a readable format and depending on the drive manufacturer may additionally be
available in a bar code format.
If the revert command is issued to a SED and its matching PSID is entered at the prompt, the SED will
prepare for reinitialization by deleting its DEK and the drive access password. As a result, the SED's
ownership state resets to ‘unowned’. Once complete, the drive is in a factory-fresh state, and any previous
data is permanently cryptographically erased.
Note: The PSID can only be used for reverting the drive; it does not grant access to any encrypted data
present on the drive.
5.3 PowerScale cluster cryptographic erasure
If an entire PowerScale cluster requires cryptographic erasure, either reimage or reformat the cluster. Once
complete, all of the SEDs are cryptographically erased.
Note: The format process on SEDs requires significantly more time than on non-encrypted drives, because
encryption seed data is written to all sectors on the drive. If the format process is interrupted, by a power
loss or drive removal, the node automatically destroys the AK.
5.4 PowerScale node cryptographic erasure
If an entire PowerScale node requires cryptographic erasure rather than individual SEDs, this is completed by
executing a SmartFail on the node. In this process, all of the drives are released from the node, ensuring they
are cryptographically erased.
6 Common SED concerns
This section covers common questions and concerns about SEDs.
6.1 Data recovery from a defective or inaccessible SED drive
If data from a SED cannot be read due to a malfunction, accidental release, or mishandling, the data on the
drive is permanently lost. The data on the drive remains encrypted, as the DEK is not accessible by any
means. Recovery techniques that work on traditional drives are useless on SEDs, due to the encryption.
6.2 SED performance
SEDs do not have a performance penalty when compared to non-SED drives. The onboard hardware encryption
ensures the encryption does not impact performance.
6.3 SED formatting
SEDs take significantly more time to format when compared to a non-SED drive. The additional time required
to format a SED is because each drive is fully overwritten with random data as part of the encryption
initialization process.
To confirm whether the format process is still running, check its progress indicator: depending on the OneFS
version, progress is displayed either as dots or as a percentage. OneFS displays a completion message once the format is complete.
Note: If a SED format process is interrupted for any reason, all the SEDs in a node are unusable. The only
recourse at this point is to manually revert each drive using the PSID, as explained in Section 5.2,
Cryptographic erasure after the SmartFail ‘Erase’ state.
7 FIPS 140-2 Certification
The Federal Information Processing Standard (FIPS) Publication 140-2 is a National Institute of Standards
and Technology (NIST) and Canadian Communications Security Establishment (CSE) standard for approving
cryptographic modules. A FIPS 140-2 certification is granted after the module is tested and validated by the
United States and Canadian government agencies.
A FIPS certification is not only required by federal agencies and departments, but now has a global presence
as a best practice of security certification. For organizations that store sensitive data, a FIPS certification may
be required based on government regulations or industry standards. As companies opt for drives with a FIPS
certification, they are ensured the drives meet stringent regulatory requirements. A FIPS 140-2 certification is
provided through the Cryptographic Module Validation Program (CMVP). The CMVP ensures products
conform to the FIPS 140-2 security requirement.
For more information on FIPS, refer to the FIPS PUB 140-2 Security Requirements For Cryptographic
Modules. For more information on CMVP, refer to the NIST CMVP webpage.
7.1 PowerScale SED certificates
The SEDs in a PowerScale node are validated to ensure they have been tested by the CMVP and conform to
the FIPS 140-2 requirements. A FIPS 140-2 certificate for the SED specifies the drive name and type, as
displayed in Figure 9.
Figure 9 FIPS 140-2 certificate example
The FIPS certificate for each SED is available for download directly from the NIST CMVP website. For a link
to the appropriate NIST page based on a node’s specific SEDs, send an e-mail containing the node serial
numbers to powerscale.fips.confirmation@dell.com.
To access a PowerScale node’s serial numbers, from the OneFS CLI, use the isi_for_array -s isi_hw_status -i
command. The serial numbers are listed by each node in the “SerNo” field.
The e-mail response includes a link directly to the NIST CMVP certificate page of the SED module. Under the
“Related Files” section, click the “Consolidated Certificate” link to download the FIPS 140-2 certificate.
Note: An e-mail response may take up to 5 business days, depending on the current queue. If a FIPS
certificate is required by a specific date, submit the request e-mail as soon as possible.
A Technical support and resources
Dell.com/support is focused on meeting customer needs with proven services and support.
A.1 Related resources
Dell EMC PowerScale OneFS: A Technical Overview
FIPS PUB 140-2 Security Requirements For Cryptographic Modules
NIST CMVP webpage
PowerScale Software Release and Patching Strategy
Dell EMC PowerScale OneFS STIG Security Profile
OneFS 9.2.0.0 Documentation - PowerScale Info Hub
OneFS 9.2.0.0 Web Administration Guide
OneFS 9.2.0.0 CLI Administration Guide
OneFS 9.2.0.0 API Reference
OneFS 9.2.0.0 Security Configuration Guide