In part 1 of the Datrium Architecture series I discussed how a split architecture opens up a huge amount of flexibility into modern datacenter designs. In part 2 of this blog series, I will be talking about an industry first feature that everyone concerned with security in their datacenter will want to take notice.
Datrium Blanket Encryption
Sure, there are products in the market that provide encryption for data at rest in a storage platform, but there are no converged products as of today that provide government grade (FIPS 140-2) data encryption end-to-end. Organizations must look for a solution that is FIPS 140-2 validated, not FIPS 140-2 certified. Validation is when NIST evaluated the encryption scheme. However, certified is technically meaningless and is mostly marketing, it may be done in the spirit of NIST's requirements, but it hasn't been validated.
It's only with the Datrium DVX software platform, that all I/O from an application/workload perspective is encrypted upon creation using AES-XTS-256 crypto algorithm and is a validated solution for FIPS 140-2 compliance. Using the underutilized AES-NI chipset built into modern day microprocessors, Datrium will encrypt data in-use and on access in RAM & Flash and in-flight when the second "write" is synchronously sent to the data node for block durability. This means you will have your data encrypted while in-use, in-flight and at rest, so that there is no risk for compromise at any level in the I/O stack.
There is also no need to have SED's (Self-Encrypting Drives), this implementation is software based and is included at no added cost to the customer. The amount of savings this brings to customers is huge, since SED's are exorbitant upon procurement and on top of that you can't mix differing disk types in most systems today. It then becomes an all or nothing implementation when only using a data-at-rest encryption method based only on the drives.
Blanket Encryption Use Cases:
There are many use cases for Datrium's blanket encryption. The obvious ones are….
1) Drive or part replacement.
2) Prevent network sniffing of I/O traffic.
3) Rogue processes that tap into host memory.
4) System theft.
5) HIPPA & SLA compliance.
Today, Datrium uses an internal key management system for easy setup and management. With this, we support password rotation, startup locked and unlocked modes and in full disclosure, you can also be assured that encryption keys are not stored in swap or in the core dump of the Datrium system.
Another cool feature is the shipping mode option, where the key is not stored persistently anywhere in the platform. So, during transport of the DVX platform there is no risk of a data breach during transit. When the system is powered up in this locked mode, the administrator must provide the encryption password before the system will serve any data again.
Enabling encryption is extremely easy to do on any Datrium DVX system. Just issue the command: "datastore encryption set --fips-mode validated" this will enable the FIPS 140-2 validated mode for your data. In order to verify just issue the show command: "Datastore encryption show"
You can also verify in the DVX dashboard under durable capacity, where the green shield is. This will show that encryption is enabled with FIPS 140-2 compliance.
Now some may ask but wait doesn't this mean if I enable encryption on Datrium that data reduction like dedupe and compression go away. Remember Datrium implemented an always-on system when it comes to data reduction. In so doing, Datrium became the first in a converged platform offering FIPS 140-2 validation without sacrificing data reduction using compression, dedupe or erasure coding.
I'm blown away that Datrium has not only done the right thing when it comes to offering FIPS 14-2 validation out of the gate but also without a sacrificing performance nor any data reduction technology that customers love us for.
Additional reading: Datrium Blanket Encryption Whitepaper
My next post in this series will about Datrium's Global Data efficiency.