Encryption of Data at Rest

You can enable encryption at the group level or at the volume level as required for each group of arrays in your environment. Before you can create encrypted volumes, you must perform an initialization step that creates the master key. The master key protects the keys that are used to encrypt volume data. The master key is protected by a passphrase that is specified when creating the master key. At times, it will be necessary to enter the passphrase to enable access to encrypted volumes.

The encryption state of a volume is established when the volume is created, and cannot be changed afterward. Cloned volumes inherit the encryption state of their parent. The group configuration contains an encryption default setting, where you can either enable or disable AES-256-XTS encryption. (The AES-256-XTS encryption algorithm is specifically designed for use in encrypting block storage.) The group configuration also contains an encryption scope setting, which specifies where and how to apply the encryption default setting. You can force the encryption default setting to be applied to all new volumes in the group, or allow overriding the encryption default setting on a per-volume basis.

The group configuration contains an encryption mode setting that defines behavior on system restarts. The value can be set to "secure" or "available." In secure mode, the encryption passphrase must be entered every time the group leader array is restarted to unlock the master key. In most cases, available mode stores enough information in non-volatile memory to recover the master key without entering the passphrase. The information is not stored on disk. Available mode is provided for convenience in situations where the physical security of the array is unlikely to be compromised.

IMPORTANT: Even though available mode significantly reduces the number of times you must enter a passphrase when a group leader array restarts, it does not guarantee that you will never have to enter a passphrase after a restart. There are certain scenarios where you would still have to specify a passphrase while in available mode to access encrypted data, including:
  • Controller upgrade: If array controllers are being upgraded to a newer model, you must enter a passphrase. While data is recovered from the non-volatile memory, access to encrypted volumes is not.
  • NVRAM loss: In the rare case where non-volatile memory (NVRAM) is lost, you must enter a passphrase to access encrypted volumes. Older arrays (CS2xx and CS4xx series) that remain powered off for a long time could lose NVRAM as a result of battery discharge.
Caution:
  • If you lose the passphrase for the master key or access to the external key manager, data in encrypted volumes cannot be retrieved. Store the passphrase in a secure, accessible place.
  • If your encryption requirement changes after creating a volume, you cannot change its encryption status. You can create a new volume with the encryption status that you need, and migrate the data to the new volume.
  • Performance might be slow when accessing encrypted volumes from the CS210 or CS215; however, the performance impact due to encryption will be less severe on the CS235 arrays.
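
The following Python sketch is an added example, not vendor code. It models the encryption default, scope, and clone-inheritance rules described above, and lists existing volumes that can only be brought in line with a forced group default by migrating their data. The class, field, and volume names are hypothetical, and it assumes clone inheritance applies regardless of the scope setting.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of the group settings; these names are assumptions,
# not the array's own CLI or API identifiers.
@dataclass(frozen=True)
class GroupPolicy:
    default_encrypted: bool  # encryption default setting (AES-256-XTS on/off)
    forced: bool             # scope: True = default applies to all new volumes

@dataclass(frozen=True)
class Volume:
    name: str
    encrypted: bool               # fixed at creation, cannot change afterward
    parent: Optional[str] = None  # set only for clones

def state_for_new_volume(policy: GroupPolicy,
                         requested: Optional[bool] = None,
                         parent: Optional[Volume] = None) -> bool:
    """Encryption state a newly created volume or clone would receive."""
    if parent is not None:
        # Assumption: a clone inherits its parent's state under either scope.
        return parent.encrypted
    if policy.forced or requested is None:
        return policy.default_encrypted
    return requested  # per-volume override is allowed by the scope setting

def volumes_needing_migration(policy: GroupPolicy,
                              volumes: List[Volume]) -> List[str]:
    """Existing volumes whose fixed state differs from a forced group default.

    Forcing the default only affects new volumes, and a clone would copy the
    parent's state, so the only fix is a new volume plus data migration.
    """
    if not policy.forced:
        return []
    return [v.name for v in volumes if v.encrypted != policy.default_encrypted]

# Constructed sample inventory (not real volume names).
INVENTORY = [
    Volume("db01", encrypted=True),
    Volume("legacy-share", encrypted=False),
    Volume("legacy-share-clone", encrypted=False, parent="legacy-share"),
]

if __name__ == "__main__":
    forced_on = GroupPolicy(default_encrypted=True, forced=True)
    print(volumes_needing_migration(forced_on, INVENTORY))
```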