How does Element drive encryption work?
Applies to
- NetApp Element Software
- All NetApp SolidFire Storage Nodes
- All NetApp SolidFire SSDs
Answer
How encryption keys are created
- Each drive has a single ‘bulk encryption key’, and a drive password protects (encrypts) that key. We don't actually set the keys themselves, but we manage the drive passwords
- We create a Shamir share from the drive password and split it across the cluster. So it is a key per drive, with a shared password that is split across the cluster
Process for changing keys
The passwords are usually referred to as keys, but they are not encryption keys; they are passwords to unlock the drives. The password encrypts the “bulk key”, which is then used to encrypt every byte on the drive. Because passwords only encrypt the ‘bulk keys’, they can be set and changed quickly. The password is stored safely by us across the cluster, so it does not live with the drive or on a single node and never traverses the wire intact. That password can be reset by disabling our encryption feature and then turning it back on, which takes minutes
- The above procedure will change the drive password on every drive across the cluster
- If a customer needs to reset the actual encryption keys on the drive, the drives must be “secure erased”, which means throwing away the ‘bulk key’ and generating a new one. The process in our system to change the ‘bulk encryption key’ adds the steps of removing and re-adding the drive so that we migrate and protect the data (otherwise it would be lost)
Process for storing archived keys
The drive passwords are not archived; they are stored across the cluster, and at least 2+ nodes are needed in order to assemble the password and unlock the drives
Process for exchanging or transmitting keys
Currently, key management is handled locally and cannot be transmitted/exchanged externally
Process for revoking keys
The password for the bulk key can be reset by disabling our encryption feature and then turning it back on, which takes minutes. This will reset the bulk key password
For key rotation of an individual drive:
- "remove" the drive from the cluster via the UI/API so it is in the available state
- Use the secure erase API command on the drive
- This forces the drive to wipe the encrypted data, throw away the old key and generate a new one
- Then add the drive back into the cluster
- This could be automated with a script
What encryption algorithms are used?
Currently the majority of SolidFire’s cryptography is implemented through OpenSSL. Skein and Shamir Share are utilized. Shamir Share is an algorithm in cryptography created by Adi Shamir. It is a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret
What encryption strength is used?
AES-256 is the standardized encryption specification used by SolidFire
What bit length is used for Certificates (if applicable; should be 2048 bits or higher)
Currently, SolidFire does not utilize certificates that are generated externally and imported to the module with a 2048-bit key or higher
Screen shot showing the current configuration of the encryption settings
SolidFire utilizes Self Encrypting Drives. Cluster-wide data at rest encryption can be turned on/off without any performance impact to the cluster. See the SolidFire Element Software User and API guides
Cluster GUI > Settings > Encryption at Rest > Enable Encryption at Rest