Around the Storage Block
Nick_Dyer

Level up Nimble Storage enterprise security with KMIP-integrated SmartSecure Encryption at Rest

Screenshot 2020-10-22 at 11.14.01.jpg

 

Data security and protection is a hot topic. It feels like not a day goes by in which a new report of an organisation being compromised by data hacking, ransomware or man-in-the-middle attacks. And as IT operations move towards a truly intelligent data management consumption model across private and public clouds, looking after and protecting the data and it’s integrity through it’s lifecycle is critical.

HPE Nimble Storage has always been at the forefront of innovation for our customers. In 2015 it introduced it’s ‘SmartSecure’ Encryption at Rest technology as part of NimbleOS 2.3 for all customers under active support entitlement. SmartSecure allows customers to deploy FIPS-cerified encryption at rest for array datasets within the NimbleOS filesystem, without any requirement for expensive Self Encrypting Drives (SEDs) and without any associated performance overheads to the platform for residing volumes.

As Nimble encrypts your data on the fly during write ingestion (rather than post process after landing on the drives), it means that it’s friendly to our advanced data reduction techniques, but also means that any volumes that are replicated using Nimble’s periodic replication (aka SmartReplicate) persist with encryption across the wire for all data sent, should they be enabled.

Nimble's encryption implementation is extremely flexible, and allows users to build their own policies of how data should be protected:

  • Selectively designate encryption on/off on a per volume basis
  • Force apply encryptionto everything within the array
  • AND should anything physically happen to the array, the passphrases are required before volume access can be achieved from hosts.
  • Can be controlled and automated through APIs or even plugins such as our market leading VMware vVol implementation.

Screenshot 2020-10-20 at 15.16.11.jpg

 
Nimble achieved FIPS-140-2 certification shortly after SmartSecure was launched in 2015, and to date SmartSecure has been a widely adopted feature with over 50% of customers implementing encryption today for mission critical production workloads on their systems.

The next enterprise step – External Key Management functionality

NimbleOS 5.3.x is now available for customers under active support entitlement, and within that release Nimble now introduces deeper encryption functionality to integrate into your enterprise Key Management Server for enhanced protection, security and mutual trust.

Screenshot 2020-10-20 at 12.53.45.jpg

Users are now able to provide full lifecycle management of data encryption keys under an interoperable, unified security solution which standardises on the open KMIP (Key Management Interoperability Protocol) standard, and with that Nimble can integrate into pretty much any enterprise key management server that complies to the OASIS KMIP standards; for example the market leaders such as Vormetric, Thales, Micro Focus, RSA, Safenet and many others. Cloud-based key management platforms such as AWS KMS or Azure Key Vault are targeted to be supported in a future release.

As always, Nimble features are complimentary to customers that are under an active support entitlement, and is applicable to every Nimble array model and generation that supports encryption - this goes all the way back to our trusty generation 2 CS300/500/700 systems released back in 2013!

Let’s take a quick look as to how to set this up, which will require a couple of simple steps:

  1. Create mutual trust & authentication between Nimble array & Key Management Server using certificates
  2. Register external key management server to control Nimble’s encryption keys

Step 1: Creating mutual trust

The Nimble array needs to be mutually trusted with certificate authentication with the key management server. You can do this workflow within the Nimble GUI or CLI – as NimbleOS 5.2 now introduces the ability to integrate and authenticate SSL certificates really easily via both methods (take a look at my blog here which walks through how to do this with Windows Active Directory).

In the Nimble GUI, we’ll jump into the Administration->Security->SSL Certificates section, and generate a new custom certificate. For security purposes I’m going to blur out the specific names and IP addresses.

Screenshot 2020-10-20 at 11.35.03.jpg

This takes a second to complete, and once finished we can dive into the details of the custom certificate and grab the PEM text (make sure you grab the ---BEGIN---- and ---END---, INCLUDING the carriage return at the bottom!

Screenshot 2020-10-20 at 11.43.18.jpg

You can also do this work on the array CLI, by using the new “cert” selection:

Cert --list <- returns the certificates on the array

Cert --gen <- generates the new custom certificate as we did in the GUI

Cert --info custom <- shows the details of the custom certificate

That’s the first part of the work done on the array. Now head to your Enterprise Key Manager of choice – I’m using Utimaco in this example – and create a new user for the certificate authentication, using the PEM text for the certificate.

Screenshot 2020-10-20 at 11.49.33.jpg

Once complete we’ll see the acknowledgement of a new user/device registered for trust purporses:

Screenshot 2020-10-20 at 12.06.49.jpg

The final part in this process is to head back into the array GUI or CLI, and trust the cert by importing a trusted certificate from the KMS server. The port typically that it should listen on is 5696.

Screenshot 2020-10-20 at 12.08.11.jpg

And we can now complete this work by viewing the SSL certificates – notice we now have TRUSTED = YES for our Key Management Server:

To do this same step in the CLI, it’s very simple:

Cert --import <your name you wish to call it> --trusted --from_host <KMS IP address>

 

Step 2: Registering the External Key Management Service

Now that our Nimble array group & our key management server are mutually trusted, we can add our key management server as an external controller to Nimble’s encryption key management.

Heading over to the Encryption section, you’ll spot a new selection to allow for an external key manager. We’re going to go ahead and do that:

Screenshot 2020-10-20 at 12.19.30.jpg

And we’re going to insert the details of our Utimaco key management server, including the username and password that we set up on the KMS for this Nimble array group.

Note: Nimble supports KMIP 1.0, 1.1, 1.2 and 1.3 in this release.

Screenshot 2020-10-20 at 12.22.23.jpg

keymanager --add <name> --hostname <KMS IP address> --port 5696 --protocol KMIP1_1 --username <user you created> --password <password>

Once completed, we can see the external key manager is now CONNECTED + ACTIVE.

Screenshot 2020-10-20 at 12.34.38.jpg

And verifying this in our Key Management Server, we can now see the array group listed for KMIP objects:

Screenshot 2020-10-20 at 12.39.41.jpgNote: it’s possible to have multiple external key managers registered within the Nimble array group, but only one will be active at any one time. However if you do have more than one KMS registered and trusted, we’re able to migrate KMIP from one to another – which is useful if you’re moving from one KMS to another as a corporate standard.

This can be done by using the CLI:

Keymanager –-migrate <new-kms-name>

And we're done! So how does this work?

Once your new external key management server is showing as active, the KMS will control the master encryption key for the Nimble array group. Every time you now create a volume, the Nimble array communicate with your external KMS in order to access the master key in order to provision the volumes with the per-volume encryption key that we create & preserve.

Screenshot 2020-10-20 at 12.50.34.jpg

This functionality also works perfectly with SmartReplicate periodic replication.  As your data is encrypted at write ingestion within NimbleOS and data is then written & preserved encrypted within the system, any data snapshotted or replicated is then preserved in encrypted form across the wire without having to decrypt/re-encrypt on either side. This also means that data reduction such as compression is maintained across the wire.

That said, it’s entirely possible for you to replicate datasets across disparate Nimble groups trusted with both internal key management and external key management – building ultimate flexibility for your encrypted data across sites.

Screenshot 2020-10-21 at 12.44.25.jpg

Conclusion:

With NimbleOS 5.3 enterprises can now easily & securely extend their encryption capabilities into their enterprise key managers – with the added freedom to choose between a wide collection of FIPS compliant key management servers in order to meet security and compliance standards and regulations such as PCI-DSS or GDPR. 

I hope you found this blog useful, and are ready to level up your enterprise security using HPE Nimble SmartSecure technology. As always, I'd love to hear your thoughts, so please drop your questions or comments below for us to answer!

Nick Dyer
twitter: @nick_dyer_
About the Author

Nick_Dyer

Nick is a Storage Field CTO & Technologist - focusing on helping customers deliver business value with innovative technologies such as Nimble Storage & dHCI, HPE Cloud Volumes & much more.