HPE Storage Tech Insiders
cancel
Showing results for 
Search instead for 
Did you mean: 

Nimble OS 2.3 – Implementing SmartSecure Encryption at Rest

rfenton4

By Rich Fenton

Following Jeff Feierfell’s excellent blog of our SmartSecure Encryption of Data at Rest , I thought I would provide some ‘meat on the bone’ to what it actually looks like within the Nimble OS web GUI.


We should start by pointing out that SmartSecure requires no license key (Nimble has no licensed features) therefore once you upgrade to 2.3.x then your array (even older legacy Nimble platforms) will be able to enable the encryption feature.  In addition, SmartSecure requires no additional dedicated infrastructure!  Many storage vendors require a separate pool of storage (or even a dedicated array to turn on Encryption).   Within Nimble OS it’s a software feature that is applied on a per-volume basis (or if required the entire Nimble group can be encrypted).


In order to access SmartSecure encryption, you must firstly perform a non-disruptive upgrade to Nimble OS 2.3.x.  Once completed, you will see there is a new capability with the Administration > Security options to add Encryption.


Encryption1.jpg

Setting up SmartSecure Encryption on your Nimble Group

Configuring SmartSecure encryption is effortlessly simple, firstly you have to enable it by selecting the checkbox and by providing (and confirming) you Encryption Passphrase.  This is the key that is used to derive a unique encryption key for each volume.


Encryption2.jpg

Gotcha: It is essential that you keep this phrase safe as it will be potentially needed in the future, depending on how you configure encryption in some later steps.


Next, we have some additional configuration options on how we wish SmartSecure encryption to function within the Nimble Group:

System Startup Mode


This defines how the system behaves should it powered off and restarted for some reason. 

Available - the array operates as normal, in that on a system restart all volumes are accessible as they would be on normal array restart.

Secure - when the array powers on, any volume that is encrypted is not available until the passphrase is provided.   This is to ensure if the array is physically compromised (within the datacenter or whilst in transit) then protected data is protected to only a administrator who has the passphrase.    It is for this reason that having the passphrase is essential.


Encryption3.jpg

Default Setting - dictates whether SmartSecure encryption is enabled by default ever ytime on newly created volumes.

Scope - allows the user to choose to force that every volume in the array should be encrypted or allow it to be a selectable feature when volumes are created.

Encryption4.jpg

Gotcha: Existing volumes cannot be encrypted post-creation, to encrypt the data on an existing volume you will need to create a new encrypted volume and then migrate data to that volume.

Creating a Volume with SmartSecure Encryption

Creating a volume with encryption is effortless.  Simply create a volume as you would do with any new volume and you will now see an Enable Encryption checkbox, simply select it to encrypt the volume. 

Encryption5.jpg


Of course if you've been following the 2.3 blog series then you would be aware that the new vSphere Web Plugin supports encryption as well, that is also true for the thick client:

Encrypt-DS.jpgEncryptedDS1.jpg

Viewing a Volume that is encrypted


You will notice that from the volumes page there is not a way to view which volumes are encrypted and which ones are not (by using a different icon).   This was a design decision from our User Experience design team to not show which volumes are encrypted to avoid them from being a targeted volume. 

Encryption6.jpg

However, drilling down to the details of the volume show that the volume is indeed encrypted:

Encyption7.jpg

SmartReplicate and SmartSecure


Finally, if you're utilising SmartReplicate replication between two arrays, then clearly they both have to have SmartSecure encryption enabled in order for encrypted volumes to be replicated.  Of course blocks sent in flight will be encrypted securing the data and the transmission.

The following video walks you through a basic demonstration of setting SmartSecure Encryption on a Nimble group and enabling it on a newly created volume, (please note there is no sound on this video):

Video Link : 1191

Please feel free to ask any questions or make any comments below!

About the Author

rfenton4

Comments
cbrasga24

Genuine question, how does encrypting the volume but setting it to the Available startup mode secure the data?

jfeierfeil131

Since the essential purpose of encryption is to protect the data on disks that are stolen or RMA'ed, the data are still secure (encrypted) while even in Available Mode. Secure Mode offers the additional advantage (over and above other solutions) of protecting against the entire array being stolen by limiting access to volumes when the array power cycles or reboots.

There are two modes of operation:

  • Secure mode: Offers additional protection such that any power cycle or reboot of the entire array requires reentering the pass-phrase before it will come up and start serving data. This is useful for locking down the entire array for transit or if the entire array is stolen.

  • Available mode: Offers the same level of protection as a conventional disk encryption solution, but also allows a power cycle or reboot to preserve access to the volumes. This mode is useful for operation in a physically secure location, and to enable "lights out mode" operation. The one possible exposure in Available Mode is that if the entire array is stolen, then encrypted data "could" be accessible when the array comes back up; assuming the attacker has administrator access to the array and can connect hosts to the LUNs serving those volumes.
cbrasga24

Great, thanks for the additional information!

So basically:

Secure Mode = Secures Disks and Array

Available Mode = Secures Disks

I love how Nimble adds value to their technology products as time goes on, whereas most technology products lose value and fall behind.

jfeierfeil131

Sure thing.

The ideal solution would be one which provides Nimble array integration with 3rd party key managers (via KMIP interface) where the key is always stored somewhere else allowing protection of both array + disks and giving the convenience of not ever having to enter or remember a pass-phrase or key.  Curious to hear if there is interest in this and if so what key managers are people standardized mostly on these days (SafeNet, Vormetric, RSA, other?)

jda39

Can the startup mode be changed at any time (e.g. prior to a physical move) ? Or are we stuck with the setting we chose when first configured?

rfenton4

Hi Joel Adams

Yes, you can flip the arrays System Startup Configuration between Available and Secure mode at will (as long as your role as the correct privileges).

When you change the array from Secure to Available, the array will warn you that this is less secure (and you will be required to confirm):

Untitled.jpg

Cheers

Rich

pbitpro96

Is this only for new volumes? Can we encrypt existing volumes?

rfenton4
Hi Paul 


Correct encryption can be turned on at the time of provisioning.  So you need to create a newly encrypted volume and then migrate data to the volume.


Thanks

Rich


Events
Apr 24 - 25, 2018
Online
Expert Days - 2018
Visit this forum and get the schedules for online HPE Expert Days where you can talk to HPE product experts, R&D and support team members and get answ...
Read more
June 19 - 21
Las Vegas, NV
HPE Discover 2018 Las Vegas
Visit this forum and learn about all things Discover 2018 in Las Vegas, Nevada, June 19 - 21, 2018.
Read more
View all