Skip to main content

Reviewing StorageGRID encryption methods

Contributors netapp-lhalbert

StorageGRID provides a number of options for encrypting data. You should review the available methods to determine which methods meet your data-protection requirements.

The table provides a high-level summary of the encryption methods available in StorageGRID.

Encryption option How it works Applies to

Key management server (KMS) in Grid Manager

You configure a key management server for the StorageGRID site (Configuration > System Settings > Key Management Server) and enable node encryption for the appliance. Then, an appliance node connects to the KMS to request a key encryption key (KEK). This key encrypts and decrypts the data encryption key (DEK) on each volume.

Appliance nodes that have Node Encryption enabled during installation. All data on the appliance is protected against physical loss or removal from the data center. Can be used with some StorageGRID storage and services appliances.

Drive security in SANtricity System Manager

If the Drive Security feature is enabled for a storage appliance, you can use SANtricity System Manager to create and manage the security key. The key is required to access the data on the secured drives.

Storage appliances that have Full Disk Encryption (FDE) drives or Federal Information Processing Standard (FIPS) drives. All data on the secured drives is protected against physical loss or removal from the data center. Cannot be used with some storage appliances or with any service appliances.

Stored Object Encryption grid option

The Stored Object Encryption option can be enabled in the Grid Manager (Configuration > System Settings > Grid Options). When enabled, any new objects that are not encrypted at the bucket level or at the object level are encrypted during ingest.

Newly ingested S3 and Swift object data.Existing stored objects are not encrypted. Object metadata and other sensitive data are not encrypted.

S3 bucket encryption

You issue a PUT Bucket encryption request to enable encryption for the bucket. Any new objects that are not encrypted at the object level are encrypted during ingest.

Newly ingested S3 object data only.Encryption must be specified for the bucket. Existing bucket objects are not encrypted. Object metadata and other sensitive data are not encrypted.

S3 object server-side encryption (SSE)

You issue an S3 request to store an object and include the x-amz-server-side-encryption request header.

Newly ingested S3 object data only.Encryption must be specified for the object. Object metadata and other sensitive data are not encrypted.

StorageGRID manages the keys.

S3 object server-side encryption with customer-provided keys (SSE-C)

You issue an S3 request to store an object and include three request headers.

  • x-amz-server-side-encryption-customer-algorithm

  • x-amz-server-side-encryption-customer-key

  • x-amz-server-side-encryption-customer-key-MD5

Newly ingested S3 object data only.Encryption must be specified for the object. Object metadata and other sensitive data are not encrypted.

Keys are managed outside of StorageGRID.

External volume or datastore encryption

You use an encryption method outside of StorageGRID to encrypt an entire volume or datastore, if your deployment platform supports it.

All object data, metadata, and system configuration data, assuming every volume or datastore is encrypted.

An external encryption method provides tighter control over encryption algorithms and keys. Can be combined with the other methods listed.

Object encryption outside of StorageGRID

You use an encryption method outside of StorageGRID to encrypt object data and metadata before they are ingested into StorageGRID.

Object data and metadata only (system configuration data is not encrypted).

An external encryption method provides tighter control over encryption algorithms and keys. Can be combined with the other methods listed.

Using multiple encryption methods

Depending on your requirements, you can use more than one encryption method at a time. For example:

  • You can use a KMS to protect appliance nodes and also use the drive security feature in SANtricity System Manager to “double encrypt” data on the self-encrypting drives in the same appliances.

  • You can use a KMS to secure data on appliance nodes and also use the Stored Object Encryption grid option to encrypt all objects when they are ingested.

If only a small portion of your objects require encryption, consider controlling encryption at the bucket or individual object level instead. Enabling multiple levels of encryption has an additional performance cost.