Review StorageGRID encryption methods
StorageGRID provides a number of options for encrypting data. You should review the available methods to determine which methods meet your data-protection requirements.
The table provides a high-level summary of the encryption methods available in StorageGRID.
| Encryption option | How it works | Applies to |
|---|---|---|
| Key management server (KMS) in Grid Manager | You configure a key management server for the StorageGRID site (CONFIGURATION > Security > Key management server) and enable node encryption for the appliance. Then, an appliance node connects to the KMS to request a key encryption key (KEK). This key encrypts and decrypts the data encryption key (DEK) on each volume. | Appliance nodes that have Node Encryption enabled during installation. All data on the appliance is protected against physical loss or removal from the data center. |
| Drive security in SANtricity System Manager | If the Drive Security feature is enabled for a storage appliance, you can use SANtricity System Manager to create and manage the security key. The key is required to access the data on the secured drives. | Storage appliances that have Full Disk Encryption (FDE) drives or Federal Information Processing Standard (FIPS) drives. All data on the secured drives is protected against physical loss or removal from the data center. Cannot be used with some storage appliances or with any service appliances. |
| Stored Object Encryption grid option | The Stored Object Encryption option can be enabled in the Grid Manager (CONFIGURATION > System > Grid options). When enabled, any new objects that are not encrypted at the bucket level or at the object level are encrypted during ingest. | Newly ingested S3 and Swift object data. Existing stored objects are not encrypted. Object metadata and other sensitive data are not encrypted. |
| S3 bucket encryption | You issue a PUT Bucket encryption request to enable encryption for the bucket. Any new objects that are not encrypted at the object level are encrypted during ingest. | Newly ingested S3 object data only. Encryption must be specified for the bucket. Existing bucket objects are not encrypted. Object metadata and other sensitive data are not encrypted. |
| S3 object server-side encryption (SSE) | You issue an S3 request to store an object and include the | Newly ingested S3 object data only. Encryption must be specified for the object. Object metadata and other sensitive data are not encrypted. StorageGRID manages the keys. |
| S3 object server-side encryption with customer-provided keys (SSE-C) | You issue an S3 request to store an object and include three request headers. | Newly ingested S3 object data only. Encryption must be specified for the object. Object metadata and other sensitive data are not encrypted. Keys are managed outside of StorageGRID. |
| External volume or datastore encryption | You use an encryption method outside of StorageGRID to encrypt an entire volume or datastore, if your deployment platform supports it. | All object data, metadata, and system configuration data, assuming every volume or datastore is encrypted. An external encryption method provides tighter control over encryption algorithms and keys. Can be combined with the other methods listed. |
| Object encryption outside of StorageGRID | You use an encryption method outside of StorageGRID to encrypt object data and metadata before they are ingested into StorageGRID. | Object data and metadata only (system configuration data is not encrypted). An external encryption method provides tighter control over encryption algorithms and keys. Can be combined with the other methods listed. |
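As an added example (not code from the StorageGRID documentation), the following builds the per-object request headers for the SSE and SSE-C rows above and lets a reviewer check that a captured SSE-C request's key and key-MD5 headers agree before relying on it. The header names are the standard S3 ones; the page does not list them, so it is assumed here that StorageGRID accepts the same names, and the sample key is constructed inline so the code runs offline.

```python
import base64
import hashlib

# Standard S3 header names (assumption: StorageGRID accepts the same names).
SSE_HEADER = "x-amz-server-side-encryption"
SSEC_ALGORITHM = "x-amz-server-side-encryption-customer-algorithm"
SSEC_KEY = "x-amz-server-side-encryption-customer-key"
SSEC_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def sse_headers() -> dict:
    """SSE: StorageGRID manages the key; the request only asks for AES256."""
    return {SSE_HEADER: "AES256"}


def ssec_headers(key: bytes) -> dict:
    """SSE-C: the client supplies the key and an MD5 of it in three headers.

    The MD5 is an integrity check so the server can reject a key corrupted in
    transit; it is not secret. The key itself travels in the request, so these
    headers must only be sent over TLS, and the caller must retain the key.
    """
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    key_md5 = hashlib.md5(key).digest()
    return {
        SSEC_ALGORITHM: "AES256",
        SSEC_KEY: base64.b64encode(key).decode("ascii"),
        SSEC_KEY_MD5: base64.b64encode(key_md5).decode("ascii"),
    }


def ssec_headers_consistent(headers: dict) -> bool:
    """Recompute the key MD5 from the key header; False if anything disagrees.

    Useful when reviewing a captured request: a mismatch means the object
    cannot be read back with the key the caller believes it used.
    """
    try:
        key = base64.b64decode(headers[SSEC_KEY], validate=True)
        sent_md5 = base64.b64decode(headers[SSEC_KEY_MD5], validate=True)
    except (KeyError, ValueError):  # missing header or malformed base64
        return False
    return len(key) == 32 and hashlib.md5(key).digest() == sent_md5


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed sample key, never reuse
    print(ssec_headers(demo_key), ssec_headers_consistent(ssec_headers(demo_key)))
```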
Use multiple encryption methods
Depending on your requirements, you can use more than one encryption method at a time. For example:
- You can use a KMS to protect appliance nodes and also use the drive security feature in SANtricity System Manager to “double encrypt” data on the self-encrypting drives in the same appliances.
- You can use a KMS to secure data on appliance nodes and also use the Stored Object Encryption grid option to encrypt all objects when they are ingested.
If only a small portion of your objects require encryption, consider controlling encryption at the bucket or individual object level instead. Enabling multiple levels of encryption has an additional performance cost.