Skip to main content
A newer release of this product is available.

Review StorageGRID encryption methods

Contributors netapp-lhalbert netapp-pcarriga netapp-madkat netapp-perveilerk

StorageGRID provides several options for encrypting data. You should review the available methods to determine which methods meet your data-protection requirements.

The table provides a high-level summary of the encryption methods available in StorageGRID.

Encryption option How it works Applies to

Key management server (KMS) in Grid Manager

You configure a key management server for the StorageGRID site and enable node encryption for the appliance. Then, an appliance node connects to the KMS to request a key encryption key (KEK). This key encrypts and decrypts the data encryption key (DEK) on each volume.

Appliance nodes that have Node Encryption enabled during installation. All data on the appliance is protected against physical loss or removal from the data center.

Note: Managing encryption keys with a KMS is only supported for Storage Nodes and services appliances.

Drive Encryption page in StorageGRID Appliance Installer

If the appliance contains drives that support hardware encryption, you can set a drive passphrase during installation. When you set a drive passphrase, it's impossible for anyone to recover valid data from drives that have been removed from the system, unless they know the passphrase. Before starting installation, go to Configure Hardware > Drive Encryption to set a drive passphrase that applies to all StorageGRID-managed, self-encrypting drives in a node.

Appliances that contain self-encrypting drives. All data on the secured drives is protected against physical loss or removal from the data center.

Drive encryption doesn't apply to SANtricity-managed drives. If you have a storage appliance with self-encrypting drives and SANtricity controllers, you can enable drive security in SANtricity.

Drive security in SANtricity System Manager

If the Drive Security feature is enabled for an SG5700 or SG6000 storage appliance, you can use SANtricity System Manager to create and manage the security key. The key is required to access the data on the secured drives.

Storage appliances that have Full Disk Encryption (FDE) drives or self-encrypting drives. All data on the secured drives is protected against physical loss or removal from the data center. Can't be used with some storage appliances or with any services appliances.

Stored object encryption

You enable the Stored object encryption option in the Grid Manager. When enabled, any new objects that aren't encrypted at the bucket level or at the object level are encrypted during ingest.

Newly ingested S3 and Swift object data.

Existing stored objects aren't encrypted. Object metadata and other sensitive data aren't encrypted.

S3 bucket encryption

You issue a PutBucketEncryption request to enable encryption for the bucket. Any new objects that aren't encrypted at the object level are encrypted during ingest.

Newly ingested S3 object data only.

Encryption must be specified for the bucket. Existing bucket objects aren't encrypted. Object metadata and other sensitive data aren't encrypted.

S3 object server-side encryption (SSE)

You issue an S3 request to store an object and include the x-amz-server-side-encryption request header.

Newly ingested S3 object data only.

Encryption must be specified for the object. Object metadata and other sensitive data aren't encrypted.

StorageGRID manages the keys.

S3 object server-side encryption with customer-provided keys (SSE-C)

You issue an S3 request to store an object and include three request headers.

  • x-amz-server-side-encryption-customer-algorithm

  • x-amz-server-side-encryption-customer-key

  • x-amz-server-side-encryption-customer-key-MD5

Newly ingested S3 object data only.

Encryption must be specified for the object. Object metadata and other sensitive data aren't encrypted.

Keys are managed outside of StorageGRID.

External volume or datastore encryption

You use an encryption method outside of StorageGRID to encrypt an entire volume or datastore, if your deployment platform supports it.

All object data, metadata, and system configuration data, assuming every volume or datastore is encrypted.

An external encryption method provides tighter control over encryption algorithms and keys. Can be combined with the other methods listed.

Object encryption outside of StorageGRID

You use an encryption method outside of StorageGRID to encrypt object data and metadata before they are ingested into StorageGRID.

Object data and metadata only (system configuration data is not encrypted).

An external encryption method provides tighter control over encryption algorithms and keys. Can be combined with the other methods listed.

Use multiple encryption methods

Depending on your requirements, you can use more than one encryption method at a time. For example:

  • You can use a KMS to protect appliance nodes and also use the drive security feature in SANtricity System Manager to "double encrypt" data on the self-encrypting drives in the same appliances.

  • You can use a KMS to secure data on appliance nodes and also use the Stored object encryption option to encrypt all objects when they are ingested.

If only a small portion of your objects require encryption, consider controlling encryption at the bucket or individual object level instead. Enabling multiple levels of encryption has an additional performance cost.