
About encryption at rest

Veritas Access Administrator's Guide

Veritas Access provides advanced security for data at rest by the encryption of data volumes. Encryption is a technology that converts data or information into code that can be decrypted only by authorized users.

You can encrypt Veritas Access data volumes to:

  • Protect sensitive data from unauthorized access.

  • Retire disks from use or ship them for replacement without the overhead of secure wiping of content.

Encryption is implemented using the Advanced Encryption Standard (AES) cryptographic algorithm with a 256-bit key size, as validated under the Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2) security standard.

When you create file systems in Veritas Access on encrypted volumes using this feature, Veritas Access generates a volume encryption key at the time of file system creation. This encryption key is encrypted (wrapped) using a different key that is retrieved from a Key Management Server (KMS). The wrapped key is stored with the volume record. The volume encryption key itself is not stored on disk.

Veritas Access supports the use of a KMS that conforms to the OASIS Key Management Interoperability Protocol (KMIP) version 1.1 specification.

During creation of encrypted volumes:

  1. Veritas Access sends a key generation request to the configured KMS using the KMIP protocol.

  2. KMS responds with a unique identifier. Veritas Access sends the identifier to KMS to obtain the key that is generated by KMS.

  3. KMS responds with the key. Veritas Access generates the random volume encryption key, and encrypts it using the key that is provided by KMS.

  4. Veritas Access stores the encrypted key and the KMS identifier in the volume record.

During startup of encrypted volumes:

  1. Veritas Access retrieves the encrypted key and the KMS identifier from the volume record.

  2. Veritas Access sends the identifier to KMS to obtain the key.

  3. KMS responds with the key. Veritas Access decrypts the encrypted key (stored in the volume record) with the key provided by KMS.
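The two flows above are an instance of key wrapping (envelope encryption): the KMS never sees the volume key, and the volume record never holds it in the clear. The following is an added example, not Veritas Access code, that models both flows against an in-memory stand-in for a KMIP server. It assumes AES-256-GCM as the wrapping mode (the page does not state which wrapping algorithm Veritas Access uses) and binds the KMS identifier into the wrap as associated data so that a record whose identifier has been swapped fails to unwrap.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// MockKMS stands in for a KMIP 1.1 server: it generates keys on request and
// hands them back by identifier. This is an assumption for the example.
type MockKMS struct {
	keys map[string][]byte
}

func NewMockKMS() *MockKMS { return &MockKMS{keys: map[string][]byte{}} }

// CreateKey mirrors steps 1-2 of the creation flow: the client asks the KMS
// to generate a key and the KMS answers with a unique identifier.
func (k *MockKMS) CreateKey() (string, error) {
	key := make([]byte, 32) // 256-bit key-encryption key (KEK)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	idBytes := make([]byte, 16)
	if _, err := rand.Read(idBytes); err != nil {
		return "", err
	}
	id := hex.EncodeToString(idBytes)
	k.keys[id] = key
	return id, nil
}

// GetKey mirrors the "send identifier, receive key" exchange.
func (k *MockKMS) GetKey(id string) ([]byte, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, errors.New("kms: unknown key identifier")
	}
	return key, nil
}

// VolumeRecord is what is persisted: the wrapped volume key and the KMS
// identifier, never the plaintext volume key.
type VolumeRecord struct {
	KMSKeyID   string
	WrappedKey []byte // nonce || AES-256-GCM ciphertext of the volume key
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CreateEncryptedVolume performs steps 1-4 of the creation flow. It returns the
// record to persist and the in-memory volume key, which is never written out.
func CreateEncryptedVolume(kms *MockKMS) (VolumeRecord, []byte, error) {
	id, err := kms.CreateKey()
	if err != nil {
		return VolumeRecord{}, nil, err
	}
	kek, err := kms.GetKey(id)
	if err != nil {
		return VolumeRecord{}, nil, err
	}
	volKey := make([]byte, 32) // random 256-bit volume encryption key
	if _, err := rand.Read(volKey); err != nil {
		return VolumeRecord{}, nil, err
	}
	aead, err := aesGCM(kek)
	if err != nil {
		return VolumeRecord{}, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return VolumeRecord{}, nil, err
	}
	// The identifier is authenticated (AAD) so record and KEK cannot be mixed.
	wrapped := aead.Seal(nonce, nonce, volKey, []byte(id))
	return VolumeRecord{KMSKeyID: id, WrappedKey: wrapped}, volKey, nil
}

// StartEncryptedVolume performs the startup flow: fetch the KEK by identifier
// from the KMS and unwrap the stored volume key. Any tampering or a missing
// KMS key makes this fail instead of yielding a wrong key.
func StartEncryptedVolume(kms *MockKMS, rec VolumeRecord) ([]byte, error) {
	kek, err := kms.GetKey(rec.KMSKeyID)
	if err != nil {
		return nil, err
	}
	aead, err := aesGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(rec.WrappedKey) < ns {
		return nil, errors.New("volume record: wrapped key too short")
	}
	nonce, ct := rec.WrappedKey[:ns], rec.WrappedKey[ns:]
	return aead.Open(nil, nonce, ct, []byte(rec.KMSKeyID))
}

// RecordExposesKey reports whether the plaintext volume key appears in the
// persisted record, which a correct wrap must never allow.
func RecordExposesKey(rec VolumeRecord, volKey []byte) bool {
	return bytes.Contains(rec.WrappedKey, volKey)
}

func main() {
	kms := NewMockKMS()
	rec, volKey, err := CreateEncryptedVolume(kms)
	if err != nil {
		panic(err)
	}
	got, err := StartEncryptedVolume(kms, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("kms id=%s wrapped=%d bytes exposes_key=%v unwrap_ok=%v\n",
		rec.KMSKeyID, len(rec.WrappedKey), RecordExposesKey(rec, volKey), bytes.Equal(got, volKey))
}
```

The practical consequence matches the page's description: if the KMS is unavailable or the key behind the stored identifier has been removed, the startup flow fails and the volume cannot be brought up, which is why the registration and time-sync steps for the KMS server below matter operationally.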

Veritas recommends that you use CPUs that support the Advanced Encryption Standard Instruction Set (for example, Intel Advanced Encryption Standard New Instructions, AES-NI) to improve performance.

Veritas recommends that you use IBM Security Key Lifecycle Manager (SKLM), which supports KMIP protocol version 1.1, as the KMS server for this feature.

To register a Veritas Access cluster with the IBM SKLM KMS server:

  1. Install the IBM SKLM server on any system in your environment. You can visit the URL to find the IBM SKLM server versions supported with Veritas Access. Obtain the KMS server's public certificate in base64 format using its admin GUI console or the CLI.

  2. In the Veritas Access GUI management console, go to Settings > Services Management to register the Veritas Access cluster with the KMS server.

  3. Ensure that the clocks of the Veritas Access server and the IBM SKLM server are in sync.

  4. Select Provide Key & Certificates to generate self-signed certificates for the Veritas Access cluster. Provide the KMS server's public SSL certificate in the same window.

  5. The Configure KMS Server tab is now activated. Select this tab to enter the KMS server-related details.

  6. Use the IBM SKLM server's GUI-based management console to accept the client request from the Veritas Access cluster and to accept its SSL keys.

You can use the Storage> fs create command to create the file system with the encrypt=on option:

storage> fs create mirrored fs2 1g 2 pool1 protection=disk blksize=8192 pdir_enable=no encrypt=on

You can use the storage encryption feature in the GUI by activating the secure data storage policy. You can add new NFS and CIFS shares using the activated policy.

The encrypt=on option can be used with all file system layouts except largefs.