Extended Storage (ExS) Encryption Feature

VSM Extended Storage (ExS) Encryption is an enhancement to VSM Extended Storage that allows the VTSS to encrypt data before sending it out to the extended storage. This allows the customer to manage their own keys using Oracle Key Manager (OKM) or EXS VSM Key Manager (VSM Key Store).

ExS Encryption is included in the base VSM6 or VSM7 code and is configured by Oracle Services personnel as part of the VSM configuration. ExS encryption is a separate feature from VTSS encryption, which encrypts data residing in the VTSS disk buffer.

Figure 2-1 VSM ExS Configuration with Encryption



As shown in the figure above, ExS Encryption occurs between the Nearlink and the Extended Storage (ExS) nodes, before the ExS nodes send data to physical and cloud storage targets across the IP network.

Encryption keys are handled differently depending on the type of Key Store used:
  • When using VSM Key Store, encryption keys are created and stored on each VTSS in the EXS complex. Multiple VMVCs will share the same encryption key. The encryption key used to migrate new data to a VMVC can be changed over time by creating a new key. Deletion of a VSM key is not supported.
  • When using OKM, keys are automatically generated, stored and managed external to the VTSS and the EXS storage. Each VMVC will have its own encryption key.

The VSM ExS Encryption feature introduces two new constructs, keystore and key.

  • The keystore construct identifies the key manager type (OKM or VSM) to use for encryption and specifies a name for the Key Store that is shared on all systems in the EXS complex. For keystores of type VSM, the keystore construct also specifies the label name of the key to use for subsequent migrations (the current key).
  • The key construct is only applicable to a VSM keystore. It associates an encryption key with a named VSM keystore, specifies a label name associated with the encryption key, and specifies the encryption key value.

If you wish to utilize the VSM Extended Storage (ExS) Encryption feature in your VSM configuration, contact Oracle Services.