8 Data at Rest Encryption Feature

VSM 6.1 and higher supports encryption of data at rest on the disk shelf drives. When the feature is enabled, Solaris 11.1 ZFS performs the encryption. Solaris ZFS encryption is built on the Solaris Cryptographic Framework, which is FIPS 140-2 certified.

The service person enables the encryption feature by running a utility from a command shell on node 1 of the VSM 6 system. The feature utility can only be run while the VSM 6 application is shut down.

For a new installation with no customer data, it only takes a few minutes to enable or disable encryption.

For an existing VSM 6 that already has customer data present, the encryption feature can be enabled only if the current utilization of the disk shelf arrays is less than 90 per cent of total physical capacity.

Conversion of existing data (either from un-encrypted to encrypted or from encrypted to un-encrypted) takes approximately 105 minutes per TB of physical data.

Once VTV data encryption at rest has been enabled, data is encrypted before it is written to disk and decrypted as it is read; this is transparent to the rest of the system. Throughput is reduced by less than five per cent.

When the encryption feature is enabled, the encryption authorization key is stored at a fixed location on the mirrored rpool disk drives of the server, and a backup copy is written to a USB storage device. The USB storage device must be present when the feature is being enabled.

Exactly one USB storage device must be plugged into a VSM 6 node 1 USB port when the encryption authorization key is created. If more than one USB storage device is discovered, key creation fails.

If the encryption authorization key is lost from the mirrored server's rpool disks, a script is provided to restore the key from the USB storage device used to back up the key when it was created or changed.

The VSM 6 application will fail to start if the customer data file systems cannot be mounted because the encryption authorization key is not present.

The ZFS encryption algorithm used is AES-256-CCM. The authorization key is a 256-bit raw key held in a file, generated by the pktool(1) utility, which the encryption feature utility invokes.
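The enabling procedure described above (capacity precondition, key generation with pktool(1), AES-256-CCM on the ZFS file system) as an added shell example. This is not the VSM 6 feature utility itself; the keystore path is the one the page names, the pool and file system names are placeholders, and on a host without pktool the key material is read from /dev/urandom so the example can run offline (an assumption, not what the product does):

```sh
#!/bin/sh
# Added example, not the VSM 6 feature utility. Shows the pieces the page
# describes for enabling encryption: the below-90% capacity check, generation
# of the 256-bit raw authorization key, a sanity check on the key file, and
# the Solaris 11 ZFS command that creates an AES-256-CCM encrypted file system.

KEYSTORE=/lib/svc/method/application/vsm/.vsm_keystore   # path from the page
KEY_BYTES=32            # 256-bit key
MAX_CAPACITY=89         # page: utilization must be below 90 per cent

# capacity_ok "ZPOOL_OUTPUT": ZPOOL_OUTPUT is the text of
# `zpool list -H -o name,capacity`. The caller runs zpool, so the check can
# be exercised with constructed input. Fails if any pool is at 90% or more.
capacity_ok() {
    printf '%s\n' "$1" | while read -r pool cap; do
        [ -n "$pool" ] || continue
        pct=${cap%\%}
        if [ "$pct" -gt "$MAX_CAPACITY" ]; then
            echo "pool $pool is at ${pct}%; must be below 90% to enable encryption" >&2
            exit 1
        fi
    done
}

# gen_key_file FILE: write a 256-bit raw key to FILE with mode 0600.
# On Solaris this uses pktool(1) as the page states; elsewhere (assumed, so
# the example runs offline) it reads /dev/urandom instead.
gen_key_file() {
    out=$1
    (
        umask 077
        if command -v pktool >/dev/null 2>&1; then
            pktool genkey keystore=file outkey="$out" keytype=aes keylen=256
        else
            head -c "$KEY_BYTES" /dev/urandom > "$out"
        fi
    )
}

# key_size FILE: size of FILE in bytes.
key_size() {
    wc -c < "$1" | tr -d ' '
}

# check_key_file FILE: succeed only if FILE is exactly 32 bytes and is not
# readable by group or other. A wrong-length key makes `zfs create` fail;
# a group/world-readable one hands the key to any local user.
check_key_file() {
    f=$1
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    [ "$(key_size "$f")" -eq "$KEY_BYTES" ] || { echo "key is not 256 bits: $f" >&2; return 1; }
    case $(ls -l "$f" | cut -c5-10) in
        ------) return 0 ;;
        *) echo "key file is group/world accessible: $f" >&2; return 1 ;;
    esac
}

# zfs_create_cmd DATASET KEYFILE: the Solaris 11 ZFS command that creates
# DATASET encrypted with AES-256-CCM, reading the raw key from KEYFILE
# (absolute path). Printed rather than run, so it can be reviewed first and
# executed only on node 1 with the VSM 6 application stopped.
zfs_create_cmd() {
    echo "zfs create -o encryption=aes-256-ccm -o keysource=raw,file://$2 $1"
}

# Sequence on the VSM node (placeholder pool/file system names):
#   capacity_ok "$(zpool list -H -o name,capacity)" || exit 1
#   key=$KEYSTORE/_$(date +%Y%m%d%H%M%S)001.key
#   gen_key_file "$key" && check_key_file "$key" || exit 1
#   eval "$(zfs_create_cmd vsmpool/vtv "$key")"
```

The create command is printed instead of executed because a wrong `keysource` path or a missing key file leaves a file system that cannot be mounted, which is exactly the failure the page warns about at application start.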

Capacity upgrades to an encryption-enabled VSM 6 simply increase the storage size of the disk shelf arrays and keep the encryption setting that exists at upgrade time.

Software upgrades to the VSM 6 will preserve the encryption authorization key(s) stored on the mirrored server's rpool disk drives.

The VSM 6 CLI and Service GUI will indicate if the encryption feature is enabled.

The Service GUI allows the service person to change the encryption authorization key. Changing the key does not invalidate access to any VTV data stored before the change: ZFS uses the authorization key to wrap the per-file-system data encryption key, so a key change rewraps that key rather than re-encrypting the data on disk. Changing the key obsoletes the prior encryption authorization key and generates a new key that is then required to unlock the encrypted VTV file systems. As at creation time, changing the key requires that a single USB storage device be discovered, as the backup location for the key stored on the mirrored server rpool disk drives.

The encryption authorization key is stored on the mirrored rpool disk drives of both servers, in the directory /lib/svc/method/application/vsm/.vsm_keystore. Key file names have the format _yyyymmddhhmmssnnn.key. Prior generations of keys are kept in the same directory, and whenever a key is created or changed, all generations of the keys in this directory are backed up to the USB storage device. The USB device therefore holds a usable copy of the current key and should be stored separately from the system it protects.
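The key-creation and key-change rules described above (exactly one USB device present, the _yyyymmddhhmmssnnn.key naming, every generation in the keystore copied to the USB device, and the key change itself) as an added shell example. This is not the Service GUI's code; the keystore path and naming format are from the page, the "nnn" suffix is assumed to be a three-digit sequence number, and how USB devices are enumerated is left to the caller because it is host specific:

```sh
#!/bin/sh
# Added example, not VSM 6 code. Implements the checks and the backup step
# the page describes for creating or changing the authorization key.

KEYSTORE=/lib/svc/method/application/vsm/.vsm_keystore   # path from the page

# require_single_usb DEVLIST: DEVLIST is a newline-separated list of
# discovered removable storage devices (the caller enumerates them).
# Exactly one is required; zero or several is a failure, as the page states.
require_single_usb() {
    n=$(printf '%s\n' "$1" | grep -c .)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one USB storage device, found $n" >&2
        return 1
    fi
}

# new_key_name SEQ: build _yyyymmddhhmmssnnn.key from the current time and a
# three-digit sequence number (assumed meaning of "nnn").
new_key_name() {
    printf '_%s%03d.key' "$(date +%Y%m%d%H%M%S)" "$1"
}

# is_key_name NAME: check NAME against the page's naming format.
is_key_name() {
    printf '%s\n' "$1" | grep -Eq '^_[0-9]{14}[0-9]{3}\.key$'
}

# backup_keystore DIR USBMOUNT: copy every key generation in DIR to the USB
# mount point and verify each copy byte-for-byte before declaring success.
# Prints the number of keys copied; fails if DIR holds no keys or any copy
# does not match (a silently truncated backup is worse than no backup).
backup_keystore() {
    src=$1; dst=$2; count=0
    for k in "$src"/_*.key; do
        [ -f "$k" ] || continue
        cp "$k" "$dst/" || return 1
        cmp -s "$k" "$dst/$(basename "$k")" || { echo "verify failed: $k" >&2; return 1; }
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "no keys found in $src" >&2; return 1; }
    sync
    echo "$count"
}

# zfs_change_key_cmd DATASET NEWKEY: the Solaris 11 command that rewraps the
# file system's data encryption key with NEWKEY (`zfs key -c`). The data on
# disk is not rewritten, which is why earlier VTVs remain readable.
zfs_change_key_cmd() {
    echo "zfs key -c -o keysource=raw,file://$2 $1"
}

# Sequence on node 1 with the application stopped (placeholder names):
#   require_single_usb "$(enumerate_usb_devices)" || exit 1   # host-specific helper
#   new=$KEYSTORE/$(new_key_name 1)
#   ... generate the 256-bit key into "$new" ...
#   eval "$(zfs_change_key_cmd vsmpool/vtv "$new")"
#   backup_keystore "$KEYSTORE" /mnt/usb || exit 1
```

Backing up only after the key change has succeeded, and verifying every copy, matches the page's statement that all generations are written to the USB device whenever a key is created or changed; a restore from that device is the only recovery path if the rpool copies are lost.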