Data Security Settings
About Data at Rest Encryption (physical deployments only)
EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA 4.0 Security Configuration Guide
Data at Rest Encryption (D@RE) is provided through controller-based encryption (CBE) at a physical drive level. A unique data encryption key (DEK) is generated for each drive and is used to encrypt data as it is sent to the drive. The goal of this feature is to ensure that all customer data and identifying information is encrypted with strong encryption, primarily to ensure security in the event of loss of a drive.

Separate from CBE, system space on the Storage Processors (SPs) is encrypted using an encryption capability (dm_crypt) that is native to the Linux distribution. Specific partitions on the system drive are encrypted by default, provided that encryption was activated on the system at manufacture time. For those system partitions that are not encrypted, some unencrypted data, such as diagnostic dumps, could be present. In addition, small amounts of unencrypted user data could be present as a result of diagnostic materials being written to the system partition. All data written to the array through the regular I/O protocols (iSCSI, FC) is encrypted. Anything that enters the array through the control path is not encrypted by this solution; however, sensitive information (for example, passwords) is encrypted by a different mechanism (as it is on non-encrypting arrays).
A component, referred to as the Key Manager, is responsible for generating, storing and otherwise managing the encryption keys for the system. The keystore that is generated to store the encryption keys resides on a managed LUN in private space on the system. Keys are generated or deleted in response to notifications that a storage pool has been added or removed. Key backups are performed automatically by the system. In addition, changes to the configuration of the system that result in changes to the keystore generate information alerts that recommend key backups be created. When an operation that results in a change to the keystore occurs, an alert appears and persists.
A separate auditing function is provided for general key operations; it tracks all key establishment, deletion, backup, and restore changes as well as SLIC addition.

For additional information about the Data at Rest Encryption feature, refer to the EMC Unity: Data at Rest Encryption white paper.
Feature activation
D@RE is a licensed feature. The license must be installed during the initial configuration of your system. Once activated, the encryption operation cannot be reverted.

The encryption operation causes data encryption keys to be created, and all user data begins to be encrypted. The encryption keys are stored in a keystore file. The keystore file that is generated resides on a managed LUN in private space on the system.
It is strongly recommended that you back up the generated keystore file to another location, external to the system, where the keystore can be kept safe and secret. If the keystore on the system becomes corrupted, the system will be nonfunctional: it enters service mode and only the operating system boots. In this state, attempts to access the system through Unisphere return an error indicating that the keystore is in an inaccessible state. In this case, the backup keystore file and a service engagement are required for resolution.
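Because a corrupted keystore leaves the system nonfunctional and the external backup is the only recovery path, it is worth knowing that the off-system copy is itself intact before it is ever needed. The following script is an added example, not a tool from the Unity guide or from EMC: it copies a keystore backup to an external location, records its size and SHA-256 digest in a manifest, and later verifies the copy against that manifest. The file names, the `keystore.bin` stand-in (random bytes) and the directory layout are constructed for illustration only.

```python
"""Added example (not part of the Unity guide): keep an off-system copy of a
keystore backup together with a SHA-256 manifest, and verify the copy before
relying on it. All paths and file contents here are constructed."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

MANIFEST_SUFFIX = ".sha256.json"


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large backups are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def store_backup(keystore_path: str, dest_dir: str) -> str:
    """Copy the keystore file to dest_dir and write a manifest beside it.

    Returns the path of the copy. The manifest records size and digest so a
    later verify_backup() can detect truncation or bit rot in the copy."""
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(keystore_path))
    shutil.copy2(keystore_path, dest)
    manifest = {
        "file": os.path.basename(dest),
        "size": os.path.getsize(dest),
        "sha256": sha256_of(dest),
    }
    with open(dest + MANIFEST_SUFFIX, "w") as f:
        json.dump(manifest, f)
    return dest


def verify_backup(backup_path: str) -> bool:
    """Return True only if the copy still matches its manifest (size and digest).

    A missing or unreadable manifest counts as a failed verification rather
    than an exception, so callers can treat the result as a simple go/no-go."""
    try:
        with open(backup_path + MANIFEST_SUFFIX) as f:
            manifest = json.load(f)
        if os.path.getsize(backup_path) != manifest["size"]:
            return False
        return hmac.compare_digest(sha256_of(backup_path), manifest["sha256"])
    except (OSError, KeyError, ValueError, TypeError):
        return False


def demo() -> tuple:
    """Constructed run: back up a stand-in keystore, verify it, then flip one
    byte of the copy to simulate corruption and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "keystore.bin")  # constructed stand-in, not a real keystore
        with open(src, "wb") as f:
            f.write(os.urandom(4096))
        backup = store_backup(src, os.path.join(tmp, "offsite"))
        intact = verify_backup(backup)
        with open(backup, "r+b") as f:  # corrupt a single byte in the copy
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0x01]))
        return intact, verify_backup(backup)


if __name__ == "__main__":
    print(demo())
```

The manifest sits beside the copy, so it catches accidental corruption (truncated transfer, media errors) rather than deliberate tampering by someone who can already write to that location; if that distinction matters, keep the manifest in a separate place. The copy is the secret that unlocks every drive on the array, so the destination should be access-controlled and encrypted in its own right.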
Encryption status
The following D@RE feature status can be viewed either through Unisphere or a CLI command: