If You Are Using SSDs, You Should Be Encrypting


I saw the following article come across Twitter today.

http://www.zdnet.com/blog/storage/ssd-security-the-worst-of-all-worlds/1326

In it, Robin Harris describes the issues around data recovery and secure erasure specific to SSD disks.  In layman’s terms, since SSDs do all sorts of fancy things with writes to increase longevity and performance, disk erasure is nearly impossible using normal methods, and forensic or malicious data recovery is quite easy.  So if you have sensitive data being stored on SSDs, that data is at risk of being read by someone, some day, in the future.  It seems that pretty much the only way to mitigate this risk is to use encryption at some level outside the SSD disk itself.

Did you know that EMC Symmetrix VMAX offers data-at-rest encryption that is completely transparent to hosts and applications, and has no performance impact?  With Symmetrix D@RE, each individual disk is encrypted with a unique key, managed by a built-in RSA key manager, so disks are unreadable if removed from the array.   Since the data is encrypted as the VMAX is writing to the physical disk, attempting to read data off an individual disk without the key is pointless, even for SSD disks.

The beauty of this feature is that it’s set-it-and-forget-it.  No management is needed: it’s enabled during installation and that’s it.  All disks are encrypted, all the time.

  • Ready to decomm an old array and return it, trade it, or sell it?  Destroy the keys and the data is gone.  No need for an expensive Data Erasure professional services engagement.
  • Failed disk replaced by your vendor?  No need for special arrangements with your vendor to keep those disks onsite, or certify erasure of a disk every time one is replaced.  The key stays with the array and the data on that disk is unreadable.
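The argument so far, as an added example (not from the original post and not EMC code): a constructed toy model of an SSD's remapping layer, showing that a host-level overwrite leaves the old page in flash, while data encrypted above the drive leaves only ciphertext there. `ToySSD`, `seal` and `unseal` are hypothetical names, and the SHAKE-256 keystream is a stand-in for a real disk-encryption cipher.

```python
import hashlib
import os

SECRET = b"card=CONSTRUCTED-SAMPLE-0001"   # constructed sample data

class ToySSD:
    """Toy flash translation layer: writes never overwrite in place."""
    def __init__(self):
        self.flash = []   # physical pages, in the order they were programmed
        self.l2p = {}     # logical block address -> physical page index

    def write(self, lba, data):
        self.flash.append(bytes(data))        # always program a fresh page
        self.l2p[lba] = len(self.flash) - 1   # old page is unmapped, not erased

    def read(self, lba):
        return self.flash[self.l2p[lba]]

    def raw_dump(self):
        """Every physical page, stale ones included (chip-level view)."""
        return b"".join(self.flash)

def _keystream(key, nonce, n):
    return hashlib.shake_256(key + nonce).digest(n)

def seal(key, data):
    """Stand-in cipher for the demo only; fresh nonce per write."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def unseal(key, page):
    nonce, body = page[:16], page[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def overwrite_plaintext_drive():
    ssd = ToySSD()
    ssd.write(7, SECRET)
    ssd.write(7, b"\0" * len(SECRET))         # host-level "erase" of block 7
    return ssd.read(7), SECRET in ssd.raw_dump()

def overwrite_encrypted_drive():
    key = os.urandom(32)                      # held outside the drive
    ssd = ToySSD()
    ssd.write(7, seal(key, SECRET))
    ssd.write(7, seal(key, b"\0" * len(SECRET)))
    stale = ssd.flash[0]                      # the page the overwrite left behind
    return SECRET in ssd.raw_dump(), unseal(key, stale) == SECRET, stale

if __name__ == "__main__":
    print("plaintext drive:", overwrite_plaintext_drive())
    print("encrypted drive:", overwrite_encrypted_drive()[:2])
```

The stale page still decrypts with the key, which is why destroying the key, rather than overwriting, is what puts the data out of reach.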

If you have to comply with PCI and/or other compliance rules that require secure erasure of disks, you should consider putting that data on a VMAX with data-at-rest encryption.

Now, what if you have an existing EMC storage system and the same need to encrypt data?  You can encrypt at the volume level with PowerPath Encryption.  PowerPath encrypts the data at the host with a unique key managed by an RSA Key Manager.  And it works with the non-EMC arrays that PowerPath supports as well.

Under normal circumstances, PowerPath Encryption does have some level of performance impact on the host; however, HBA vendors, such as Emulex, are now offering HBAs with encryption offload that works with PowerPath.  If you combine PowerPath Encryption with Emulex Encryption HBAs, you get in-flight AND at-rest encryption with near-zero performance impact.

  • Do you replicate your sensitive data to a 3rd party remote datacenter for business continuity?  PowerPath Encryption prevents unauthorized access to the data because no host can read it without the proper key.

14 comments on “If You Are Using SSDs, You Should Be Encrypting”

  1. I recently read that Intel’s newer consumer grade SSDs actually encrypt all data on the disk. When you request a low level format, all it does is throw away the old encryption key and generate a new one. You just have to hope there is no way to recover the previous key. 🙂

    • That could be pretty good for desktops and laptops… But generally, storage systems don’t necessarily issue a low-level format. Especially since some of them (like EMC) use non-standard block sizes (like 520 bytes). The built-in mechanism is to write zeros across the drive, and for certified erasure, a separate appliance writes random data, etc. over the disk multiple times.

      If storage arrays were updated to take advantage of the built-in encryption of a disk, however, then the array could just issue a SCSI command or something to the disk to wipe it, and that would be pretty slick.

  2. We’ve been asking for encryption at rest for Celerra (integrated) for ages... when is that coming?

    • Actually, it’s recently become available. The solution encrypts data between the datamover and the backend storage processor so it’s encrypted on disk but there is nothing in the NAS client’s data path. I need to look at the doc again for more details.

    • Okay, the feature is called EMC Encryption for File Systems and is supported with Celerra Gateways (NS-G2, NS-G8, VG2, VG8). It looks like it became available in January. It can be ordered alongside a new VG2 or VG8 or separately for existing gateways.

  3. Richard,

    Can those Gateway models be connected to a VNX or VMAX only?

    • The Gateway systems support Clariion, Celerra (w/Block), VNX, and Symmetrix DMX/VMAX. Any combination, up to 4 backend arrays per gateway.

  4. Correct me if I am wrong, but if I purchase a VNX right now, it comes with datamovers already? So how do I purchase a VNX and say that I want encryption for my datamovers?

    • You can purchase a VNX with or without NAS functionality built-in (if no NAS, then no datamovers are included). You would need to purchase the VG2 or VG8 gateway, attach it to the VNX via FC, and also order the Encryption option for the gateway. The integrated datamovers wouldn’t be encrypted if they exist.

  5. Thanks Richard, here is one for ya. Let’s say I get a VNX with 2 datamovers for my “regular” class of storage. Then I buy 2 VG8 datamovers and connect them to VNX through the Brocade switch. As far as AVM is concerned, it’s oblivious to the fact that there is encryption going on at block level? Any implications to FAST-VP, do I need a separate pool on VNX?

    • Now we’re getting a little technical for a blog post.. AVM won’t notice the encryption, and neither will the VNX. I don’t think there would be any additional restrictions but we could check with support about it. You might need two FASTVP pools (one for the integrated movers and the other for the gateway) but I’d have to dig deeper on that. As an aside, the Encryption add-on includes Brocade switches, since they are actually doing the encryption. Feel free to email me if you like.

  6. Emailed your @mac address.

  7. How will I know that D@RE is installed in my VMAX? Is there any command?

    • DARE must be ordered with the array initially and is enabled in the BIN file by the EMC Customer Engineer who implements the array. I have not seen any symcli commands that can tell you one way or the other if DARE is enabled. It is done using an EMC internal tool called Symmwin.