Encrypting Storage Pools

Storage Pools can be encrypted using one of two methods: hardware-based or software-based.

GELI Encryption

GELI encryption is a software-level disk encryption mechanism that uses GELI, a disk encryption system operating at the block device layer.

The following graphic illustrates the encryption architecture:

[Figure: GELI encryption]

  • This is a software encryption technique inherited from GELI
  • The encryption algorithm used is AES-XTS
  • This is a full disk encryption, which means the entire disk data is encrypted (metadata included)
  • The encryption key used is encrypted using the passphrase specified by the Administrator
  • Both the encryption key and passphrase are required to unlock the disks
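One way to check the properties listed above from a shell, as an added example that is not CloudByte code: it parses the text printed by FreeBSD's `geli list` and reports pool disks that have no attached GELI provider or use an algorithm other than AES-XTS. Shell access to the storage node, the device names da1 to da3 and the sample output are assumptions constructed for illustration.

```python
import re

# Constructed sample in the format of FreeBSD's `geli list` output.
SAMPLE = """\
Geom name: da1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: software
Providers:
1. Name: da1.eli
   Mediasize: 1000204881920 (932G)

Geom name: da2.eli
State: ACTIVE
EncryptionAlgorithm: AES-CBC
KeyLength: 128
Crypto: software
"""

def parse_geli_list(text):
    """Return {geom name: {field: value}} from `geli list` output."""
    geoms, current = {}, None
    for line in text.splitlines():
        m = re.match(r"([A-Za-z][A-Za-z ]*):\s*(.*)$", line)
        if not m:
            continue  # numbered or indented provider/consumer detail
        key, value = m.groups()
        if key == "Geom name":
            current = geoms.setdefault(value, {})
        elif current is not None and value:
            current[key] = value
    return geoms

def audit(geoms, pool_disks, algorithm="AES-XTS"):
    """Return (disk, problem) pairs for disks that miss the expected setup."""
    findings = []
    for disk in pool_disks:
        info = geoms.get(disk + ".eli")
        if info is None:
            # Not attached: the disk is either locked or not GELI-encrypted.
            findings.append((disk, "no attached GELI provider"))
        elif info.get("EncryptionAlgorithm") != algorithm:
            findings.append((disk, "algorithm " + info.get("EncryptionAlgorithm", "unknown")))
    return findings

if __name__ == "__main__":
    for disk, problem in audit(parse_geli_list(SAMPLE), ["da1", "da2", "da3"]):
        print(disk + ": " + problem)
```

On a live node, the same functions can be fed the captured output of `geli list` in place of the constructed sample.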

Enabling Encryption on ElastiCenter

  1. In the Add Pool page, select Enable Encryption.
  2. Specify a Passphrase.
  3. Click Next.


Hardware-based disk encryption / Support for self-encrypting drives (SED)

A hardware-level disk encryption mechanism that relies on self-encrypting drives (SEDs).

  • This is a hardware-based data encryption technique
  • Encryption workload is moved to the drive instead of the processor. This improves system performance.
  • This is a full disk encryption, which means the entire disk data is encrypted (metadata included)
  • The data on the disk is encrypted at all times
  • The feature enables a drive locking mechanism using the passphrase specified by the Administrator
  • Restricts data access only to the authorized hosts with the specified passphrase.

Enabling Encryption

  • Hardware-based encryption can be enabled only on SEDs.
  • SEDs can be used to create GELI (software) encrypted Pools as well.
  • You cannot create an encrypted Pool with a combination of SED and other data disks.

Using ElastiCenter

  1. In the Add Pool page, select Enable Encryption.
  2. Select Hardware as the Encryption type.
  3. Specify a Passphrase.
  4. Click Next.
     [Screenshot: SED enabling]

Changing the passphrase

You can change the passphrase used to encrypt the Pool by doing the following:

  1. Go to the Encrypted Pool page.
  2. In the Actions pane, select Change passkey.
  3. In the Change Passkey dialog box, specify the new passkey and confirm.

Schedule passphrase change

  1. Go to the Encrypted Pool page.
  2. In the Actions pane, select Schedule change passkey.
  3. In the following dialog box, specify the scheduling interval.
  4. Click OK.

Note: CloudByte recommends that you perform a Refresh Hardware after deleting the encrypted Pool.