Encryption

The Lenovo Storage® V7000 Gen2 system supports optional encryption of data at rest. This support protects against the potential exposure of sensitive user data and user metadata that is stored on discarded, lost, or stolen storage devices. To use encryption on the system, an encryption license is required for each enclosure that supports encryption.

General encryption concepts and terms

Encryption-capable refers to the ability of the system to optionally encrypt user data and metadata by using a secret key.

Encryption-disabled describes a system where no secret key is configured.

Encryption-enabled describes a system where a secret key is configured and used. The key must be used to unlock the encrypted data, enabling access control.

Access-control-enabled describes an encryption-enabled system that is configured so that an access key must be provided to authenticate with an encrypted entity, such as a secret key or flash module, to unlock and operate that entity. The system permits access control enablement only when it is encryption-enabled. A system that is encryption-enabled can optionally also be access-control-enabled to provide functional security.

Protection-enabled describes a system that is both encryption-enabled and access-control-enabled. An access key must be provided to unlock the system so that it can transparently perform all required encryption-related functionality, such as encrypt on write and decrypt on read.

The Protection Enablement Process (PEP) transitions the system from a state that is not protection-enabled to a state that is protection-enabled. The PEP requires that the customer provide a secret key to access the system. This secret key must be resiliently stored and backed up externally to the system; for example, on USB flash drives. PEP is not merely activating a feature using the management GUI or CLI. To avoid loss of data that was written to the system before the PEP occurs, the customer must move all of the data to be retained off the system before the PEP is initiated. After PEP has completed, the customer must move the data back onto the system. The PEP is performed during the system initialization process, if encryption is activated. The system does not support AME.

Application-transparent encryption is an attribute of the encryption architecture, referring to the fact that applications are not aware that encryption and protection are occurring. This is in contrast to Application Managed Encryption (AME), which is not transparent to applications, and where an application must serve keys to a storage device.

Accessing an encrypted system

Planning for encryption involves purchasing a licensed function and then activating and enabling the function on the system.

To encrypt data that is stored on drives, the control enclosure on which they are connected must contain an active license and be configured to use encryption. When encryption is activated and enabled on the system, valid encryption keys must be present on the system when the system unlocks the drives or the user generates a new key. The encryption key must be stored on USB flash drives that contain a copy of the key that was generated when encryption was enabled. Without these keys, user data on the drives cannot be accessed.

Before you activate and enable encryption, you must determine the method of accessing key information during times when the system requires an encryption key to be present. The system requires an encryption key to be present during the following operations:
  • System power-on
  • System restart
  • User initiated rekey operations
Several factors must be considered when you plan for encryption.
  • Physical security of the system
  • Need and benefit of manually accessing encryption keys when the system requires them
  • Availability of key data
  • Encryption license is purchased, activated, and enabled on the system
Two options are available for accessing key information on USB flash drives:

USB flash drives are inserted in the system at all times
    If you want the system to restart automatically, a USB flash drive must be left inserted in all the canisters on the system. This way, all canisters have access to the encryption key when they power on. This method requires that the physical environment where the system is located is secure. If the location is secure, it prevents an unauthorized person from making copies of the encryption keys, stealing the system, or accessing data that is stored on the system.

USB flash drives are never inserted into the system except as required
    For the most secure operation, do not keep the USB flash drives inserted into the canisters on the system. However, this method requires that you manually insert the USB flash drives that contain copies of the encryption key into the canisters during operations for which the system requires an encryption key to be present. USB flash drives that contain the keys must be stored securely to prevent theft or loss. During such operations, the USB flash drives must be inserted manually into each canister so that data can be accessed. After the system has completed unlocking the drives, the USB flash drives must be removed and stored securely to prevent theft or loss.

Encryption technology

Data is encrypted with the Advanced Encryption Standard (AES) algorithm, using a 256-bit symmetric encryption key in XTS mode as defined in the IEEE 1619-2007 standard (XTS-AES-256). The data encryption key is itself protected by a 256-bit AES key wrap when it is stored in non-volatile form.
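The following is an added example, not Lenovo's code, that models the key hierarchy this page describes (the access key that lives on the USB flash drives, the data encryption key kept in non-volatile storage only in AES-key-wrapped form, and XTS-AES-256 sector encryption), using the pyca/cryptography library. It also shows why the old key must be present for a rekey operation, as listed under "Accessing an encrypted system". The sector size, the tweak derivation, the function names and the assumption that a rekey rotates the wrapping key rather than re-encrypting the data are constructed for illustration and are not taken from the product documentation.

```python
# Added example, not Lenovo code: model of a wrapped-DEK / XTS-AES-256 hierarchy.
# Assumptions (not from the page): 512-byte sectors, tweak = little-endian sector
# number per IEEE 1619, and rekey = re-wrapping the DEK under a new access key.
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.keywrap import (
    aes_key_wrap, aes_key_unwrap, InvalidUnwrap)

SECTOR_SIZE = 512   # assumed data-unit size for this model
DEK_LEN = 64        # XTS-AES-256 uses two independent 256-bit AES keys (key1 || key2)
KEK_LEN = 32        # 256-bit AES key-wrap key: the "access key" held on the USB drives


def xts_tweak(sector_number: int) -> bytes:
    """IEEE 1619 tweak: the 128-bit data-unit number, little-endian."""
    return sector_number.to_bytes(16, "little")


def encrypt_sector(dek: bytes, sector_number: int, plaintext: bytes) -> bytes:
    """Encrypt one full sector with XTS-AES-256; the sector number is the tweak."""
    if len(dek) != DEK_LEN or len(plaintext) != SECTOR_SIZE:
        raise ValueError("XTS-AES-256 needs a 64-byte key and one full sector")
    enc = Cipher(algorithms.AES(dek), modes.XTS(xts_tweak(sector_number))).encryptor()
    return enc.update(plaintext) + enc.finalize()


def decrypt_sector(dek: bytes, sector_number: int, ciphertext: bytes) -> bytes:
    """Inverse of encrypt_sector. A wrong sector number yields garbage, not an error:
    XTS provides confidentiality only, not integrity."""
    if len(dek) != DEK_LEN or len(ciphertext) != SECTOR_SIZE:
        raise ValueError("XTS-AES-256 needs a 64-byte key and one full sector")
    dec = Cipher(algorithms.AES(dek), modes.XTS(xts_tweak(sector_number))).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    """AES key wrap (RFC 3394 / SP 800-38F KW) of the DEK under a 256-bit KEK.
    Only this wrapped form is ever written to non-volatile storage."""
    if len(kek) != KEK_LEN:
        raise ValueError("KEK must be 32 bytes for AES-256 key wrap")
    return aes_key_wrap(kek, dek)  # len(dek) + 8 bytes: a 64-bit integrity block is added


def unwrap_dek(kek: bytes, wrapped: bytes):
    """Recover the DEK, or None when the KEK is wrong (integrity check fails)."""
    try:
        return aes_key_unwrap(kek, wrapped)
    except InvalidUnwrap:
        return None


def rekey_access_key(old_kek: bytes, wrapped: bytes, new_kek: bytes):
    """Re-wrap the DEK under a new access key (modelled assumption: the data on the
    drives is not re-encrypted). The old key must be present or nothing can be done."""
    dek = unwrap_dek(old_kek, wrapped)
    if dek is None:
        return None
    return wrap_dek(new_kek, dek)


if __name__ == "__main__":
    kek = os.urandom(KEK_LEN)      # would live on the USB flash drives, never on the drives
    dek = os.urandom(DEK_LEN)      # generated once, when encryption is enabled
    stored = wrap_dek(kek, dek)    # the form that survives in non-volatile storage
    sector = b"constructed sample record 0001".ljust(SECTOR_SIZE, b"\0")
    ct = encrypt_sector(dek, 7, sector)
    print("wrapped DEK is", len(stored), "bytes; sector 7 ciphertext starts", ct[:8].hex())
    assert decrypt_sector(unwrap_dek(kek, stored), 7, ct) == sector
    print("unwrap with a wrong access key ->", unwrap_dek(os.urandom(KEK_LEN), stored))
```

The point the model makes concrete: the drives and the system's own non-volatile storage hold only ciphertext and the wrapped key, so a discarded or stolen enclosure yields nothing without the 32-byte access key, while the wrap's integrity block lets the system reject a wrong key at unlock time instead of silently producing garbage.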