OneFS also provides a solution for the security of data at rest. This involves dedicated storage nodes containing self-encrypting drives (SEDs), with an encryption key management system embedded within OneFS. Data is encrypted on disk using the AES-256 cipher, and each SED has a unique data encryption key (DEK) which is used to encrypt and decrypt data as it is read from and written to disk. OneFS automatically generates an authentication key (AK) that wraps and secures the DEK. This means that the data on any SED which is removed from its source node cannot be unlocked and read, thereby guarding against the data security risks of hard drive theft.
The Data Encryption at Rest solution also allows SED drives to be securely wiped before being repurposed or retired, using cryptographic erasure. Cryptographic erasure involves “shredding” the encryption keys to wipe data and can be done in a matter of seconds. To achieve this, OneFS irreversibly overwrites the vendor-provided password, or MSID, on each drive, resulting in all the on-disk data being scrambled.
OneFS encryption of data at rest satisfies several industries’ regulatory compliance requirements, including U.S. Federal FIPS 140-2 Level 2 and PCI-DSS v2.0 section 3.4.