Figure 1 (native key management key hierarchy) shows the native encryption key management hierarchy. The hierarchy contains the key types described below.
During VDC install, a public-private key pair is generated; it is used to protect the natively generated master key and the resource table (RT) data encryption key. The master key and the RT data encryption key are then used to derive the virtual master key, which in turn protects the namespace and rotation keys. The namespace key protects the bucket keys. The virtual bucket key is derived from the rotation key and the bucket key, and is then used to protect the object DEK. The object DEK is randomly generated when the object is created.
Note: Virtual keys are derived and never persisted to the disk.
Natively managed keys in ECS systems are persisted in the locations shown in Figure 2. The VDC public-private key pair is persisted within vNest, a local key-value store. The VDC public key is used to wrap the master key and the RT data encryption key, which are then persisted in the resource table (RT). The RT is another key-value store that spans all the VDCs in the federation. To use the master key or the RT data encryption key, the wrapped value is read from the RT and unwrapped with the VDC private key.
The virtual master key wraps the rotation key and the namespace key using AESKeyWrapRFC5649, and the namespace key wraps the bucket key with the same algorithm. These wrapped keys are also stored in the resource table. The virtual bucket key wraps the object data encryption key using AESKeyWrapRFC5649, and the wrapped object key is persisted in the object table. The object table is another instance of a distributed key-value store that spans all VDCs in the federation.
When keys are persisted or retrieved, only the wrapped (encrypted) key material is transported between nodes of a VDC or across VDCs. Decryption of a key happens locally at each service that needs that key.
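The hierarchy and persistence rules above, modelled end to end as an added example (this is not Dell's code). It assumes HKDF-SHA256 for deriving the virtual keys and RSA-OAEP for the VDC key pair, neither of which the page specifies, and uses Python dicts in place of vNest, the RT and the object table; only the RFC 5649 wrapping is taken from the page.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.keywrap import (
    aes_key_wrap_with_padding, aes_key_unwrap_with_padding)

OAEP = padding.OAEP(padding.MGF1(hashes.SHA256()), hashes.SHA256(), None)


def derive_virtual_key(k1: bytes, k2: bytes, label: bytes) -> bytes:
    """Virtual key = HKDF-SHA256(k1 || k2). Assumption: the page only says
    virtual keys are derived and never persisted, not which KDF is used."""
    return HKDF(hashes.SHA256(), 32, salt=None, info=label).derive(k1 + k2)


class Vdc:
    """One VDC: private key stays in 'vNest'; every table holds wrapped keys only."""

    def __init__(self):
        self.vnest_private = rsa.generate_private_key(65537, 2048)  # assumption: RSA
        pub = self.vnest_private.public_key()
        master, rt_dek = os.urandom(32), os.urandom(32)  # natively generated, random
        # Resource table (RT): master and RT DEK wrapped under the VDC public key.
        self.rt = {"master": pub.encrypt(master, OAEP), "rt_dek": pub.encrypt(rt_dek, OAEP)}
        self.object_table = {}  # object id -> object DEK wrapped under the virtual bucket key
        vmk = self.virtual_master_key()
        # Rotation and namespace keys wrapped under the virtual master key (RFC 5649).
        self.rt["rotation"] = aes_key_wrap_with_padding(vmk, os.urandom(32))
        self.rt["namespace"] = aes_key_wrap_with_padding(vmk, os.urandom(32))
        ns_key = aes_key_unwrap_with_padding(vmk, self.rt["namespace"])
        # One bucket key, wrapped under the namespace key (the example models one bucket).
        self.rt["bucket"] = aes_key_wrap_with_padding(ns_key, os.urandom(32))

    def virtual_master_key(self) -> bytes:
        def unwrap(name):  # read the wrapped value from the RT, unwrap locally
            return self.vnest_private.decrypt(self.rt[name], OAEP)
        return derive_virtual_key(unwrap("master"), unwrap("rt_dek"), b"virtual-master")

    def virtual_bucket_key(self) -> bytes:
        vmk = self.virtual_master_key()
        rotation = aes_key_unwrap_with_padding(vmk, self.rt["rotation"])
        ns_key = aes_key_unwrap_with_padding(vmk, self.rt["namespace"])
        bucket = aes_key_unwrap_with_padding(ns_key, self.rt["bucket"])
        return derive_virtual_key(rotation, bucket, b"virtual-bucket")

    def create_object(self, obj_id: str) -> bytes:
        dek = os.urandom(32)  # object DEK: random, generated at object creation
        self.object_table[obj_id] = aes_key_wrap_with_padding(self.virtual_bucket_key(), dek)
        return dek

    def object_dek(self, obj_id: str) -> bytes:
        return aes_key_unwrap_with_padding(self.virtual_bucket_key(), self.object_table[obj_id])


def persisted_values(vdc: Vdc) -> list:
    """Everything written to a table: wrapped keys only, never a plaintext or virtual key."""
    return list(vdc.rt.values()) + list(vdc.object_table.values())
```

The check worth keeping from this model is the last function: neither the virtual keys nor any plaintext DEK ever appears among the persisted values, which is the property the hierarchy is built to give.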