OneFS encryption
PowerScale OneFS provides data at rest encryption (DARE) using self-encrypting drives (SEDs), ensuring that data is encrypted during writes and decrypted during reads. Data stored on the SEDs is encrypted and decrypted with a 256-bit AES data encryption key (DEK). OneFS takes the standard SED encryption further by wrapping the DEK for each SED in an authentication key (AK). To further prevent unauthorized access, the AKs for each drive are placed in a key manager (KM) that is stored securely in an encrypted database, the key manager database (KMDB). The KMDB is encrypted with a 256-bit universal key (UK), as shown in the following figure.
PowerScale OneFS 9.2.0.0 and later releases support an external key manager by using a Key Management Interoperability Protocol (KMIP)-compliant key manager server. The UK is stored in a KMIP-compliant server. PowerScale OneFS releases before OneFS 9.2 retain the UK internally on the node.
To further protect the KMDB, OneFS 9.5.0.0 provides a feature to rekey the UK. The UK may be rekeyed on a specified schedule or as requested. The feature supports both UKs that are stored on a KMIP server and UKs that are stored internally.
The AK is unique to each SED and ensures that OneFS never knows the DEK. If a drive is stolen from a PowerScale node, the data on the SED is useless because the UK, the AK, and the DEK are all required to unlock the drive. If an SED is removed from a node, OneFS automatically deletes the AK. Conversely, when a new SED is added to a node, OneFS automatically assigns a new AK.
For Gen 5 Isilon nodes, the KMDB is stored on both compact flash drives in each node. For Gen 6 Isilon nodes, the KMDB is stored in the node’s NVRAM, and a copy is placed in the buddy node’s NVRAM. For Dell PowerEdge-based nodes, the KMDB is stored in the trusted platform module (TPM). Using the KM and AKs ensures that the DEKs never leave the SED boundary, as required for FIPS compliance.
Note: The key manager uses FIPS-validated cryptography when the STIG hardening profile is applied to the cluster. For information about enabling the STIG hardening profile, see the STIG security profile section.
The KM and KMDB are entirely secure and cannot be compromised because they are not accessible by any CLI command or script. The KMDB only stores the local drives' AKs in Gen 5 nodes, and buddy node drives in Gen 6 nodes. On PowerEdge-based nodes, the KMDB only stores the AKs of local drives. The KM also applies its own encryption so that the AKs are not stored in plain text.
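The key hierarchy described above (DEK wrapped by a per-drive AK, AKs held in a KMDB encrypted under the UK, UK rekey, AK deletion on drive removal) can be modeled in a few lines. This is an added illustration, not Dell or OneFS code: the `Sed` and `KeyManager` classes are hypothetical, an HMAC-SHA256 construction stands in for AES-256 so the example runs with the standard library only, and encrypting each KMDB entry separately is a simplification.

```python
import hashlib, hmac, os

def _ks(key, nonce, n):  # HMAC-SHA256 counter keystream: toy stand-in for AES-256
    return b"".join(hmac.new(key, b"ks" + nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def wrap(key, secret):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _ks(key, nonce, len(secret))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

class Sed:  # models the drive: the DEK exists only inside it, wrapped under the AK
    def __init__(self, ak):
        self._wrapped_dek = wrap(ak, os.urandom(32))
    def unlock(self, ak):
        unwrap(ak, self._wrapped_dek)  # raises ValueError on a wrong AK
        return True                    # the DEK itself is never handed out

class KeyManager:  # models KM + KMDB; each AK entry is encrypted under the UK
    def __init__(self):
        self.uk, self.kmdb = os.urandom(32), {}
    def add_drive(self, bay):          # new SED -> new AK
        ak = os.urandom(32)
        self.kmdb[bay] = wrap(self.uk, ak)
        return Sed(ak)
    def ak_for(self, bay):
        return unwrap(self.uk, self.kmdb[bay])
    def remove_drive(self, bay):       # removed SED -> AK deleted
        del self.kmdb[bay]
    def rekey_uk(self):                # re-encrypts KMDB entries only
        new_uk = os.urandom(32)
        self.kmdb = {b: wrap(new_uk, unwrap(self.uk, e)) for b, e in self.kmdb.items()}
        self.uk = new_uk

def demo():
    km = KeyManager()
    sed = km.add_drive("bay1")
    ak, old_uk = km.ak_for("bay1"), km.uk
    km.rekey_uk()
    ak_unchanged = km.ak_for("bay1") == ak and sed.unlock(km.ak_for("bay1"))
    km.remove_drive("bay1")
    return ak_unchanged, old_uk != km.uk, "bay1" in km.kmdb
```

In this model a UK rekey touches only the KMDB entries: the AK and the drive's wrapped DEK are unchanged and the drive still unlocks, while the retired UK no longer opens the KMDB.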