Data-at-rest encryption (D@RE)
Compliance requirements often mandate the use of encryption to protect data written on disks. In ECS, encryption can be enabled at the namespace and bucket levels. Key features of ECS D@RE include:
Note: FIPS 140-2 mode enforces the use of approved-only algorithms within D@RE; FIPS 140-2 compliance is only for the D@RE module, not the entire ECS product.
Gemalto SafeNet KeySecure will reach end of life on Dec 31, 2023. Refer to this External Communication for more details. ECS customers who are using KeySecure can migrate to CipherTrust Manager by opening a ticket with support.
ECS uses a key hierarchy to encrypt and decrypt data. The native key manager stores a private key common to all nodes to decrypt the primary key. With EKM configuration, the primary key is provided by the EKM. EKM-provided keys reside in memory only on ECS. They are never stored in persistent storage within ECS.
In a geo-replicated environment, when a new ECS system joins an existing federation, the primary key is extracted using the public-private key of the existing system and encrypted using the new public-private key pair generated from the new system that joined the federation. From this point on, the primary key is global and known to both systems within the federation. When using EKM, all federated systems retrieve the primary key from the key management system.
ECS supports changing encryption keys. This can be done periodically to limit the amount of data protected by a specific set of Key Encryption Keys (KEK) or in response to a potential leak or compromise. A Rotation KEK Record is used with other parent keys to create virtual wrapping keys for protecting Data Encryption Keys (DEK) and namespace KEKs.
Rotation keys are natively generated or supplied and maintained by an EKM. ECS uses the current Rotation Key to create virtual wrapping keys to protect any DEK or KEK regardless of whether key management is done natively or externally.
During writes, ECS wraps the randomly generated DEK using a virtual wrapping key created using the bucket and active rotation key.
As part of the rotation of keys, ECS re-wraps all namespace KEK records with a new virtual primary KEK created from the new rotation key, the associated secret context, and the active primary key. This is done to protect access to data protected by the previous rotation keys.
Using an EKM affects the read/write path for encrypted objects. Rotation of keys allows for extra data protection by using virtual wrapping keys for DEKs and namespace KEKs. The virtual wrapping keys are not persisted and are derived from two independent hierarchies of persisted keys. When an EKM is used, the rotation key is not stored in ECS, which adds further to the security of the data. Rotation mainly adds new KEK records and updates active IDs; nothing is deleted.
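The rotation behaviour described above, modelled as an added example (this is not ECS code): virtual wrapping keys are derived on demand from a parent key and a rotation key, rotation adds a record and re-wraps the namespace KEK, and earlier DEK records stay readable. The HMAC-based derivation and wrap, the `KeyStore` class and its method names, and leaving existing DEK records under the rotation key that was active when they were written are assumptions for illustration; the page does not specify ECS's algorithms.

```python
import hashlib
import hmac
import os

def _mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def virtual_key(parent, rotation, context=b""):
    # Derived on demand from two independently stored keys; never persisted.
    return _mac(parent, b"vwrap", rotation, context)

def wrap(kek, key):
    # Stand-in for a real key-wrap algorithm (assumption): HMAC keystream plus tag.
    salt = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, _mac(kek, b"ks", salt)))
    return salt + ct + _mac(kek, b"tag", salt, ct)

def unwrap(kek, blob):
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(kek, b"tag", salt, ct)):
        raise ValueError("wrong wrapping key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _mac(kek, b"ks", salt)))

class KeyStore:
    CONTEXT = b"constructed-secret-context"  # constructed sample value
    def __init__(self):
        # With an EKM, the primary and rotation keys would come from it instead.
        self.primary, self.bucket_key = os.urandom(32), os.urandom(32)
        self.rotation, self.active = {1: os.urandom(32)}, 1  # records only added
        self.ns_kek_record = (1, wrap(self._vprimary(1), os.urandom(32)))

    def _vprimary(self, rot_id):
        return virtual_key(self.primary, self.rotation[rot_id], self.CONTEXT)

    def namespace_kek(self):
        return unwrap(self._vprimary(self.ns_kek_record[0]), self.ns_kek_record[1])

    def new_dek(self):
        dek = os.urandom(32)  # random DEK, wrapped under bucket + active rotation key
        vkey = virtual_key(self.bucket_key, self.rotation[self.active])
        return dek, (self.active, wrap(vkey, dek))

    def read_dek(self, rec):
        return unwrap(virtual_key(self.bucket_key, self.rotation[rec[0]]), rec[1])

    def rotate(self):
        kek = self.namespace_kek()  # unwrap under the old virtual primary KEK
        self.active = max(self.rotation) + 1
        self.rotation[self.active] = os.urandom(32)  # add a record, delete nothing
        self.ns_kek_record = (self.active, wrap(self._vprimary(self.active), kek))
```

Each stored record carries the ID of the rotation key it was wrapped under, which is why retaining old rotation records matters for reads after a rotation.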
Additional points to consider regarding key rotation on ECS are:
See the latest ECS Security Configuration Guide for further information about D@RE, EKM, and key rotation.