Data at Rest Encryption (D@RE) protects data confidentiality by adding back-end encryption to the entire array. D@RE provides hardware-based, on-array, back-end encryption. Back-end encryption protects information from unauthorized access when drives are removed from the system.
All configured drives are encrypted, including data drives, spares, and drives with no provisioned volumes.
If D@RE is configured, security is enabled on the self-encrypting drive (SED).
Encryption keys are kept on the drives rather than in PowerMaxOS.
Keys can be rotated by service engagement.
D@RE incorporates RSA Embedded Key Manager for key management. With D@RE, keys are self-managed, and there is no need to replicate keys across volume snapshots or remote sites. RSA Embedded Key Manager provides a separate, unique Data Encryption Key (DEK) for each drive in the array, including spare drives.
By securing data on enterprise storage, D@RE ensures that the potential exposure of sensitive data on discarded, misplaced, or stolen media is reduced or eliminated. If the key used to encrypt the data is secured, encrypted data cannot be read. In addition to protecting against threats related to physical removal of media, media can readily be repurposed by destroying the encryption key used for securing the data previously stored on that media.
D@RE:
D@RE can also be deployed with external key managers using the Key Management Interoperability Protocol (KMIP), which allows key management to be separated from PowerMax arrays. KMIP is an industry standard that defines message formats for the manipulation of cryptographic keys on a key management server. An external key manager provides support for consolidated key management and allows a PowerMax array to be integrated with an existing key management infrastructure.
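To make the KMIP message format mentioned above concrete, the following added example (not Dell code and not traffic captured from a PowerMax array) encodes and decodes KMIP's binary TTLV (tag, type, length, value) encoding, which is the kind of parsing needed to audit which key operations a client requests from a key management server. The sample message, its KMIP 1.4 version number, and the key identifier are constructed for illustration.

```python
# KMIP TTLV item types and tags (subset), values as defined in the KMIP specification.
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07
TAGS = {0x420078: "RequestMessage", 0x420077: "RequestHeader",
        0x420069: "ProtocolVersion", 0x42006A: "ProtocolVersionMajor",
        0x42006B: "ProtocolVersionMinor", 0x42000D: "BatchCount",
        0x42000F: "BatchItem", 0x42005C: "Operation",
        0x420079: "RequestPayload", 0x420094: "UniqueIdentifier"}
NAME_TO_TAG = {name: tag for tag, name in TAGS.items()}

# Constructed sample (an assumption for illustration): a Destroy request for one key.
SAMPLE = ("RequestMessage", STRUCTURE, [
    ("RequestHeader", STRUCTURE, [
        ("ProtocolVersion", STRUCTURE, [("ProtocolVersionMajor", INTEGER, 1),
                                        ("ProtocolVersionMinor", INTEGER, 4)]),
        ("BatchCount", INTEGER, 1)]),
    ("BatchItem", STRUCTURE, [
        ("Operation", ENUMERATION, 0x14),  # 0x14 = Destroy
        ("RequestPayload", STRUCTURE, [
            ("UniqueIdentifier", TEXT_STRING, "constructed-key-0001")])])])

def encode(node):
    """Serialize one (name, type, value) node; a STRUCTURE value is a list of nodes."""
    name, typ, value = node
    if typ == STRUCTURE:
        body = b"".join(encode(child) for child in value)
    elif typ in (INTEGER, ENUMERATION):
        body = value.to_bytes(4, "big", signed=(typ == INTEGER))
    else:
        body = value.encode("utf-8")
    header = NAME_TO_TAG[name].to_bytes(3, "big") + bytes([typ]) + len(body).to_bytes(4, "big")
    return header + body + b"\x00" * (-len(body) % 8)

def decode(buf):
    """Parse TTLV bytes into (name, type, value) nodes; reject truncated input."""
    nodes, pos = [], 0
    while pos < len(buf):
        length = int.from_bytes(buf[pos + 4:pos + 8], "big")
        end = pos + 8 + length + (-length % 8)  # values are padded to 8-byte multiples
        if len(buf) - pos < 8 or end > len(buf):
            raise ValueError("truncated TTLV item at offset %d" % pos)
        tag, typ = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3]
        value = buf[pos + 8:pos + 8 + length]  # unknown types stay as raw bytes
        if typ == STRUCTURE:
            value = decode(value)
        elif typ in (INTEGER, ENUMERATION) and length == 4:
            value = int.from_bytes(value, "big", signed=(typ == INTEGER))
        elif typ == TEXT_STRING:
            value = value.decode("utf-8")
        nodes.append((TAGS.get(tag, hex(tag)), typ, value))
        pos = end
    return nodes
```

Calling `decode(encode(SAMPLE))` returns the same tree, and tags outside the subset appear by their hex value instead of a name.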