End-to-end efficient encryption combines Thales host encryption with PowerMax 2000/8000 back-end Data at Rest Encryption (D@RE) using industry-standard AES encryption technology. End-to-end efficient encryption protects data while taking advantage of PowerMax space-saving data reduction technology. Thales software encrypts and decrypts data that is written from the application host to the PowerMax array. PowerMax decrypts the data to process through the data reduction engine, and D@RE re-encrypts the data. Encryption from the host is set on a volume level. Not all volumes are required to participate. Encryption on the back end with D@RE encrypts all data, regardless of whether it is set for efficient encryption. 

PowerMax and Thales are integrated to provide an end-to-end encryption solution. PowerMax uses its existing D@RE solution to provide back-end encryption. Thales provides two external components for encryption at the application host:

• Data Security Manager (DSM)

• Provides centralized management of policies and keys 
• Communicates with the KMIP communication protocol that resides on the PowerMax MMCS
• Is deployed either as a virtual or hardware-based appliance

• Vormetric Transparent Encryption (VTE) 

• Host-based agent that encrypts user data before sending it to the array
• Coordinates with DSM for management of encryption keys

The following is a summary of the encryption process:

1. Thales VTE software encrypts data when written from the host application.
2. Encrypted data arrives at the PowerMax in system cache.
3. Data is decrypted using an additional installed I/O module.
4. The PowerMax array applies the data reduction process to the data.
5. The data is re-encrypted using back-end D@RE encryption before it is written to storage.

The following figure shows the end-to-end encryption architecture. 

Figure 15.    End-to-end efficient encryption