Dell Data at Rest Encryption (D@RE) provides hardware-based, on-array, back-end encryption for PowerMax arrays. D@RE provides back-end encryption using IO modules that implement 256-bit AES-XTS data encryption and are FIPS 140-2 validated. The IO modules encrypt data as it is written to the drives and decrypt it as it is read. All configured drives in the array are encrypted, including data and spare drives, each using its own unique Data Encryption Key (DEK).
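To make concrete what per-drive AES-XTS encryption in the IO module means for the data that actually lands on media, here is an added Python example; it is not Dell's code and not part of the original page. It models two drives that each hold their own 256-bit DEK, encrypt every sector written to them and decrypt on read. It assumes the third-party `cryptography` package is installed; the drive names, the 512-byte sector size and the little-endian sector-number tweak are illustrative assumptions, not details taken from the D@RE implementation.

```python
"""Added example (not Dell's code): per-drive AES-256-XTS sector encryption.

Assumes the third-party `cryptography` package. Drive identifiers, sector
size and the tweak convention below are constructed for illustration.
"""
import os
from typing import Dict, Optional

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512  # assumed sector size for the toy drive


def generate_dek() -> bytes:
    """AES-256-XTS uses two independent 256-bit keys, so a DEK is 64 random bytes."""
    return os.urandom(64)


def _tweak(sector: int) -> bytes:
    # XTS binds each ciphertext block to its location: the 128-bit tweak is the
    # sector number, little-endian (the IEEE 1619 / dm-crypt convention; assumed here).
    return sector.to_bytes(16, "little")


def encrypt_sector(dek: bytes, sector: int, plaintext: bytes) -> bytes:
    if len(plaintext) != SECTOR_SIZE:
        raise ValueError("XTS operates on whole sectors")
    enc = Cipher(algorithms.AES(dek), modes.XTS(_tweak(sector))).encryptor()
    return enc.update(plaintext) + enc.finalize()


def decrypt_sector(dek: bytes, sector: int, ciphertext: bytes) -> bytes:
    if len(ciphertext) != SECTOR_SIZE:
        raise ValueError("XTS operates on whole sectors")
    dec = Cipher(algorithms.AES(dek), modes.XTS(_tweak(sector))).decryptor()
    return dec.update(ciphertext) + dec.finalize()


class EncryptingDrive:
    """Toy model of one drive sitting behind an encrypting IO module."""

    def __init__(self, drive_id: str, dek: Optional[bytes] = None):
        self.drive_id = drive_id
        self.dek = dek if dek is not None else generate_dek()  # unique per drive
        self._media: Dict[int, bytes] = {}  # what physically lands on the platter/flash

    def write(self, sector: int, data: bytes) -> None:
        self._media[sector] = encrypt_sector(self.dek, sector, data)

    def read(self, sector: int) -> bytes:
        return decrypt_sector(self.dek, sector, self._media[sector])

    def raw(self, sector: int) -> bytes:
        """What someone pulling the drive out of the array would see."""
        return self._media[sector]


def demonstrate() -> dict:
    """Write the same record to two drives and two sectors; report what is observable."""
    record = b"customer record 0001".ljust(SECTOR_SIZE, b"\0")  # constructed sample data
    drive_a = EncryptingDrive("drive-A")
    drive_b = EncryptingDrive("drive-B")
    drive_a.write(7, record)
    drive_a.write(8, record)
    drive_b.write(7, record)

    # XTS gives confidentiality only: a flipped ciphertext byte decrypts without
    # error to garbage, so integrity must come from a higher layer (e.g. checksums).
    corrupted = bytearray(drive_a.raw(7))
    corrupted[0] ^= 0x01
    tampered_plain = decrypt_sector(drive_a.dek, 7, bytes(corrupted))

    return {
        "roundtrip_ok": drive_a.read(7) == record,
        "media_is_ciphertext": drive_a.raw(7) != record,
        "same_data_differs_by_sector": drive_a.raw(7) != drive_a.raw(8),
        "same_data_differs_by_drive": drive_a.raw(7) != drive_b.raw(7),
        "other_drive_dek_fails": decrypt_sector(drive_b.dek, 7, drive_a.raw(7)) != record,
        "tamper_undetected": len(tampered_plain) == SECTOR_SIZE and tampered_plain != record,
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

Two points worth noting from the output: because every drive has its own DEK, a drive that is pulled from the array and read elsewhere yields only ciphertext, and the same plaintext written to two sectors (or two drives) produces different ciphertext because XTS mixes the sector position into the cipher. The last result is the caveat: XTS mode provides confidentiality but no integrity, so silent modification of on-disk ciphertext is not detected by the cipher itself.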
D@RE can be deployed with either an embedded, set-it-and-forget-it key manager or with external key management.
With embedded key management, D@RE is integrated with Dell Key Trust Platform (KTP). Dell KTP establishes a pervasive and secure infrastructure for all key generation, distribution, and management capabilities required for D@RE.
The following figure shows the embedded key management architecture.
External key management uses OASIS Key Management Interoperability Protocol (KMIP). KMIP allows for separation of key management from PowerMax arrays. An external key manager provides external centralized and consolidated key storage and management and allows integration between PowerMax arrays and the existing key management infrastructure.
The following figure shows the external key management architecture.