Data at Rest Encryption (D@RE) in PowerStore uses FIPS 140-2 validated Self-Encrypting Drives (SEDs) by respective drive vendors for primary storage (NVMe SSD, NVMe SCM, and SAS SSD). Starting with PowerStoreOS 2.1, the PowerStore 500 model is fully FIPS 140-2 compliant. Starting with PowerStoreOS 3.0, all newly shipped models above PowerStore 500 are also FIPS 140-2 compliant. For existing systems that are upgraded to PowerStoreOS 3.0, a procedure to upgrade the system to be FIPS 140-2 compliant is available.
Encryption is performed within each drive before the data is written to the media. This protects the data on the drive against theft or loss and attempts to read the drive directly by physically deconstructing the drive. The encryption also provides a means to erase information quickly and securely on a drive to ensure that the information is not recoverable.
Reading encrypted data requires the authentication key for the SED to unlock the drive. Only authenticated SEDs are unlocked and accessible. Once the drive is unlocked, the SED decrypts the encrypted data back to its original form. The lockbox keeps the keys to each drive in the appliance, which are each encrypted to keep sensitive data safe. We recommend that you download the generated keystore archive file to an external, secure location. The PowerStore appliance must contain all SEDs.
PowerStoreOS 3.0 supports the usage of external key management applications using the Key Management Interoperability Protocol (KMIP). External key managers for storage arrays provide extra protection in the event the array is stolen. If the external key server is not present to provide the relevant Key Encryption Key (KEK), the storage system cannot be powered on.