Encryption of Data at Rest
by Hu Yoshida on Feb 12, 2010
Late last night I got an email from Christopher Kusek asking about FICON Encryption of data at rest.
“Hey Hu, I was reading a post from 2008 whereby it was stated that there was a solution for data at rest encryption over FICON?
Can you provide a little insight into this, and whether this story is true and there in fact is a FICON DAR encryption solution?”
I thought I would answer it in this blog since others may have a similar question.
Since V04 of the microcode on the USP V, we have had the ability to install, or field replace, backend directors with encrypting backend directors. They have to be installed in pairs for redundancy. Our theory is that data at rest encryption should be done where the data comes to rest, and that is behind the backend directors. With this approach we can encrypt any kind of disk (Flash, FC, or SATA), and we can encrypt data arriving from any supported front end director, whether it is FC or FICON. So yes, we can provide DAR encryption for FICON.
Hitachi does this in hardware, so there is no performance impact. The power consumption is only 1.6 Watt hour per encrypting director, and the heat dissipation is negligible. Unlike other encryption solutions such as appliances or switch blades, there is no impact to the SAN and no additional rack space or cabling is required. Since key management, or mismanagement, can be a major exposure for encrypted data, Hitachi has implemented this feature so that very little human intervention is required.
To read more about this feature, you can link here to an Application Brief written by Eric Hibbard.
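To make the "encrypt where the data comes to rest" design concrete, here is an added example in Go that is not code from Hitachi or from this post. It models one encrypting backend director sitting behind two front-end directors (labelled FC and FICON): a record written through one front end is read back through the other, the bytes on the simulated media never contain plaintext, and a stored block copied to a different logical block address is rejected on read. The cipher (AES-GCM), the random per-write nonce, and the binding of each block to its address are my assumptions for illustration; the post does not state which algorithm or key handling the USP V directors use, and the sample record is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// sector is what the simulated media stores for one logical block: the GCM
// nonce, the ciphertext and its authentication tag. No plaintext is kept.
type sector struct {
	nonce []byte
	ct    []byte
}

// Backend models an encrypting backend director. Every block, from every
// front end and for every media type, passes through the same AEAD.
type Backend struct {
	aead  cipher.AEAD
	media map[uint64]sector // logical block address -> stored sector
}

// NewBackend takes a 16/24/32-byte AES key. In a real array the key would be
// generated and held inside the director; it is a parameter here only so
// the example is self-contained (an assumption, not the product's design).
func NewBackend(key []byte) (*Backend, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Backend{aead: aead, media: make(map[uint64]sector)}, nil
}

// lbaAAD binds each ciphertext to its logical block address, so a sector
// copied or moved to another address fails authentication when read.
func lbaAAD(lba uint64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, lba)
	return buf
}

// Write encrypts and authenticates the block under a fresh random nonce.
func (b *Backend) Write(lba uint64, plaintext []byte) error {
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	b.media[lba] = sector{nonce: nonce, ct: b.aead.Seal(nil, nonce, plaintext, lbaAAD(lba))}
	return nil
}

// Read decrypts a block, failing if the tag or the address binding is wrong.
func (b *Backend) Read(lba uint64) ([]byte, error) {
	s, ok := b.media[lba]
	if !ok {
		return nil, errors.New("block never written")
	}
	return b.aead.Open(nil, s.nonce, s.ct, lbaAAD(lba))
}

// RawMedia returns the bytes as they sit on the drive, bypassing the
// director: what a removed or retired disk would expose.
func (b *Backend) RawMedia(lba uint64) []byte { return b.media[lba].ct }

// FrontEnd models an FC or FICON front-end director. It only forwards I/O
// and never handles key material, so the host protocol is irrelevant to DAR.
type FrontEnd struct {
	Protocol string
	backend  *Backend
}

func (f FrontEnd) Write(lba uint64, data []byte) error { return f.backend.Write(lba, data) }
func (f FrontEnd) Read(lba uint64) ([]byte, error)     { return f.backend.Read(lba) }

// Result summarises the three properties the scenario checks.
type Result struct {
	RoundTrip      bool // FICON write, FC read returns the original data
	RawIsPlaintext bool // expected false: media never holds plaintext
	RelocateFails  bool // a block moved to another LBA fails to decrypt
}

// RunScenario writes through one front end, reads through the other, then
// copies a stored sector to a different address to show it is rejected.
func RunScenario(key []byte) (Result, error) {
	var r Result
	be, err := NewBackend(key)
	if err != nil {
		return r, err
	}
	ficon := FrontEnd{Protocol: "FICON", backend: be}
	fc := FrontEnd{Protocol: "FC", backend: be}
	record := []byte("constructed sample record: ACCT=0001 BAL=12.50") // constructed input
	if err := ficon.Write(7, record); err != nil {
		return r, err
	}
	got, err := fc.Read(7)
	if err != nil {
		return r, err
	}
	r.RoundTrip = bytes.Equal(got, record)
	r.RawIsPlaintext = bytes.Contains(be.RawMedia(7), []byte("ACCT"))
	be.media[8] = be.media[7] // simulate a sector copied to another address
	_, err = be.Read(8)
	r.RelocateFails = err != nil
	return r, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	r, err := RunScenario(key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it prints `{RoundTrip:true RawIsPlaintext:false RelocateFails:true}`. The point of the model is that the front ends share nothing but a reference to the backend: swapping FICON for FC changes nothing about what reaches the media, which is why one encryption layer behind the backend directors covers every host protocol and every drive type at once.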
Hu, my company has a client who’s quite concerned about protection of the keys in the hardware and potential access to those keys by HDS engineers and support staff. What thoughts can you share on how I can assure the customer that HDS engineers will not access the cryptographic keys within the hardware during maintenance activities?