Within a storage network, encryption of data may occur at different hardware levels. Array controller based encryption describes the encryption of data at the disk array controller before it is sent to the disk drives. This article provides an overview of different implementation techniques for array controller based encryption. For cryptographic and encryption theory, see disk encryption theory.
The encryption of data can take place at many points in a storage network. The point of encryption may be on the host computer, in the SAN infrastructure, in the array controller or on each of the hard disks, as shown on the diagram above. Each point of encryption has different merits and costs. Within the diagram, the key server components are also shown for each configuration of encryption. Designers of SANs and SAN components must take into consideration factors such as performance, deployment complexity, key server interoperability, strength of security, and cost when choosing where to implement encryption. Because the array controller is a natural central point for all data, encryption at this level is inherent and also reduces deployment complexity.
Depending on whether the array controller is hardware or software and how it is configured, there are different types of solutions for this type of encryption. Each of these solutions can be built into existing infrastructures by replacing or upgrading certain components. Basic components include an encryption key server, a key management client, and commonly an encryption unit, all of which are implemented in the storage network.
For an internal array controller configuration, the array controller is generally a PCI bus card situated inside the host computer. As shown in the diagram, the PCI array controller would contain an encryption unit where plaintext data is encrypted into ciphertext. This separate encryption unit is used to minimize performance reduction and maintain data throughput. Furthermore, the Key Management Client will generally be an additional service within the host computer applications, where it will authenticate all keys retrieved from the Key Server. A major disadvantage of this type of implementation is that encryption components must be integrated within each host computer, which is redundant on large networks with many host devices.
In the case of an external array controller setup, the array controller would be an independent hardware module connected to the network. Within the hardware array controller would be an Encryption unit for data encryption as well as a Key Management Client for authentication. Generally, there are few hardware array controllers to many host devices and storage disks. Implementing encryption in these fewer hardware components therefore reduces deployment complexity. Moreover, the lifecycle of an array controller is generally much longer than that of host computers and storage disks, so the encryption implementation will not need to be reimplemented as often as if encryption were done at another point in the storage network.
In an external array controller, the encryption unit can be placed on either the front-end side or the back-end side of the array controller. Each placement has its own advantages and disadvantages:
| | Advantages | Disadvantages |
|---|---|---|
| Front-end side | All data is encrypted before it moves along the array controller, so data is already encrypted when it is sent through the replication link or stored in the internal array controller cache. | Since data is encrypted before it moves along the array controller, data de-duplication and data compression cannot be done when sending data through the replication link. Therefore, huge costs can be incurred when sending huge amounts of data through the replication link. |
| Back-end side | Since all data is encrypted before leaving the array controller, data de-duplication and data compression can be done and therefore may save costs, since only compressed and unique data is sent through the replication link. | Sensitive data may be compromised when it is sent through the replication link, and cached data in the array controller may also be compromised. |
The placement of the encryption unit may strongly affect the security of a controller based encryption implementation. This issue must therefore be taken into account when designing the implementation, in order to mitigate all security risks.
For software array controller encryption, a software array controller driver directs data into individual host bus adapters. In the adjacent diagram, there are multiple host bus adapters with hardware encryption units, used to meet higher performance requirements. This type of encryption can also be implemented with only one host bus adapter connected to a network of multiple hard drives and would still function, but performance will be reduced since there will be only one encryption unit processing data. Key management is done much like in the internal array controller encryption described above, with the Key Management Client implemented as a service within the Host Computer.
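The trade-off in the table can be measured directly. The following is an added example, not part of the original article: it replicates the same constructed volume once with the encryption unit modelled on the front-end side and once on the back-end side, and counts the bytes that cross the replication link. The function names, the 4096-byte block size, the sample data and the SHA-256 keystream (a toy stand-in for a real encryption unit) are all assumptions made for illustration.

```python
import hashlib
import zlib

BLOCK = 4096  # assumed logical block size in bytes

def encrypt_block(key: bytes, lba: int, data: bytes) -> bytes:
    """Toy stand-in for the encryption unit: SHA-256 keystream tweaked by LBA.
    Not a real disk cipher; it only reproduces random-looking ciphertext."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + lba.to_bytes(8, "big") + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def replicate(blocks) -> int:
    """De-duplicate by content hash, compress unique blocks, return bytes sent."""
    seen, sent = set(), 0
    for blk in blocks:
        digest = hashlib.sha256(blk).digest()
        if digest in seen:
            sent += len(digest)          # duplicate: send only a reference
        else:
            seen.add(digest)
            sent += len(zlib.compress(blk))
    return sent

def link_bytes(volume, key: bytes):
    """Bytes crossing the replication link for each placement."""
    # Front-end: blocks are ciphertext before the controller can reduce them.
    front = replicate([encrypt_block(key, lba, b) for lba, b in enumerate(volume)])
    # Back-end: the controller reduces plaintext; the link carries it unencrypted.
    back = replicate(volume)
    return front, back

def sample_volume():
    """Constructed sample data: 8 blocks with heavy duplication."""
    a = b"customer-record;" * (BLOCK // 16)
    b = b"invoice-line-01;" * (BLOCK // 16)
    return [a] * 4 + [bytes(BLOCK)] * 2 + [b] * 2

if __name__ == "__main__":
    front, back = link_bytes(sample_volume(), b"constructed-demo-key")
    print(f"front-end placement: {front} bytes on the link (ciphertext)")
    print(f"back-end placement:  {back} bytes on the link (plaintext)")
```

The small back-end figure is reached only because the link carries reduced plaintext, which is the exposure listed in the disadvantages column; protecting the replication link separately is the usual way to keep the savings without that exposure.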
In the context of an operating system, a device driver is a computer program that operates or controls a particular type of device that is attached to a computer or automaton. A driver provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used.
Small Computer System Interface is a set of standards for physically connecting and transferring data between computers and peripheral devices, best known for its use with storage devices such as hard disk drives. SCSI was introduced in the 1980s and has seen widespread use on servers and high-end workstations, with new SCSI standards being published as recently as SAS-4 in 2017.
Wake-on-LAN is an Ethernet or Token Ring computer networking standard that allows a computer to be turned on or awakened from sleep mode by a network message.
In computing, a file server is a computer attached to a network that provides a location for shared disk access, i.e. storage of computer files that can be accessed by workstations within a computer network. The term server highlights the role of the machine in the traditional client–server scheme, where the clients are the workstations using the storage. A file server does not normally perform computational tasks or run programs on behalf of its client workstations.
RAID is a data storage virtualization technology that combines multiple physical disk drive components into one or more logical units for the purposes of data redundancy, performance improvement, or both. This is in contrast to the previous concept of highly reliable mainframe disk drives referred to as "single large expensive disk" (SLED).
Internet Small Computer Systems Interface or iSCSI is an Internet Protocol-based storage networking standard for linking data storage facilities. iSCSI provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI facilitates data transfers over intranets and the management of storage over long distances. It can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval.
A disk controller is a controller circuit that enables a CPU to communicate with a hard disk, floppy disk or other kind of disk drive. It also provides an interface between the disk drive and the bus connecting it to the rest of the system.
In computer hardware a host controller, host adapter or host bus adapter (HBA) connects a computer system bus which acts as the host system to other network and storage devices. The terms are primarily used to refer to devices for connecting SCSI, SAS, NVMe, Fibre Channel and SATA devices. Devices for connecting to FireWire, USB and other devices may also be called host controllers or host adapters.
Network-attached storage (NAS) is a file-level computer data storage server connected to a computer network providing data access to a heterogeneous group of clients. The term "NAS" can refer to both the technology and systems involved, or a specialized device built for such functionality.
A disk array controller is a device that manages the physical disk drives and presents them to the computer as logical units. It almost always implements hardware RAID, thus it is sometimes referred to as RAID controller. It also often provides additional disk cache.
TCP offload engine (TOE) is a technology used in some network interface cards (NIC) to offload processing of the entire TCP/IP stack to the network controller. It is primarily used with high-speed network interfaces, such as gigabit Ethernet and 10 Gigabit Ethernet, where processing overhead of the network stack becomes significant. TOEs are often used as a way to reduce the overhead associated with Internet Protocol (IP) storage protocols such as iSCSI and Network File System (NFS).
A NetApp FAS is a computer storage product by NetApp running the ONTAP operating system; the terms ONTAP, AFF, ASA, FAS are often used as synonyms. "Filer" is also used as a synonym although this is not an official name. There are three types of FAS systems: Hybrid, All-Flash, and All SAN Array:
The IBM SAN Volume Controller (SVC) is a block storage virtualization appliance that belongs to the IBM System Storage product family. SVC implements an indirection, or "virtualization", layer in a Fibre Channel storage area network (SAN).
In computer science, storage virtualization is "the process of presenting a logical view of the physical storage resources to" a host computer system, "treating all storage media in the enterprise as a single pool of storage."
An adapter in regard to computing can be either a hardware component (device) or software that allows two or more incompatible devices to be linked together for the purpose of transmitting and receiving data. Given an input, an adapter alters it in order to provide a compatible connection between the components of a system. Both software and hardware adapters are used in many different devices such as mobile phones, personal computers, servers and telecommunications networks for a wide range of purposes. Some adapters are built into devices, while the others can be installed on a computer's motherboard or connected as external devices.
Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.
In computing, virtualization or virtualisation in British English is the act of creating a virtual version of something at the same abstraction level, including virtual computer hardware platforms, storage devices, and computer network resources.
A storage area network (SAN) or storage network is a computer network which provides access to consolidated, block-level data storage. SANs are primarily used to access data storage devices, such as disk arrays and tape libraries from servers so that the devices appear to the operating system as direct-attached storage. A SAN typically is a dedicated network of storage devices not accessible through the local area network (LAN).
Software-defined storage (SDS) is a marketing term for computer data storage software for policy-based provisioning and management of data storage independent of the underlying hardware. Software-defined storage typically includes a form of storage virtualization to separate the storage hardware from the software that manages it. The software enabling a software-defined storage environment may also provide policy management for features such as data deduplication, replication, thin provisioning, snapshots and backup.
Enterprise Storage OS, also known as ESOS, is a Linux distribution that serves as a block-level storage server in a storage area network (SAN). ESOS is composed of open-source software projects that are required for a Linux distribution and several proprietary build and install time options. The SCST project is the core component of ESOS; it provides the back-end storage functionality.