EMC announced new encryption features for PowerPath and Connectrix that use RSA Key Manager for the Datacenter for encryption key management. PowerPath supplies encryption support for disks, and Connectrix supplies encryption for tape and disk library applications.
PowerPath, EMC’s family of host-based applications for multipathing and data migration, now supports AES 128- and 256-bit encryption for disk data. Host-based encryption like PowerPath protects data end-to-end as it is being transmitted from the host to the storage and back again.
Currently, PowerPath encryption supports EMC Symmetrix and CLARiiON storage arrays, and support is planned for other vendors’ storage as part of a phased release. The encryption feature is available on Windows and Solaris versions of PowerPath starting in May, and support for additional operating systems will follow. PowerPath encryption secures host data at the volume level and does not change the size of the data on disk (i.e., it does not compress data), which preserves byte-level addressing of encrypted data.
Deployment of EMC’s PowerPath host-based encryption will have very little storage performance (I/O throughput) impact, provided host CPU utilization is kept at reasonable levels prior to encryption. The recommended CPU idle time threshold is 15%. Encryption is performed at the kernel level both for performance and security reasons.
RSA Key Manager for the Datacenter creates and secures encryption keys and associates an object identifier with a host volume being encrypted. See below for more on RSA Key Manager.
Data backed up using PowerPath encryption is read from storage and decrypted before being fed to the backup software, which creates two considerations:
- Any data backed up is in the clear and therefore, unsecured.
- “LAN-free” backup products would need PowerPath encryption services on their servers plus access to RSA key management in order to back up encrypted data.
The data must be in the clear, unencrypted, for it to be restored incrementally or restored to a different LUN.
For tape and other data streaming applications like disk libraries, EMC has released Connectrix support for Cisco Storage Media Encryption (SME). Connectrix will support encrypting data streams for backup/restore purposes. EMC recommends RSA Key Manager for the Datacenter to manage keys used for encryption/decryption.
The original version supports only Cisco SME, but Brocade SME will come out in a future release. Connectrix encryption has only been qualified to support the EMC NetWorker and Veritas NetBackup backup software packages. Future versions will be released to support IBM TSM and CommVault.
RSA Key Manager for the Datacenter
RSA’s centralized key management offering is provided in a pre-imaged appliance form factor, configured to support database failover using trusted Oracle technology. The appliance is configured in redundant pairs for production environments to eliminate single points of failure. The RSA Key Manager Server appliance supports clustered operations for high availability, and the key database can be remotely replicated for additional protection, unattended restart, and disaster recovery of all encryption keys. The appliance supports other cryptographic systems in addition to PowerPath and Connectrix.
Data security never goes out of style. With this announcement, EMC has placed a strong product in the host-based encryption space, and future rollouts for their Brocade partner will complete their network encryption product line. The only thing missing is subsystem and device-level encryption, but we are certain that EMC is actively looking at these two solutions as well.
A PDF version of this is available at EMC 2008 April 08 Announces new encryption options for PowerPath and Connectrix
Silverton Consulting, Inc. is a Storage, Strategy & Systems consulting services company, based in the USA, offering products and services to the data storage community.