Is your data safe? A deeper look at Datrium In-Flight and At-Rest AES-XTS-256 encryption

I am starting to discuss some of the features and design aspects that got me enthusiastic about Datrium tech. A feature that has been driving many interesting conversations with customers is the new Blanket Encryption. First, let’s obertewind a bit.

(If you only want to find out about the product features and skip my long-winded write-up just skip the bottom of the article.)


Gemalto’s Breach Level Index (BLI) tracks publicly disclosed breaches across the globe, measuring their severity via a multidimensional index based on factors including the number of compromised records, the source and the type of breach. In March 2017, Gemalto released the BLI findings revealing that 1,792 data breaches led to almost 1.4 billion data records being compromised worldwide during 2016, an increase of 86% compared to 2015.

These are mind-blowing numbers!

Most security breaches exploit human frailties, and CIOs need to educate their user populations on good security practices. That said, according to Gemalto’s research, only 4.2% of breaches were “Secure Breaches” where encryption was used, and the stolen data was rendered useless.

Folks, only 4.2%!


Protecting data ‘At-Rest’ has become a top priority for organizations. However, despite growing awareness, encryption of data (In-Flight) as it moves across the network is consistently overlooked. Nowadays In-Flight data is most vulnerable to perpetrators that have the ability to tap into the network connections given the widespread use of IP network protocols; security measures for data in storage come to nothing if In-Flight data is not properly guarded as well.


Blanket Encryption

Datrium’s encryption is an industry-first, providing software-based (no hardware dependencies) End-to-End encryption WITH Data Reduction. Datrium encryption covers ESX Host RAM Buffer, ESX Server SSDs, Data Nodes HDDs and SSDs, data In-Flight between hosts and data nodes, and also data node NVRAM encryption.

Because Datrium’s FE (FrontEnd client) runs as part of the hypervisor, Datrium is the only (…and please, correct me if I’m wrong) convergence solution that provides cluster-wide encryption domain for data In-Flight and At-Rest and is still able to provide the benefits of data reduction. Data is reduced, compressed and then encrypted as soon as it is created in the host RAM before it’s written to the host flash or transmitted to the data server fully encrypted. The design leverages resources on the ESX servers for most of the work and scale in line with the architecture.



While some app-based or OS-based encryption solutions offer an In-Flight encryption capability, they eliminate all data reduction optimizations (storage or transfer over WAN) as they randomize the blocks before they can be data-reduced.



Cryptographic Protocol

Datrium’s encryption uses FIPS (validated/approved) AES-XTS-256 military grade crypto algorithm and leverage Intel Intelligent Storage Acceleration Library (Intel ISA-L) with Intel AES new encryption instructions set (Intel AES-NI), that can provide a <5% performance hit at worst case scenario.Recognizing that software-defined-storage stacks use host CPU cycles to provide such services

Recognizing that software-defined-storage stacks use host CPU cycles to provide such services is important, as there can be performance implications when enabling data services.


  • AES – Advanced Encryption Standard specified in FIPS 197
  • FIPS – Federal Information Processing Standard
  • XTS-AES – Mode of Operation specified in IEEE Std. 1619-2007 and approved by SP800-38E with one additional requirement on the lengths of the data units.


FIPS 140-2 is a requirement to achieve compliance with the HIPAA standard to protect Healthcare data. Already mandated by the U.S. Department of Defense (DoD) for encryption, FIPS 140-2 is a robust security solution that reduces risk without increasing costs.

Datrium encryption satisfies regulatory requirements for government agencies, banking, financial, healthcare and other G2000 enterprise customers who consider data security products and solutions.


[click to enlarge]


Enabling or disabling encryption is done via CLI.

datastore encryption enable [--hide-password]
dvx-01>> datastore encryption enable
New data will be encrypted. Existing data may remain unencrypted. <NEW Startup mode is unlocked.>
IMPORTANT! Datrium cannot recover the encryption password. Losing this password will mean losing access to all data in the DVX! 
The password must be at least 8 characters long.
Encryption password : mypassword
Confirm password : mypassword
Enable encryption {yes|no} [no] : yes
Encryption enabled. New data will be encrypted.


Approved vs. Validated

The FIPS-validated mode provides acceptable performance, but it does impose some additional CPU load on Controllers, while FIPS-approved (or fast mode) provides <5% performance degradation, but that may not be considered FIPS-validated. Both modes have no significant impact on data reduction.

> datastore encryption set –fips-mode [approved|validated]


Cross-Cluster and Cross-Site Replication

Datrium implements native one-click SSL/TLS encryption to secure data replication traffic between clusters and datacenters. The session encryption is selective and may be enabled on a Protection Group basis. So you only encrypt replication for VMs you deem necessary – or just allow it for everything!

When replicating between clusters the source and destination DVX data nodes have different AES-XTS-256 encryption keys. The source is responsible for decrypting the data and encrypting the resulting data stream with an SSL/TLS session key. The destination DVX data node is responsible for decrypting the data stream with the SSL/TLS session key and encrypting the result with the destination’s AES-XTS-256 encryption method. This ensures that the AES-XTS-256 encryption used by a DVX cluster is kept within the DVX.



This release supports:

  • Instant enable/disable encryption
  • Encrypt data In-Use, In-Flight, and At-Rest at a cluster-wide and full-stack levels
  • Built-in Key Manager
    • Startup unlocked (password not required on startup)
    • Startup locked (password is required on startup)
    • Rotate passwords per security policy (New Tenant Encryption Key (TEK))
  • Instant Secure Erase disk(s) using Crypto Erase
  • Enable/disable encryption with live data
  • Convert clusters from secure to non-secure (and vice-versa)


Important Deployment Considerations

At current release, only new data is encrypted upon turning the feature on, but some old data may also be opportunistically encrypted during backend tasks, such as maintenance processes. Additionally, an external key manager is not supported in this first release.


Final Thoughts

Hackers have already breached internet-connected camera systems, smart TVs, and even baby monitors. It’s is dangerous to think that they aren’t already mining your organization’s data. Independent of the preferred security approach CIOs must take action before they are the next target. Robert Mueller, ex-FBI Director once said: “There are only two types of companies: those that have been hacked, and those that will be.”

This is all heavy and concerning stuff, so I thought I would end this blog post with something a little more humorous.


Find more about Datrium’s Blanked Encryption here.



This article was first published by Andre Leibovici (@andreleibovici) at


  1. The issue is not about the strength of encryption, the issue is we should focus on encrypting the data across it’s lifecycle not just In-Flight and At-Rest. Implementing E2EE will removes most of the issues mentioned in the reported study.

  2. Wael Aggan, we are in agreement.

Leave a Reply