Datrium’s Blanket Encryption is already an industry first, providing software-based (no hardware dependencies) end-to-end encryption. Datrium’s client software runs as part of the hypervisor and is uniquely able to provide a cluster-wide encryption domain together with full data services such as compression, deduplication, and erasure coding.
The encryption covers ESXi, Red Hat Enterprise Virtualization and CentOS KVM host RAM buffers, the host SSDs, the data nodes' HDDs and SSDs, the data in flight between hosts and data nodes, and also the data stored in data node NVRAM.
Protecting data at rest has become a top priority for organizations. However, despite growing awareness, encryption of data in flight is consistently overlooked. With the widespread use of IP network protocols, in-flight data is now the most exposed to attackers who can tap into network connections; security measures for data in storage come to nothing if in-flight data is not safeguarded as well.
Datrium’s encryption uses the FIPS 140-2 AES-XTS-256 military-grade cryptographic algorithm and leverages the Intel Intelligent Storage Acceleration Library (Intel ISA-L) with the Intel AES New Instructions (Intel AES-NI), which keeps the performance hit below 5% even in the worst-case scenario. Since software-defined storage stacks use host CPU cycles to deliver their services, it is essential that the performance impact be minimized.
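As an added example (not Datrium's code or anything from the white paper), the following Python snippet uses the cryptography library to show how AES-XTS-256, the mode named above, ties each storage sector's ciphertext to its sector number through a tweak, and what that does and does not protect: the 64-byte key, the 4 KiB sector size and the sample data are constructed assumptions.

```python
# Added example, not Datrium's implementation: AES-XTS-256 over fixed-size
# storage "data units" (sectors). Key, sector size and data are constructed.
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 4096  # assumed data-unit size; real products choose their own
AES_BLOCK = 16      # XTS is a narrow-block mode built on 16-byte AES blocks


def sector_tweak(sector_number: int) -> bytes:
    # IEEE 1619 convention: the tweak is the data-unit number as a
    # 128-bit little-endian integer, so every sector gets its own keystream.
    return sector_number.to_bytes(16, "little")


def xts_encrypt_sector(key: bytes, sector_number: int, plaintext: bytes) -> bytes:
    # AES-XTS-256 uses two independent 256-bit keys, passed as one 64-byte key.
    if len(key) != 64:
        raise ValueError("AES-XTS-256 requires a 64-byte key")
    if len(plaintext) != SECTOR_SIZE:
        raise ValueError("a sector must be exactly SECTOR_SIZE bytes")
    enc = Cipher(algorithms.AES(key), modes.XTS(sector_tweak(sector_number))).encryptor()
    return enc.update(plaintext) + enc.finalize()


def xts_decrypt_sector(key: bytes, sector_number: int, ciphertext: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.XTS(sector_tweak(sector_number))).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def damaged_blocks(key: bytes, sector_number: int, plaintext: bytes, flip_offset: int) -> list:
    # XTS provides confidentiality only, not integrity: a flipped ciphertext
    # byte decrypts without any error. Because each 16-byte block is encrypted
    # independently, the damage is confined to that one block. Returns the
    # indices of the 16-byte blocks whose decrypted content changed.
    tampered = bytearray(xts_encrypt_sector(key, sector_number, plaintext))
    tampered[flip_offset] ^= 0x01
    recovered = xts_decrypt_sector(key, sector_number, bytes(tampered))
    return [
        i for i in range(SECTOR_SIZE // AES_BLOCK)
        if recovered[i * AES_BLOCK:(i + 1) * AES_BLOCK] != plaintext[i * AES_BLOCK:(i + 1) * AES_BLOCK]
    ]


if __name__ == "__main__":
    key = b"\x01" * 32 + b"\x02" * 32          # constructed key; the two halves must differ
    zero_sector = bytes(SECTOR_SIZE)           # constructed: an all-zero sector
    # Same plaintext in two sectors -> different ciphertext (tweak differs),
    # while the same sector always encrypts identically (XTS is deterministic).
    print(xts_encrypt_sector(key, 0, zero_sector) != xts_encrypt_sector(key, 1, zero_sector))
    print(damaged_blocks(key, 0, zero_sector, 100))   # only block 6 (bytes 96..111)
```

The determinism shown here is why deduplication and encryption have to be ordered deliberately in a storage stack, and the missing integrity is why a separate checksum layer still matters.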
NIST and CMVP
Datrium is now certified by NIST (National Institute of Standards and Technology) under the Cryptographic Module Validation Program (CMVP). The CMVP validates cryptographic modules against Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, and other FIPS cryptography-based standards. Federal agencies accept modules validated as conforming to FIPS 140-2. Learn more about it here on the NIST website.
With this certification, Datrium becomes the first and only converged or hyperconverged platform with a cryptographic module officially certified by NIST for FIPS 140-2. Furthermore, a quick search on the NIST website shows all supported FIPS algorithms and also the extent of the tested configurations, including x86, AIX and ARM platforms.
FIPS 140-2 is also required to achieve compliance with the HIPAA standard for protecting healthcare PHI data. Furthermore, Datrium encryption satisfies regulatory requirements for government agencies, banking, financial, and G2000 enterprise customers who are evaluating data security solutions.
For more information and for the implementation details, read the white paper on Datrium Blanket Encryption (here).
Update: I have only considered primary storage converged solutions for my article. Upon an additional search on the NIST website, I was able to find that Cohesity (secondary storage converged) is also FIPS 140-2 certified.
This article was first published by Andre Leibovici (@andreleibovici) at myvirtualcloud.net.