Software Encryption

From OSNEXUS Online Documentation Site

Overview

QuantaStor supports AES-NI accelerated software encryption, and an upcoming release (QuantaStor 5.11) will add hardware encryption for Opal/Ruby compliant self-encrypting SSD media. For software encryption QuantaStor uses the Linux LUKS key management system (the dm-crypt/LUKS stack), so the cipher work runs on the host CPU.

Software vs Hardware Encryption

Software encryption leverages the Linux-based LUKS key management system, which is hardware independent, so all media types may be used. Hardware encryption offloads the cipher work to the device itself, which relieves the host CPU and boosts overall performance. Enabling software encryption typically reduces the performance of a given Storage Pool by only about 15%, but the overhead can be as high as 30% depending on the CPU (in particular whether it has AES-NI) and the number of devices. In short, if you're using a version of QuantaStor that supports hardware encryption and your media is SED Opal/Ruby compliant, hardware encryption is the best option.

Creating Encrypted Pools / Using Software Encryption

Software encryption must be applied at the time the Storage Pool is created. This is because the underlying media itself is encrypted beneath the pool, so encryption cannot be enabled on an existing pool after creation; an unencrypted pool has to be recreated as an encrypted one. To enable encryption, select the Encryption tab when creating a pool and tick the Enable Encryption checkbox. After the pool is created you'll see a lock icon on the pool indicating that it is encrypted.

Passphrase Protection

Once you've selected to enable encryption, there's an additional option to apply a passphrase to the pool. If you apply a passphrase, the pool will not start automatically when the system boots. To start the pool, log in to the QuantaStor WUI or use the QuantaStor CLI to start the pool with the passphrase you supplied when creating it. To change the passphrase, remove the passphrase from the pool and then apply a new one. Without a passphrase the pool key is held on the system's boot media so the pool can unlock itself at boot; that protects the data on disks that are removed, retired or returned under warranty, but not against someone who walks off with the whole system including its boot drives. A passphrase closes that gap at the cost of a manual unlock step after every reboot, which is also why passphrases are not usable on HA pools.

Pool Key Import/Export

It's important to take a backup of the keys and metadata for your pool so that, in the event that you lose the boot drives of your QuantaStor system, you can recover and start the pool by re-importing the keys after a clean install of QuantaStor onto new boot media. To do this, choose the Export Pool Keys option from the QuantaStor web UI after you create the pool and then store the key backup in a secure place. The exported keys are sufficient to unlock the pool's data, so keep the backup off the QuantaStor system itself, under access control, and verify that the import procedure works before you depend on it.
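The following shell script is an added example and not part of the OSNEXUS documentation or QuantaStor's own tooling. It shows generic LUKS-level checks a practitioner can run on the Linux host beneath a software-encrypted pool to complement the sections above: whether the CPU advertises AES-NI (the performance point in "Software vs Hardware Encryption"), how many enabled key slots a LUKS device has (each one is an independent secret that unlocks the pool, so a passphrase shows up as an additional slot and a stale slot is a credential that should be removed), and a cryptsetup header backup as a second safeguard alongside the WUI's Export Pool Keys. It assumes root access and cryptsetup on the host; device paths are placeholders supplied by the caller, and the sample cpuinfo and luksDump texts are constructed, not real device output.

```shell
#!/bin/sh
# Added example (not OSNEXUS code): generic LUKS checks on the Linux host under
# a QuantaStor software-encrypted pool. Assumes root and cryptsetup; device
# paths are placeholders supplied by the caller.
set -eu

# 1. Does this CPU expose AES-NI (the "aes" flag)? Reads cpuinfo text on stdin
#    so it can be exercised on constructed input; feed it /proc/cpuinfo for real.
cpu_has_aesni() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)'
}

# 2. Count enabled key slots in `cryptsetup luksDump` output read on stdin.
#    Handles LUKS1 ("Key Slot N: ENABLED") and LUKS2 (entries under "Keyslots:").
#    Every enabled slot independently unlocks the data: expect one for the
#    managed key, plus one more when a passphrase is set. Anything beyond that
#    is a stale credential worth investigating and removing.
luks_enabled_keyslots() {
    awk '
        /^Version:/                                  { version = $2 }
        version == 1 && /^Key Slot [0-9]+: ENABLED/  { n++ }
        version == 2 && /^Keyslots:/                 { in_ks = 1; next }
        version == 2 && in_ks && /^[A-Za-z]/          { in_ks = 0 }
        version == 2 && in_ks && /^  [0-9]+: luks2/   { n++ }
        END { print n + 0 }
    '
}

# 3. Report, for each device given, whether it carries a LUKS header and how
#    many enabled key slots it has. Requires root and cryptsetup.
luks_audit() {
    for dev in "$@"; do
        if cryptsetup isLuks "$dev" 2>/dev/null; then
            dump=$(cryptsetup luksDump "$dev")
            ver=$(printf '%s\n' "$dump" | awk '/^Version:/ { print $2; exit }')
            slots=$(printf '%s\n' "$dump" | luks_enabled_keyslots)
            printf '%s: LUKS%s, %s enabled key slot(s)\n' "$dev" "$ver" "$slots"
        else
            printf '%s: not a LUKS device\n' "$dev"
        fi
    done
}

# 4. Back up a LUKS header. This complements, not replaces, the WUI's Export
#    Pool Keys. The backup contains the key slots, so whoever holds it plus the
#    matching passphrase/key can unlock the data: keep it 0600, encrypted, and
#    off the QuantaStor system.
luks_header_backup() {
    dev=$1; out=$2
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out"
    chmod 0600 "$out"
    # Sanity check: the backup file must itself parse as a LUKS header.
    cryptsetup luksDump "$out" >/dev/null
}

# --- constructed sample inputs (not real device output) ---
SAMPLE_CPUINFO='processor : 0
flags : fpu vme sse4_2 aes avx2'

SAMPLE_LUKS1_DUMP='LUKS header information for /dev/example
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
	Key:        512 bits
	Cipher:     aes-xts-plain64
Tokens:
Digests:
  0: pbkdf2'

printf '%s\n' "$SAMPLE_CPUINFO" | cpu_has_aesni && echo "AES-NI: yes" || echo "AES-NI: no"
echo "LUKS1 sample: $(printf '%s\n' "$SAMPLE_LUKS1_DUMP" | luks_enabled_keyslots) enabled slot(s)"
echo "LUKS2 sample: $(printf '%s\n' "$SAMPLE_LUKS2_DUMP" | luks_enabled_keyslots) enabled slot(s)"
# Real use as root, with your own device paths:
#   cpu_has_aesni < /proc/cpuinfo && echo AES-NI
#   luks_audit /dev/sdb /dev/sdc
#   luks_header_backup /dev/sdb /root/sdb.luks.hdr
```

The LUKS1 sample reports two enabled slots and the LUKS2 sample one; on a real pool, compare the count against what you expect (managed key, plus passphrase if set) and treat any surplus as a credential to revoke. Run the audit against the pool's member devices, not against the pool's logical volumes, since it is the member media that QuantaStor encrypts.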

Growing Encrypted Pools

Add media to the pool just as you would for an unencrypted pool; QuantaStor automatically encrypts each new device before adding it to the pool.

High-Availability with Encrypted Pools

QuantaStor supports HA with encrypted pools. The only requirement is that you cannot apply a passphrase to the pool, because a passphrase-protected pool needs a manual unlock to start and so could not fail over automatically. With that exception, HA encrypted pools operate the same as unencrypted pools.

KMIP Server Integration

With the upcoming release of QuantaStor 5.11, KMIP support will be introduced. KMIP is a standardized protocol for communication with key management servers. With this you'll be able to add a KMIP Profile into your QuantaStor server so that it can be selected when you create a pool. One can also take locally stored keys and put those into the KMIP server using Storage Pool Modify and then selecting a KMIP Profile.

FIPS 140-2 Certification

QuantaStor received a FIPS 140-2 Level 1 validation for the 'OSNEXUS Crypto Library' from NIST's Cryptographic Module Validation Program on March 26th 2022. More information on the 'OSNEXUS Crypto Library' is available at the NIST web site here.


OSNEXUS Crypto Library FIPS 140-2 Non-proprietary Security Policy

The following security policy PDF document covers the internal details of the FIPS 140-2 mode of operation and is also available on the NIST web site.

Document Revision: 1.0

NIST Consolidated FIPS 140-2 Certificate

The OSNEXUS FIPS 140-2 certificate is available on the NIST web site here:

FIPS 140-2 Consolidated Validation Certificate