Nimble Storage SmartSecure Software-Based Data Encryption – Live Demonstration

Welcome to the Nimble Storage SmartSecure
software-based encryption webinar. My name is Bill Roth. I’m the tech marketing lead on our encryption
feature called SmartSecure. The agenda is relatively simple. What is SmartSecure software-based encryption? Why did Nimble Storage develop this feature? We’re going to take a little bit of a deep
dive look at some technical data points on what goes on behind the scenes under the covers. We’re going to do a live product demonstration
so you can see what it looks like to admin and manage SmartSecure. I’m going to finish up with some best practices. Let’s look at the what and why of Smart
Secure software-based encryption. So, what it essentially does is ensure the
secrecy of data at rest. It uses the AE-256-XTS cipher for cryptographic
protection of data, and it’s specifically for block-based data. One thing that’s extremely important for
anybody looking at a security solution involving encryption is the FIPS certification. The Nimble Storage array is FIPS 140-2 level
1 certified. So, that’s a government program and that
certification meets the compliance level of many organizations. It protects against various threat vectors
so one of theft of the entire storage array. Um, you’re shipping an array to an affiliate
site, a sister site, or you’re moving your datacenter. SmartSecure gives you the ability to shut
down the array and make it such that it cannot be brought back up with volumes online without
a passphrase. So, it’s very secure. It also protects against the theft of individual
components, hard disk drives, or solid state drives. Major bullet number three. Transparent host access to encrypted volumes. What this means is that the host connected
to a Nimble array volume has no idea whether that volume is encrypted or not. So, there’s no host site software and there’s
nothing that you need to do as an administrator to present the storage to the Nimble array
that’s any different than you would normally do for ice cozy or fiber channel connections. The same is going to be true for VMFS volumes. So, in essence the data get encrypted when
it’s written to the array. The data is decrypted at read time. Why would a customer want to deploy this? Well, we all have our reasons and this is
a look at some of the possible reasons, so theft of the array, disposal of drives does
not expose your sensitive data. You could have a data center security breach
where the bad guys come in and steal something out of your datacenter. Ok, this protects against that. It also, as stated earlier, protects against
shipping or transporting the array to a new site location. It also assists with any RMA, Return Merchandise
Authorization over a failed component. Say it was a disk drive or a solid-state drive. The data on there is not going to be retrievable. It also provides a unique ability to irrecoverably
shred data at the volume level. So, we’ll get into some of the mechanics
behind the scenes in a moment, but each volume that’s encrypted has a unique volume encryption
key. When the volume is deleted the key for that
volume is marked for deletion. So even though the data on the array may not
have been overwritten. The key gets deleted and that data cannot
be decrypted at that point in time. So, it’s a new form of data shredding, similar
to what you were going to do to destroy a physical piece of media into millions of tiny
pieces. In this case, the key itself gets deleted. It meets the requirements for data to be encrypted
on this for government compliance, customer use cases, and things like that. It also ensures data secrecy on replication
streams over a wide area networks. So, if your snapshotting Nimble volumes as
stand-alone volumes or volume collections, and you’re replicating those and those volumes
are encrypted, you have to have the encryption feature enabled on the destination array,
and the data will be encrypted in flight. So, it’s very secure. Some key data points, and I think these are
really important, there’s no additional cost for this feature. It follows the familiar Nimble Storage storage
licensing and pricing model. So, in order to do this there’s no uptick
in any fee that you pay. It’s just there. It’s available. It comes with Nimble OS version 2.3 and higher. It’s a simple, non-disruptive software upgrade. For the record, anybody who’s currently
running an earlier version of the Nimble operating system, we expect Nimble OS version 2.3 to
be available today as a release candidate today or later this week, heading to GA in
the future. It’s supported on all Nimble arrays. The thing to be aware of here though is that
it does leverage the Intel AES-NI instruction set, and this CPU feature is only available
on more recent Nimble arrays. So, this would include the 235, 300, 500,
and 700 model CSC Nimble arrays. You can still use the feature on older arrays
such as the 460 or something like that, but you may see a performance impact because those
arrays cannot leverage the new Intel AES-NI instruction set, which really makes this a
performance demon. It screams. It supports the encryption of both of the
data on both hard disk and solid state drives. You don’t have a choice here. If you’re encrypting a volume the data is
encrypted regardless of where it resides on a Nimble array. That’s a great question. That’s a great point though. So, as the data comes into the array, there’s
not really a point where the data’s vulnerable, is there? No, there is no point of vulnerability. As soon as the data enters the array, it’s
encrypted. And remember, anything that’s in SSD is
actually read off of disk, so the data in SSD is also encrypted. There’s no exposure that somebody’s going
to steal SSDs and have access to your data. Another key point here is that Nimble preserves
the compression feature. The data is compressed prior to encryption
so all that valuable space savings that you get out of Nimble inline compression is still
there. None of this goes away. What about when you send the data over the
wire to a replication partner? Yeah, so when the data is sent over the wire
to a replication partner, it is just the compressed unique encrypted blocks after the volume is
initially replicated. So, replication stays extremely when efficient. We’ve got a question from Ravi here Bill. Ok. You’d like to know is there a compression
hit for data on flash, or does the encryption take place on buffer flash? So, the encryption takes place before the
data is written to any media, disk or flash, so there’s no impact. We have seen no impact to space utilization
in our lab-based testing. I hope that answers the question and thank
you for flagging that Neal. The final point is that this is extremely
easy to administer and manage. We’re going to see that in the live demo
and a lot of people are probably going to say is that all there is to it? And yes, literally that’s all there is to
it. We’ll see that live. I wanted to cover over some technical data
points and try to move past some of the marketing if we could. How does all this work? How is the master key generated? And how do we protect the master key? So, master key generation occurs when we initialize
to feature. Essentially the feature is initialized when
we create a new passphrase and enter it. This is 8-64 printable ASCII characters. What happens next is we feed that pass phase
through a SHA 256 has algorithm. In parallel, we see the OpenSSL random number
generator with 256 bits of data. At that point we get a resulting master key. So the master key’s going to be unique based
on the way it’s generated from the OpenSSL random number generator. At that point, what we do is we take that
master key and we encrypt it using the hash from the passphrase and the cipher is AES-256-KeyWrap,
and we end up with an encrypted master key. Here are some technical points about this. And we’re going to look at this in the live
demo. The passphrase in particular, in secure mode. Now we have two default modes that we look
at here and one of them is in secure mode. And if you were transporting an array across
country, you would probably want to configure the secure mode so that when you shut it down,
the recipient of that array needs to reenter the passphrase before any encrypted volumes
will come online, keeping it secure. So, in secure mode the passphrase has to be
entered after an array restart or power on. The encrypted volumes remain in an offline
state and cannot be accessed. So, even if your array is stolen it’s safe. The key point here is if the passphrase is
not available, the data in encrypted volumes is lost forever. That’s a real important point here Bill. It is Neil, and we’re going to hit on that
a little bit more. There’s also the available mode where most
of the time you could reboot the machine. You could shut the machine off, power the
machine on the array, and the array is going to come up. And what’s going to happen is that all the
encrypted volumes will be online. Ok, there’s a couple of scenarios we know
of where this is not the case and we’re going to cover them here. We don’t want anybody to shoot themselves
in the foot if the controllers are being swapped during an upgrade process. For instance, you’re running a CS 300 and
you’re upgrading to a CS 500 to get more performance. You’re going to need that passphrase. There’s also a rare scenario that we have
never encountered in the lab, but if you had an NV RAM loss situation. For instance, the array was powered off and
the supercapacitor supplying power to NV RAM went bad on you, you would have to enter the
passphrase when you power on the array. So, the point we’re trying to make is really
keep track of that passphrase. Maintain it. It’s never stored on disk or SSD within
the array. It’s not transmitted to Nimble Storage tech
support. It’s not copied in the email alerts, SNMP,
or Syslog. You as the user of the system, the administrator,
it is your role to keep a copy of this passphrase. Yeah, we’re making a big deal out of this
and you’ll see why. Volume keys, so these are the keys that are
used on a port pro vol basis. There is not one key for the entire system. The encrypted state of volume is defined at
volume creation time. There is no ability to take an encrypted volume
and convert it to an unencrypted volume and vice versa. There is no ability to take an existing unencrypted
volume and convert it to a new encrypted volume. So, what you’ve got to do there is you’ve
got to create the new volume and the desired state, either encrypted or not encrypted,
and you’ve got to manually copy data from an existing volume over to the new volume. Ok. If you wanted to do this with VMWare Vmotion,
you could automate a large part of it, but it’s not automatic. And there’s no ability to change the encrypted
state of an evolving volume once it’s created. New volumes each get a new volume encryption
key. There are 256 bits in length, and they’re
encrypted by the master key using AES 256 key wrap, that’s the cipher. And they’re stored in a key table. We’re going to take a look at this in a
different graphic in just a moment. One important thing to think about is that
when we clone an encrypted volume, that the clones are also encrypted, but the clones
get a new volume key. And any new data written to the clone or any
data updated on the clone volume is going to use the new volume key for the clone volume,
but that the clone volume also has access to the power volumes key so that it can read
data. Ok, just a little bit detailed there. Sometimes folks want to know this level of
granularity. What we’re going to do here is we’re going
to look at volume key data retrieval. Ok, so, this is a representative example,
very simplified of a key table stored internal to the Nimble System. We’ve got a few volume keys. They’re all 256 bit and they’re encrypted
with AES 256 key wrap. The volume key is unencrypted with the clear
text master key, so the master key is stored encrypted, the master key is stored encrypted,
the passphrase is used to decrypt the master key. I get that clear text master key. It’s being held in a memory in process. And what I can do is I can use that to decrypt
a given volume key. The cleartext volume key is used to encrypt
all writes to the volume and decrypt reads from the volume. The important thing to keep in mind here is
that the host has no idea that this volume is encrypted. At this point I’d like to move to a live
demonstration and give everyone an idea of how easy and convenient this is to use. And this is the home screen. As soon as this populates with some performance
data, we’ll go ahead and we’ll take a look an enabling encryption. So, we come to the admin pull down menu. We come down to security, and we select the
encryption submenu. This brings up the encryption frame. And right now, encryption is sitting in an
uninitialized state. So, what I need to do to enable the feature
is to provide a passphrase. And remember, this is a 8 to 64 characters. One of the things we wanted to cover here
was we can show typing, which may be a good idea if you’re typing in a lot of characters
to make sure they’re the same or are having trouble getting it entered. Or we can deselect the show typing box to
obscure the passphrase. You don’t want anybody in the data center
knowing this passphrase is. So, we’ve gone ahead, input our passphrase. Now this is one of the things that we talked
about earlier in the presentation. We have the secure mode which requires entry
of the passphrase after a reboot or power on to access the encrypted volumes in order
for them to be in an online state. Or, we have the available. And when I click available, available means
is I can reboot this array or I can power on this array and I will not be required to
enter the passphrase. It’s more convenient and it’s something
you may want to consider based on your own local processes and procedures. If you’ve got badge locked doors to your
datacenter, armed guards, things like that, right. So, we’re going to select the available
mode. We do get this warning dialog, not requiring
to enter passphrase on system startup lessens the security of encrypted volumes. I acknowledge that by clicking OK. The next field is the default setting and
we’ll leave that at default enable encryption on newly created volumes. And the cipher is AES-256-XTS. Now the scope impacts the default setting
and we’ll cover this more. What I’m going to do is change this to allow
over riding the default setting. By default, all volumes are encrypted and
that setting is going to be enforced. Ok. Allow overriding allows me to say I may want
some volumes that are encrypted, and some volumes that aren’t encrypted. Right. So, everybody’s got a variety of data types
in their data center. It’s your decision what you want to encrypt,
what you don’t want to encrypt. The point I’m trying to make is that the
Nimble implementation of data encryption at rest allows you to selectively decide, do
I want to encrypt the entire array? Do I only want to encrypt specific volumes? So, it’s your call. So, we’re going to go with these settings. We’ll click save, and we get another warning
dialogue. Do not forget the passphrase. Ok. Lost passphrases cannot be retrieved will
result in permanent data loss. Again, you accept that, you move forward. Ok. So, what we’ve done is enabled the feature. And what we’re going to do now is we’re
going to go ahead and create a volume and show you what all this means. So, we’ll go to manage volumes. We will say we want a new volume. For the sake of this demonstration we’ll
name it AAA. That will appear at the top of our list alphabetically. Now you can see that enable encryption is
selected by default. The fact that we gave it the ability to override
the default setting rather than enforce to default settings means I could change this. Ok. That gives you the ability to create encrypted
volumes and not encrypted volumes. We’ll go ahead and finish out creation of
this volume and we’ll go to VDI 1000-12 as the initiator group. We’ll scroll down and give it a volume size. Let’s say 128 gig, for example. We’ll click next, no zero there. Type-o. You can tell, this is live. We’re going to say let’s not protect this
volume. Ok. This is not necessarily a Nimble Protection
Manager demonstration. And we’ll click finish at this point. And we should have our new volume. If we select that volume and get some more
information about it, we can see it right here in the upper left general window. It says data encryption AES-256-XTS. Ok, so we know we’ve created an encrypted
volume. Ok, so there’s no ability to change this. We covered this already in the presentation. There is no ability to change the encrypted
state of a volume after it is created right. I can click edit, right. And there’s nothing here that says change
this into an unencrypted volume. You can’t do it. Ok. So, we’re just trying to drive that point
home. When you create a volume, if it’s encrypted
it stays encrypted for its entire life. If you create one that’s not encrypted,
it stays not encrypted for its entire life. Ok. So, the command is encrypt key dash dash info. So, it says that the feature is initialized
and active. If we wanted to look at the volume we just
created and see whether it was encrypted or not, we can do the VOL command and we can
see down here that it is encrypted. Ok. And one of the things that I wanted to highlight
for everybody is that there is no automated way to say show me a list of all the encrypted
volumes. At this point in time, we’ve decided not
to implement that as a command. However, you could potentially get a list
of all your volumes and parse through them and come up with the resultant list of encrypted
volumes. If you’ve got a 800 hundred volumes on a
system and 300 are encrypted, it’s not an easy process to figure that out. But the thinking on our end was we don’t
want the bad guys to figure that out either. This is about security. So, right now I’m going to simulate a lost
passphrase. And you may ask why we’re hitting on this
passphrase so heavily. And the reason is because during our beta
we had a customer that was using a tool to store the passphrase and they were using all
64 characters out of the possible 64. And the tool that they used to maintain the
passphrase was only storing the first 50 characters. It’s something you don’t want to discover
the hard way. So, let’s say I forgot my passphrase, right,
and I type in the current passphrase which I don’t know, so I’m typing in a bogus
one. Anything I type in, the new passphrase will
not take effect. And I’m kind of in a bad place. I’m trying to get this back. Ok, changing passphrase. Failed to authenticate master key passphrase. Ok. And remember, the passphrase is used to encrypt
the master key. So, I’m kind of in a bad place right now. What I would have to do if this was a real
production loss of the passphrase is I’d have to go back, and I’d have to go to this
volume unencrypted and copy the data from this volume named AAA over to the unencrypted
volume and then delete it. What would you suggest is the best way to
do that? Well, we’re going to run through the best
way to do that. So, if it was a Windows volume, I would connect
a new unencrypted volume to the same Windows hosts and I would manually copy the data over. Likewise, if it was a Linux host, I would
want the source and destination volumes on that host to copy the data over. With VMware, you could consider doing V motions
to move to a new data store. So, it’s not pretty, but it is possible. If I try to delete the master key it comes
up and says I can’t because you’ve got encrypted volumes, so we’re not going to
allow you pull the rug from underneath yourselves so to speak. After I’ve gone ahead, I’ve copied the
data from my encrypted volume to a non-encrypted volume, what I want to do is I want to set
the encrypted volume offline. I’ve already copied the data to a new unencrypted
volume. I delete it, at which point we have no encrypted
volumes, or don’t believe we do. And we’ll try to delete master again, and
we delete the master key. This returns the encryption feature to an
uninitialized state. So, at this point, and I need to refresh the
display here. When this comes back, the feature is not initialized
and you have an opportunity to set a new passphrase. And for the record, the single customer we
had experienced this phenomenon because their past free storage utility would not store
more than 50 characters, they did not lose any data. We got on the phone with them late one night
and had some email conversations, and they were able to pull up out of this bad, bad
experience. So, we took that information, we updated some
of our collateral and documentation to make sure that this would never happen to anybody
else. Now, you can shoot yourself in the foot if
you really want to, but we’re going to try to help you avoid that. So, that’s our live component, and as you
can see there’s not a lot to admining this. Sounds like it’s pretty easy to do though. Yeah, it’s very simple to admin. And again, the best practices begin with don’t
lose the passphrase. You lose the passphrase, you’re in a bad
place. Just to reiterate, Nimble Support does NOT
HAVE your passphrase. That is correct. Nimble support does not have your passphrase. It is not sent to support, transmitted to
support. It does not show up in any email messages,
Syslog, or any place. It is secure. This is part of the FIPS 140-2 certification,
right. Documentation. So, you’re probably going to, Bill ran through
this really fast, how can I get more information. So, that there’s this paper that we’ve
created called the Nimble Storage Security Technical Notes: SmartSecure Software-Based
Encryption. And I wanted to show you two locations where
this is available, so if you just go to, right. We’ll let this refresh. You’ll get all the current messaging from
Nimble. So, if you go to the resources pull down menu
and select Technical Papers, you can see right on top SmartSecure Software-Based Encryption. This is one of our newer papers and we placed
it there to coincide with the timing of this webinar to make life easy for everybody that
wants additional information. Now, this will ask you for some additional
information, so that we can track who’s downloading the paper and make sure that if
you have any questions of follow up that we can get a hold of you and we know who you
are. Now, if you are an existing customer an existing
array user you already know about Nimble InfoSight. So InfoSight, is this really cool cloud-based
area where you can get all kinds of performance and utilization statistics. The other thing it’s got, it’s got this
download cloud on it. And if you click Best Practices and then scroll
down, we get to the technical papers in lab reports and you can get the same paper here. Ok. So, we’re making it extremely easy for customers
to get this paper. I’ve actually got an example of the paper
up and one of the things that we’re looking at here with some of the setup options, and
if they’re not entirely clear we’ve got the default setting of enabling encryption
and allow override. That’s the one we looked at in our quick
demo. There’s a total of four combinations here,
and you could force the setting to make sure every volume was encrypted if that’s what
your site procedure dictated. You could disable encryption by default, but
allow override creation volume time to create an encrypted volume. And you can just disable encryption altogether. We’ve got the feature deployed, we don’t
want to use it yet. We’ve initialized it with the passphrase
and we’ve done nothing more than that. So, that’s one interesting piece of the
technical note that we’ve created for you. There’s another interesting part of the
technical note where we talk about some of the permissions, right. And Nimble Storage does have low-based administration
privileges and we’ve created a table for that where we talk about what role can do
what with regard to the different commands you can execute within the scope of this feature,
right. So the administrator has complete rights. The guest has no rights. Power user and operator are somewhere in between. Ok. So, if you look here the important one is
Enable Master. So, this would be a reboot in the secure access
mode An operator, power user or the administrator can enter the passphrase to put those encrypted
volumes online for you. The nice thing Bill is there’s a couple
administrators. If another person logs on, then they can’t
decrypt the volume. That’s right. That’s right. So, it kind of helps you to ensure that encrypted
volumes stay encrypted, right. You don’t want to have to come back and
go how did that get unencrypted. And it won’t happen on the Nimble arrays. The other great piece of documentation here
is the admin guide, which you can also download from InfoSight. If you’re an existing customer, if you’re
not a customer who wants access to that, contact your Nimble account team reseller or bar and
they’ll help you get more information on the feature. It’s extremely important feature. That’s all we had for everyone today. And as you can see, the encryption feature,
it’s very technical, very complex under the covers, but the Nimble engineering team
has done an exceptional job in implementing this feature so that it is extremely easy
to use, easy to add admin and easy to manage. Ok. Thanks everyone for attending today’s session.

Leave a Reply

Your email address will not be published. Required fields are marked *