Using the licensed DARE (data at rest encryption) feature, you can configure and manage either internal encryption, using a key management service built into HCP for cloud scale, or external encryption, using a KMIP-compatible key management server.
An administrator with appropriate permissions can:
- Select and configure either internal or external encryption
- Provide unseal keys to the internal KMS service as needed
- Manage the external KMS connection
- Initiate a rekey operation
Enabling either internal or external encryption requires both planning and configuration. Once encryption is enabled it cannot be disabled, and the mode cannot be changed between internal and external.
Internal encryption
Internal encryption uses the Key Management Server (KMS) service to store and manage key encryption keys (KEKs). The KMS service generates a KEK for each storage component and stores the KEKs in a persistent vault maintained by the service. Enabling internal encryption generates an initial root token (used to establish the connection to the service), a KEK for each storage component, and a set of five unseal keys.
Each time the KMS service starts, it uses the unseal keys to open the vault. If the KMS service goes down, it seals the vault, and to unseal the vault you must provide a quorum of at least three of the five valid unseal keys. If HCP for cloud scale restarts, encryption and decryption functions pause until the KMS service is running and the vault is unsealed. Keep the unseal keys and the root token in separate, secure locations: if fewer than three unseal keys are available, the vault cannot be unsealed and the encrypted data cannot be read.
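The page does not say how the five unseal keys are derived or why three of them suffice. The following added example (not code from HCP for cloud scale or its KMS service) models the behaviour with Shamir's secret sharing, the standard construction for a k-of-n quorum: the vault's master key is split into five shares over a prime field, any three shares reconstruct it, and a small `SealedVault` class shows the seal-on-restart, unseal-on-quorum cycle. The prime, the share layout and the class are assumptions for illustration.

```python
"""3-of-5 unseal quorum modelled with Shamir's secret sharing.

Assumptions (illustrative, not from the product documentation): the vault
master key is an integer below a 127-bit prime, each unseal key is one
(x, y) point on a random degree-2 polynomial, and a quorum of three
distinct points is enough to recover the constant term (the master key).
"""
import secrets

PRIME = 2**127 - 1   # Mersenne prime; all arithmetic is modulo this value
THRESHOLD = 3        # unseal keys needed to open the vault
SHARES = 5           # unseal keys generated when encryption is enabled


def split_secret(secret, k=THRESHOLD, n=SHARES):
    """Return n shares of `secret`; any k of them reconstruct it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    # Degree k-1 polynomial: constant term is the secret, the rest is random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):   # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the shares supplied.

    With fewer than k distinct shares the result is some other field
    element, not the secret (except with probability 1/PRIME).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


class SealedVault:
    """Minimal model of a KMS vault that seals on restart, unseals on quorum."""

    def __init__(self, shares_needed=THRESHOLD):
        self.shares_needed = shares_needed
        self._pending = {}       # keyed by share index, so repeats don't count
        self.master_key = None   # None while sealed

    @property
    def sealed(self):
        return self.master_key is None

    def submit_unseal_key(self, share):
        """Feed one unseal key; returns True once the vault is open."""
        if not self.sealed:
            return True
        x, y = share
        self._pending[x] = y
        if len(self._pending) >= self.shares_needed:
            self.master_key = recover_secret(list(self._pending.items()))
            self._pending.clear()
        return not self.sealed

    def seal(self):
        """What happens when the service stops: the key leaves memory."""
        self.master_key = None
        self._pending.clear()
```

Because `_pending` is keyed by the share index, presenting the same unseal key three times does not open the vault; three distinct keys are required, which is the property that makes distributing the five keys to separate custodians meaningful.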
External encryption
External encryption uses an external KMS to store and manage KEKs. HCP for cloud scale supports any KMS that implements the open standard Key Management Interoperability Protocol (KMIP) version 1.3 or later (version 1.2 is supported but not recommended). You can configure connections to one primary and up to three secondary KMS servers. HCP for cloud scale obtains KEKs from and stores new KEKs on the primary KMS server (read/write access), and can only obtain KEKs from a secondary KMS server (read access).
Synchronization of data across multiple KMS servers is the responsibility of the KMS administrator and outside the scope of HCP for cloud scale operations.
If HCP for cloud scale restarts, encryption and decryption functions are unavailable until a connection to an external KMS server is re-established. HCP for cloud scale automatically attempts to reconnect to the already configured KMS servers, which must be online.
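The primary/secondary split and the note that replication is the KMS administrator's job together describe a failure mode worth seeing concretely: a KEK written to the primary but not yet copied to a secondary is unreadable the moment the primary is down. The following added example (not HCP for cloud scale client code, and not the KMIP wire protocol) models that with in-memory stand-in servers; the class names, the primary-then-secondaries lookup order and the `replicate` helper are assumptions for illustration.

```python
"""Model of KEK access across one primary (read/write) and up to three
secondary (read-only) KMS servers.

Illustrative only: the servers are in-memory dictionaries standing in for
KMIP servers, and the fail-over order (primary, then each secondary) is an
assumption, not documented product behaviour.
"""
import secrets


class KmsServer:
    """Stand-in for a KMIP server: a name, an online flag and a key table."""

    def __init__(self, name):
        self.name = name
        self.online = True
        self.keys = {}

    def get(self, key_id):
        if not self.online:
            raise ConnectionError(f"{self.name} offline")
        return self.keys.get(key_id)

    def put(self, key_id, kek):
        if not self.online:
            raise ConnectionError(f"{self.name} offline")
        self.keys[key_id] = kek


class ExternalKms:
    MAX_SECONDARIES = 3

    def __init__(self, primary, secondaries=()):
        if len(secondaries) > self.MAX_SECONDARIES:
            raise ValueError("at most three secondary KMS servers")
        self.primary = primary
        self.secondaries = list(secondaries)

    def create_kek(self, component_id):
        """New KEKs go to the primary only (the read/write server)."""
        kek = secrets.token_bytes(32)
        self.primary.put(component_id, kek)   # raises if the primary is offline
        return kek

    def fetch_kek(self, component_id):
        """Read from the primary first, then from each secondary in turn.

        A secondary that is online but has never received the key counts as
        a miss, not as an error: replication between servers is the KMS
        administrator's responsibility.
        """
        problems = []
        for server in [self.primary] + self.secondaries:
            try:
                kek = server.get(component_id)
            except ConnectionError as exc:
                problems.append(str(exc))
                continue
            if kek is not None:
                return kek
            problems.append(f"{server.name}: no KEK for {component_id!r}")
        raise LookupError("; ".join(problems))


def replicate(src, dst):
    """The KMS administrator's job, outside HCP for cloud scale: copy keys."""
    dst.keys.update(src.keys)
```

Reads survive a primary outage only for KEKs that the administrator has already replicated to a secondary; creating a KEK for a new storage component always needs the primary, so a primary outage blocks new components even while existing data stays readable.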