Encryption

Content Platform for Cloud Scale Administration Guide

Version: 2.6.x
File size: 1950 KB
Part number: MK-HCPCS008-11

Using the licensed DARE (data-at-rest encryption) feature, you can configure and manage either internal encryption, which uses a built-in HCP for cloud scale service, or external encryption, which uses a KMIP-compatible key management server.

An administrator with appropriate permissions can:

  • Select and configure either internal or external encryption
  • Provide unseal keys to the internal KMS service as needed
  • Manage the external KMS connection
  • Initiate a rekey operation

Enabling either internal or external encryption requires both planning and configuration. The mode of encryption cannot be changed between internal and external, and once enabled, encryption cannot be disabled.

Internal encryption

Internal encryption uses the Key Management Server (KMS) service to store and manage key encryption keys (KEKs). The KMS service generates a KEK for each storage component and stores the KEKs in a persistent vault maintained by the service. Enabling internal encryption generates an initial root token (used to establish the connection to the service), a KEK for each storage component, and a set of five unseal keys.

Important: To ensure access to the KEKs, it's best to scale the KMS service to at least three instances.

Each time the KMS service starts, it uses the unseal keys to open the vault. If the KMS service goes down, the vault is sealed, and to unseal it you must provide a quorum of at least three valid unseal keys. If HCP for cloud scale restarts, encryption and decryption functions pause until the KMS service is running and the vault is unsealed.

CAUTION:
If you can't provide a quorum of unseal keys, the vault remains sealed, so the KEKs are unavailable and encrypted objects on storage components can't be decrypted. To ensure encryption security, the best practice is to encrypt the unseal keys and store them separately with different trusted individuals.
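The quorum rule described above (any three of the five unseal keys open the vault; fewer leave it sealed) is the behaviour of a threshold secret-sharing scheme. The following is an added example, not code from HCP for cloud scale or its KMS service, whose internal key format and sharing algorithm the guide does not describe; it models the five unseal keys as Shamir shares of a single vault key over a prime field.

```python
import secrets

# Assumption: a 128-bit vault key carried as one field element (the product's real format is not given here).
PRIME = 2**127 - 1

def split_secret(secret, shares=5, threshold=3, rng=secrets.randbelow):
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1 whose constant term is the secret (Shamir's scheme)."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in the field")
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the share count")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    def eval_at(x):
        acc = 0
        for c in reversed(coeffs):        # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc
    return [(x, eval_at(x)) for x in range(1, shares + 1)]

def quorum_met(shares, threshold=3):
    """True when at least `threshold` shares with distinct x values are present."""
    return len({x for x, _ in shares}) >= threshold

def unseal(shares, threshold=3):
    """Recover the vault key by Lagrange interpolation at x=0.
    Refuses to proceed without a quorum, like a vault that stays sealed."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share submitted")
    if not quorum_met(shares, threshold):
        raise ValueError(f"quorum not met: need {threshold} distinct shares")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den is nonzero because x values are distinct and PRIME is prime
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

if __name__ == "__main__":
    key = secrets.randbelow(PRIME)          # constructed sample vault key
    parts = split_secret(key)               # five unseal keys, quorum of three
    print(unseal([parts[0], parts[2], parts[4]]) == key)
    print(quorum_met(parts[:2]))            # False: the vault stays sealed
```

A share that has been altered is not detected by the interpolation itself and yields a wrong key, which is why the unseal keys must be stored intact as well as separately.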

External encryption

External encryption uses an external KMS to store and manage KEKs. HCP for cloud scale supports any KMS that supports the open standard Key Management Interoperability Protocol (KMIP) v1.2 (not recommended), v1.3, or greater. You can configure connections to one primary and up to three secondary KMS servers. HCP for cloud scale can obtain KEKs from and store new KEKs on a primary KMS server (read/write access), and can obtain KEKs from a secondary KMS server (read access).

Important: To ensure access to an external KMS, it's best to configure both a primary and at least one secondary KMS server.

Synchronization of data across multiple KMS servers is the responsibility of the KMS administrator and outside the scope of HCP for cloud scale operations.

If HCP for cloud scale restarts, encryption and decryption functions are unavailable until a connection to an external KMS server is re-established. HCP for cloud scale automatically attempts to reconnect to the already configured KMS servers, which must be online for the connection to succeed.

After encryption is enabled

After either internal or external encryption is enabled on the system, users must turn encryption on for each bucket. Also, any objects placed in a bucket before encryption is enabled on the system and turned on for the bucket are not encrypted. To encrypt pre-existing objects once encryption is enabled and turned on, reload them.

Tip: If a user reports that objects are not being encrypted, verify that encryption is turned on for that bucket. If necessary, direct users to reload objects to encrypt them.