CTE-Efficient Storage Enhanced Storage Arrays
CTE shares the encryption key associated with the LUN with a storage system that exports the LUN to a protected host. In this solution, the LUN is a device configured for CTE-Efficient Storage that can be guarded as an ES GuardPoint. When the device is guarded, the storage system and protected hosts coordinate operations for sharing the encryption key applied to the ES GuardPoint.
By sharing the key, the storage system decrypts the encrypted data streams that the protected host writes to the LUN, and then performs the data reduction process on the clear data before encrypting and storing the final encrypted data in the storage array system. The storage system does the reverse operations when the protected host reads data from Efficient Storage devices.
Storage Arrays Compatible with CTE-Efficient Storage
You can use CTE-Efficient Storage with FlashArray from Pure Storage.
FlashArray
FlashArray from Pure Storage is enhanced with CTE-Efficient Storage capabilities and interoperates with CTE to provide CTE-Efficient Storage on Linux. The Pure Storage system is a client of the CipherTrust Manager and shares the encryption keys protecting the LUNs exported from the storage system to the protected hosts registered with the same CipherTrust Manager.
See the EncryptReduce Installation Guide from Pure Storage for information on setting up interoperability with CTE.
Sharing Encryption Keys
CTE shares the encryption key for a LUN with the storage system using the KMIP protocol. In this solution, the CipherTrust Manager is the KMIP server, and the storage system is a KMIP client registered with the CipherTrust Manager. Any host accessing and protecting the LUNs from the storage system is a CTE managed host registered with the same CipherTrust Manager. The protected hosts register with the CipherTrust Manager using the register_host script executed on the protected hosts.
With the host and the storage system registered with the same CipherTrust Manager, the protected host continues enforcing policy and security rules on device and directory GuardPoints. The protected host stores an Efficient Storage Device Header (ES Header) on each LUN configured as an ES GuardPoint. The ES Header includes the UUID of the encryption key applied to the LUN and identifies the LUN as an ES GuardPoint to the storage array exporting the LUN. The storage array recognizes the ES Header on the LUN when the protected host writes the header, and then uses the key UUID from the header to retrieve the key attributes and key material from the CipherTrust Manager (KMIP server). This process enables the storage array and the protected host to share and apply the same key for encryption and decryption of the data streams exchanged between them.
The hosts accessing a shared LUN must be protected hosts registered with the same CipherTrust Manager as the storage array.
When the LUN is permanently de-configured as an ES GuardPoint, the ES Header must be removed. The storage array detects the removal of the ES Header from the LUN and de-configures the LUN as a CTE-Efficient Storage device. Both the protected host and the storage array then stop encrypting and decrypting the data streams exchanged between hosts and the storage array.
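The key-sharing flow described above (host writes an ES Header carrying a key UUID, array fetches that key from the KMIP server, array decrypts the host's writes and performs data reduction in the clear before re-encrypting at rest, and header removal de-configures the device) can be modelled end to end. The following is an added example written for this page, not CTE, CipherTrust Manager or Pure Storage code: the header layout (a magic string plus a 16-byte UUID), the HMAC-SHA256 counter-mode stand-in cipher, the zlib "data reduction" step, and the class and function names are all assumptions for illustration only. The one behaviour it does reproduce faithfully is the contract from the text: only a client registered with the same KMIP server can obtain the key, and the array never stores the host's wire ciphertext, only its own at-rest ciphertext of the reduced data.

```python
"""Constructed model of CTE-Efficient Storage key sharing (added example).
Assumed header layout, stand-in cipher and zlib reduction; not CTE internals."""
import hashlib, hmac, os, struct, uuid, zlib

MAGIC = b"ESHDR"          # assumed marker that identifies an ES GuardPoint
HEADER_LEN = 64           # assumed size of the header region on the LUN


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: HMAC-SHA256 keystream in counter mode.
    XOR is its own inverse, so the same call encrypts and decrypts.
    Not the cipher CTE uses; nonce must never repeat under one key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def build_es_header(key_uuid: str) -> bytes:
    """Assumed layout: MAGIC || 16-byte key UUID || zero padding."""
    return (MAGIC + uuid.UUID(key_uuid).bytes).ljust(HEADER_LEN, b"\0")


def parse_es_header(blob: bytes):
    """Return the key UUID if blob carries an ES Header, otherwise None."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 16:
        return None
    return str(uuid.UUID(bytes=blob[len(MAGIC):len(MAGIC) + 16]))


class KmipServer:
    """CipherTrust Manager stand-in: keys addressed by UUID, served to registered clients only."""
    def __init__(self):
        self.keys, self.clients = {}, set()

    def create_key(self) -> str:
        kid = str(uuid.uuid4())
        self.keys[kid] = os.urandom(32)
        return kid

    def get_key(self, client: str, kid: str) -> bytes:
        if client not in self.clients:
            raise PermissionError(f"{client} is not registered with this KMIP server")
        return self.keys[kid]


class StorageArray:
    """Array registered as a KMIP client; an ES Header on a LUN makes it an ES device."""
    def __init__(self, name: str, kmip: KmipServer):
        self.name, self.kmip, self.lun_keys, self.blocks = name, kmip, {}, {}
        kmip.clients.add(name)                      # array registration (see below)

    def write_header(self, lun: str, header: bytes):
        kid = parse_es_header(header)
        if kid is None:                             # header removed: de-configure, stop crypto
            self.lun_keys.pop(lun, None)
            return
        self.lun_keys[lun] = self.kmip.get_key(self.name, kid)   # fetch key by UUID

    def write(self, lun: str, offset: int, wire: bytes):
        key = self.lun_keys.get(lun)
        if key is None:                             # not an ES device: store as received
            self.blocks[(lun, offset)] = wire
            return
        off = struct.pack(">Q", offset)
        clear = stream_xor(key, b"wire" + off, wire)            # undo host encryption
        reduced = zlib.compress(clear)                          # data reduction on clear data
        self.blocks[(lun, offset)] = stream_xor(key, b"rest" + off, reduced)  # re-encrypt at rest

    def read(self, lun: str, offset: int) -> bytes:
        key, stored = self.lun_keys.get(lun), self.blocks[(lun, offset)]
        if key is None:
            return stored
        off = struct.pack(">Q", offset)
        clear = zlib.decompress(stream_xor(key, b"rest" + off, stored))
        return stream_xor(key, b"wire" + off, clear)            # re-encrypt for the host


class ProtectedHost:
    """CTE host registered with the same KMIP server; encrypts before the data leaves it."""
    def __init__(self, name: str, kmip: KmipServer, array: StorageArray):
        self.name, self.kmip, self.array, self.keys = name, kmip, array, {}
        kmip.clients.add(name)                      # register_host equivalent in this model

    def guard(self, lun: str, key_uuid: str):
        self.keys[lun] = self.kmip.get_key(self.name, key_uuid)
        self.array.write_header(lun, build_es_header(key_uuid))

    def unguard(self, lun: str):
        self.keys.pop(lun)
        self.array.write_header(lun, b"\0" * HEADER_LEN)        # remove the ES Header

    def write(self, lun: str, offset: int, clear: bytes):
        self.array.write(lun, offset, stream_xor(self.keys[lun], b"wire" + struct.pack(">Q", offset), clear))

    def read(self, lun: str, offset: int) -> bytes:
        return stream_xor(self.keys[lun], b"wire" + struct.pack(">Q", offset), self.array.read(lun, offset))


def demo():
    """Guard a LUN, write compressible data, read it back, then remove the header."""
    kmip = KmipServer()
    array = StorageArray("flasharray", kmip)
    host = ProtectedHost("host1", kmip, array)
    host.guard("lun0", kmip.create_key())
    data = b"constructed sample record " * 40       # constructed, highly compressible input
    host.write("lun0", 0, data)
    round_trip_ok = host.read("lun0", 0) == data
    reduced = len(array.blocks[("lun0", 0)]) < len(data)
    host.unguard("lun0")
    return round_trip_ok, reduced, "lun0" not in array.lun_keys


def unregistered_client_rejected() -> bool:
    """A client not registered with the manager cannot obtain the key by UUID."""
    kmip = KmipServer()
    kid = kmip.create_key()
    try:
        kmip.get_key("unregistered-array", kid)
    except PermissionError:
        return True
    return False
```

Running `demo()` returns `(True, True, True)`: the host sees its own clear data back, the at-rest block is smaller than the clear data because reduction happened on plaintext, and writing a header without the marker de-configures the LUN on the array side. `unregistered_client_rejected()` shows the registration requirement from the text: key retrieval is gated on the client being known to the same KMIP server.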
Storage Array Registration
The storage array administrator creates a certificate for the storage array and sends it to the CipherTrust Manager administrator. The CipherTrust Manager administrator produces a corresponding certificate specific to the array and gives it to the storage array administrator. The CipherTrust Manager and the storage array register both certificates and use them to authenticate each other each time they establish a secured session.
See the EncryptReduce Installation Guide from Pure Storage for detailed instructions on registering the FlashArray as a KMIP client with the CipherTrust Manager's KMIP server.