iXsystems™ TrueNAS® has moved up a notch when it comes to encrypting data structures in the storage . In additional to supporting self encrypting disks (SEDs) and zpool encryption, version 12.0 added dataset and zvol encryption as well.
The world has become a dangerous place. The security hacks, the data leaks, the ransomware scourge have dominated the IT news in 2021, and we are only 3 months into the year. These cybersecurity threats are about to get worse and we have to be vigilant to deescalate the impacts of these threats. As such, TrueNAS® Enterprise has progressed forward to protect the data structures in its storage arrays, in addition to many other security features depicted below:
Key Management Interoperability Protocol (KMIP)
One of the prominent cybersecurity features in TrueNAS® Enterprise is KMIP support in version 12.0.
What is KMIP? KMIP is a client-server framework for encryption key management. It is a standard released in 2010 and governed by OASIS Open. OASIS stands for Organization for the Advancement of Structured Information Standards.
In a nutshell, IT devices and the data and information used in the ecosystems can be encrypted, and often “signed” with digital certificates. Identifications, authentications, permissions, authorizations, integrity, encryptions and many cybersecurity points are protected with public keys and symmetric keys, and others, pass phrases, digital fingerprints, and other formats of verification. These digital assets has to be secured, stored, shared, recycled, destroyed, exchanged and managed with a single system because each on its own, and with links and dependencies to others, could present a very complex and convoluted mix of proprietary communications, protocols and methods. Without a standardized way to ensure interoperability and exchange of information, the obfuscated ecosystem would probably look like this:
KMIP was proposed to end this complexity.
KMIP in TrueNAS
The simplest way is to think of KMIP Server as a Key Ring. The keys or the pass phrases used to secure the disks, the zpools and the datasets/zvols can be kept and managed by a KMIP server.
In the TrueNAS® environment, the client is the storage array. The Enterprise Key Manager or the “key ring” is the server. When unencrypted data is sent and store to the TrueNAS® storage, for example to the dataset via a Windows share, the data is encrypted. The generated key or pass phrases can either be stored locally or to the KMIP Enterprise Key Manager server.
Within the protocol communication process between the client (the storage array) and the server (the KMIP server), a unique and immutable identifier is created and provided from the server to the client, along with location of the stored key (known as a managed object) through a key value. This returned value in the response header from the KMIP server to the TrueNAS® client is encrypted, usually with a symmetric key, for extra level of protection.
The KMIP server can also be configured to provide a centralized, single source of encryption for all TrueNAS® systems in the network rather than having each TrueNAS® storage array performing the ZFS encryption individually. This is potent configuration when replicating encrypted ZFS datasets between different arrays to ensure protection for the data-in-flight as well as the data-at-rest scenarios.
Steps to set up the TrueNAS storage to integrate with the KMIP server are in the TrueNAS documentation.
A secured data foundation
Storage is the data foundation for every application that serves the business. It is the bedrock that serves data, and this has to be secured through encryption. Having proprietary and disparate security systems to manage the encryption keys, tokens, and digital certificates is complex and expensive, and lacks the interoperability in this open and extended digital world. KMIP is the best open standard key management system in the industry today.
TrueNAS® Enterprise integration and the support of KMIP together build the secure data foundation for the businesses.