NVMe storage and connectivity solutions are frequently deployed to satisfy the stringent performance and reliability requirements of industrial, media and AI applications designed to process large volumes of sensitive data. Securing this data from prying eyes, while protecting the privacy of end-user and corporate customers alike, is of critical importance. As such, disk encryption technology is quickly becoming an essential component of storage solutions designed to address these workflows.
HighPoint’s SafeStorage solution was developed to work in conjunction with state-of-the-art SED technology that has been widely adopted by mainstream NVMe devices and is based on the OPAL SSC TCG specifications. It is designed to protect data assets when physical drives are misplaced or stolen by preventing unauthorized access to stored data.
First introduced with our PCIe Gen4 SSD7580C 8-Channel U.2/U.3 NVMe RAID HBA, SafeStorage can be applied to both single-disk and RAID configurations at the disk level, and administered via our universal management and monitoring suites. And unlike software-based services which rely on CPU resources, SafeStorage initiates encryption at the drive level to minimize the performance impact on the host platform.
Unified & Streamlined RAID & Storage Encryption Solution
HighPoint SafeStorage is a unified NVMe Storage Encryption Solution developed to accommodate both large-scale RAID arrays and individually configured SSDs, and can be scaled across multiple HighPoint PCIe AICs connected to the host platform. RAID volumes are encrypted at the time of creation and will automatically activate each disk member’s self-encryption capabilities.
SafeStorage’s SED features are enabled at the hardware level, and require no unique driver or standalone software application; everything is managed directly by HighPoint’s universal RAID Management and Monitoring suite. The interface will automatically recognize SafeStorage compatible controllers and provide a new toolset known collectively as Disk & Enclosure Security. The toolset handles all SED-related features and settings, including setting up disk encryption, managing encryption keys and managing security policies.
This streamlined lightweight approach to SED technology reduces complexity and minimizes the risk of software conflicts.
Securely Lock Down Crucial Data from Unauthorized Access
When Disk Security is enabled, your data is automatically locked down whenever the disk media is removed from the HighPoint storage or connectivity device.
The SED technology will assign unique identifiers, known as “Keys”, in the form of Passwords, to both the HighPoint device (PCIe AIC) and each hosted SSD. Keys are automatically generated when the Disk Security feature is activated and can be configured/modified by the administrator as required. This system ensures your data cannot be accessed unless the keys match.
Keys/Passwords are securely stored by the NVMe device and can be managed using HighPoint’s WebGUI and CLI management suites. Unless an Administrator changes a Key, disks/arrays can be accessed normally. However, Lockdown mode is enabled as soon as the disk is removed. Such disks cannot be simply moved to a separate HighPoint/Non-HighPoint Adapter or Enclosure for access. The “thief” would need to link the disk/array to the new HighPoint device and would need to enter the original Keys in order to do so.
Cryptographic Erasure
Changing or deleting encryption keys for SED capable disks will render all encrypted data indecipherable and, thus, unrecoverable. SafeStorage allows administrators to delete and regenerate Keys (aka Passwords) as needed to ensure your encrypted data is always under lock and key. A few simple commands enable authorized administrators to immediately prep storage for resale, retirement or reuse.
The Cryptographic Erase command replaces the encryption Key inside each drive; this makes it impossible to ever decrypt data stored on these devices. When executed, data is rendered inaccessible and considered cryptographically erased. The drives can then be reset to an unowned state, and reused once a new encryption key is generated.
In addition, upon disabling the Disk Security feature, SafeStorage will automatically initiate the cryptographic erase command. The process is automated and takes only seconds to complete. Disk Security can be easily disabled at any time, using HighPoint’s WebGUI and CLI utilities.
Summary
SafeStorage’s innovative combination of TCG/OPAL compliant technology, scalable hardware-level encryption and a lightweight centralized management interface enables administrators to streamline the encryption process without degrading system performance or complicating workloads.