At rest encryption with a SAN?
I would like to make sure at-rest encryption is done in one place and correctly. If there's shared storage, that seems like the right place rather than DAS.
Mainly I'd like to cover the case of drives being recovered without keys, with the keys being required when the SAN boots (this should be a rare event, so it is not a pain, but it also covers the case of someone stealing the whole kit and caboodle).
To attach to the SAN you need iSCSI (with credentials) or to be on the FC switch.
This seems like it would cover database and NAS cases.
What's right or wrong with this?
Solution 1:
Certain models of Storage Subsystems support full disk encryption, allowing your data to be encrypted while at rest on disks. The encryption keys are either stored on the subsystem controllers or an external central store.
The ones I'm familiar with are from IBM - the DS5000 / DS8000 series. The DS5000 controllers store individual security keys for each drive - one would need to remove the entire controller and drives in order to gain access to the data. Probably not something most companies should be worried about in a risk analysis.
Beyond that, the DS8000 architecture uses an external keyserver to store all the drive encryption keys. This model gives what you ask for - you can set it up to require a password to unlock the central master keystore, but storage subsystems / tape libraries that use it can authenticate and gain access to their encryption keys without intervention.
You can read more about the IBM technology here.