Understanding Encryption

To provide security against a situation where disks or a storage enclosure is physically stolen or disposed of inappropriately, ThinkAgile CP storage provides full disk encryption-at-rest capability.

Storage Encryption Overview

Encryption in ThinkAgile CP is a full disk encryption technology that is done in kernel space. Taking advantage of AES-NI hardware acceleration, the encryption method imposes negligible performance overhead and is transparent to the user. The encryption mode we use is aes-xts-plain64:sha256 with 512-bit keys. The encryption layer is done at the lowest level of our storage stack and each disk is encrypted individually. Handling the encryption at the software layer gives us the flexibility to programmatically and securely handle multiple modes of key management as well as source a wider variety of enterprise SSDs at the high capacity we require.

Key Management Security Modes

Encryption is only as strong as the encryption key management. We provide two key management solutions; the default using the Trusted Platform Module (TPM) or on a centralized remote key management (KMIP) server. New storage is manufactured to be encrypted with a default password and configured in TPM Security Mode. Our implementation has been designed to match the security profile put forth by the Trusted Computing Group

TPM Security Mode (Local Key Management)

The encrypted password to unlock the drives is stored in hardware within the secured TPM on the storage unit itself. TPM Security Mode provides security in the case a drive is stolen or disposed of incorrectly. Drives that are separated from the storage unit for any reason will be inaccessible and protected.

You can freely change the encryption password from the default set at manufacturing time to one of your choosing without any loss of data. For security purposes, the old password is required; and, once changed, the new password is secured within the TPM

KMIP Security Mode (Remote Key Management)

Key Management Interoperability Protocol (KMIP) provides secure centralized remote key management. It is a way to provide FIPS compliance to our product. KMIP protocol uses TCP port number 5696 by default.

Unlike TPM Security Mode where the password is stored on the storage unit itself, KMIP will securely store the password on a remote server managed by the customer through an encrypted channel. The KMIP Security Mode provides an added layer of security in that, even if the enclosure and drives are stolen or misplaced, the data remains encrypted as the password is stored externally.

ThinkAgile CP integrates with both Vormetric and Safenet 3rd party commercial KMIP solutions. For more information, see Understanding KMIP Compatibility.