Encryption in StorPool

StorPool supports data at rest encryption using industry-standard Self-Encrypting Drives (SED) that comply with the Opal specification by the Trusted Computing Group (TCG). This solution is designed to be fully transparent to the StorPool software stack, ensuring security without performance overhead.

Data at rest encryption (SED)

StorPool’s primary method for data at rest encryption relies on SED technology, utilizing TCG’s Opal functionality. The encryption and decryption processes are handled directly by the drive hardware, eliminating any performance impact on the storage cluster.

Crucially, without the necessary keys, data on the disks cannot be extracted, providing robust security.

Key backup procedures are not required. In the event of a node failure or the loss of the root filesystem, the standard data recovery procedure is followed (re-initialization of disks and data recovery), consistent with hardware replacement scenarios.

Data in transit encryption

Data transfers within the StorPool cluster (over the storage network) are not encrypted. StorPool deployments are designed on the assumption that the storage network is a trusted and secure environment.

Data transfers between separate StorPool clusters (remote cluster functionality) are encrypted by default. For details about how the connection between StorPool clusters can be configured, see Connecting two clusters.

Key management and automation

StorPool provides an integrated, automated process for managing disk keys and unlocking SEDs.

Internal key management

  • Key Generation: The disk keys are generated at the time of disk initialization by the StorPool deployment tools.

  • Key Storage: The disk keys used to unlock the SEDs are stored on the local storage node. The default configuration file containing these keys is located at /etc/storpool/sed.conf.

  • Automatic Unlock: The disks are automatically unlocked during the system boot process or upon disk insertion (hot-plug). This eliminates the need for manual administrator intervention, simplifying operations and ensuring the StorPool services can start without delay.

External key management (KMS integration)

StorPool supports the use of alternative, customer-deployed mechanisms for disk key management and distribution. This allows customers to use an external Key Management System (KMS) to store and manage the disk keys, independent of the standard StorPool key storage location.

When an external disk unlock mechanism is implemented by StorPool customers, it must adhere to the following critical requirements:

  • Guaranteed Unlock (Boot): The external solution must guarantee that all necessary SEDs are unlocked successfully during the boot sequence of the host.

  • Guaranteed Unlock (Hot-Plug): The external solution must support the automatic unlocking of hot-plugged and replacement disks without requiring administrator intervention.

  • Service Dependency: The StorPool services (for example, storpool_server) must only be started after all necessary storage disks have been securely unlocked by the external key management system. This ordering is enforced through proper configuration of the systemd units (dependencies and ordering between the unlock mechanism and the StorPool services).
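As an added example of the service-dependency requirement above (this is not StorPool's own tooling), the POSIX sh gate below parses `sedutil-cli --query` output and succeeds only when every listed drive reports "Locked = N", so it can sit on an ExecStartPre= line of a drop-in for the StorPool server unit as a last check behind the After=/Requires= ordering on the unlock unit. The unit name storpool_server.service, the drop-in path, the helper script path and the query output fed in for testing are assumptions.

```shell
#!/bin/sh
# Added example: boot-time gate for an external SED unlock workflow.
# It inspects `sedutil-cli --query <dev>` output and fails unless every
# listed drive reports "Locked = N". Unit name, drop-in path and helper
# path below are assumptions, not StorPool's own.

# sed_state <query-output>: print "unlocked", "locked" or "unknown".
sed_state() {
    _line=$(printf '%s\n' "$1" | grep -E 'Locked *= *[YN]' | head -n 1)
    case "$_line" in
        *"Locked = N"*) echo unlocked ;;
        *"Locked = Y"*) echo locked ;;
        *)              echo unknown ;;   # not an Opal drive, or query failed
    esac
}

# all_unlocked <query-cmd> <dev>...: return 0 only when every device is
# unlocked. <query-cmd> is a command or function that prints the query
# output for one device, so the logic can be exercised without real drives.
all_unlocked() {
    _q=$1; shift
    _rc=0
    for _dev in "$@"; do
        _out=$("$_q" "$_dev" 2>/dev/null || true)
        _st=$(sed_state "$_out")
        if [ "$_st" != unlocked ]; then
            echo "SED gate: $_dev is $_st" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Real query against a block device (requires the sedutil-cli tool).
real_query() { sedutil-cli --query "/dev/$1"; }

# Intended use from an assumed drop-in, e.g.
#   /etc/systemd/system/storpool_server.service.d/10-sed-gate.conf
#   [Service]
#   ExecStartPre=/usr/local/sbin/sed-gate.sh sda sdb
# With no arguments (e.g. when sourced by a test) nothing is queried.
if [ "$#" -gt 0 ]; then
    all_unlocked real_query "$@"
    exit $?
fi
```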

More information

You can find answers to some frequently asked questions about encryption in Data-at-rest encryption.