加密域和级别 - 及时数据加密功能 - 不再有混乱

  • 2019年10月16日
  • 0答复
  • 2289意见
阿罗纳
秩
UserLevel 6
徽章 +5

:问题:什么可以加密?支持什么配置?在哪一层数据是加密的?哪一层加密更安全?

Nutanix提供了三个数据加密选择:

  1. 及时的数据加密- 自加密驱动器(SED) - 集群的本机或外部KMS用于仅软件加密。
    • 如果控制器VM无法从密钥管理服务器(KMS)获取正确的键,则无法访问驱动器上的数据。
    • 如果重新安装驱动器,则将锁定。
    • 如果驱动器被盗,则没有kek(键连接键)(无法从驱动器获得)的数据无法访问。如果节点被盗,则密钥管理服务器可以撤销节点证书,以确保它们不能用于访问任何驱动器上的数据。
  2. 及时的数据加密- 仅软件
    • 对于AHV,可以在A上加密数据等级。这适用于具有现有数据的空群集或群集。
    • 对于ESXI和Hyper-V,可以在A上加密数据群集或容器等级。群集或容器可以为空或包含现有数据。对于容器级加密,在启用加密后,管理员需要为每个新容器启用加密。
    • 数据始终加密。
    • 如果发生驱动器或节点盗窃,数据是无法访问的。
    • 驱动器上的数据可以牢固地破坏。
  3. 双重加密。双重加密使用仅使用SED和仅软件加密保护簇上的数据。外部密钥管理器用于存储双重加密的键,不支持本机KMS。

:感叹:及时的数据加密功能需要最终许可。

进一步阅读配置步骤,先决条件和受支持的密钥管理服务器,请参见安全指南5.11:及格加密。

\":question:\" What can be encrypted? What configuration is supported? At which layer the data is encrypted? Which layer encryption is more secure?<\/p>

Nutanix offers three options of data encryption:<\/p>

  1. Data-at-Rest Encryption<\/u> <\/strong>- Self Encrypted Drives (SEDs) - cluster's native or external KMS for software-only encryption.\t
    • If the Controller VM cannot get the correct keys from the key management server (KMS), it cannot access data on the drives.<\/li>\t\t
    • If a drive is re-seated, it becomes locked.<\/li>\t\t
    • If a drive is stolen, the data is inaccessible without the KEK (key-encrypting-key) (which cannot be obtained from the drive). If a node is stolen, the key management server can revoke the node certificates to ensure they cannot be used to access data on any of the drives.<\/li>\t<\/ul><\/li>\t
    • Data-at-Rest Encryption<\/strong><\/u> - Software Only\t
      • For AHV, the data can be encrypted on a cluster <\/strong>level. This is applicable to an empty cluster or a cluster with existing data.<\/li>\t\t
      • For ESXi and Hyper-V, the data can be encrypted on a cluster or container<\/strong> level. The cluster or container can be empty or contain existing data. For container level encryption, after the encryption is enabled, the administrator needs to enable encryption for every new container.<\/li>\t\t
      • Data is encrypted at all times.<\/li>\t\t
      • Data is inaccessible in the event of drive or node theft.<\/li>\t\t
      • Data on a drive can be securely destroyed.<\/li>\t<\/ul><\/li>\t
      • Dual Encryption.<\/u>\u00a0<\/strong>Dual Encryption protects the data on the clusters using both SED and software-only encryption. An external key manager is used to store the keys for dual encryption, the Native KMS is not supported.<\/li><\/ol>

        \":exclamation:\" Data-at-Rest Encryption feature requires Ultimate license.<\/p>

        Further reading on configuration steps, pre-requisites and supported key management servers see Security Guide 5.11: Data-at-Rest Encryption.<\/a><\/p>","quoteUsername":"Alona","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

该主题已关闭以供评论
Learn more about our cookies.<\/a>","cookiepolicy.button":"Accept cookies","cookiepolicy.button.deny":"Deny all","cookiepolicy.link":"Cookie settings","cookiepolicy.modal.title":"Cookie settings","cookiepolicy.modal.content":"We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.<\/a>","cookiepolicy.modal.level1":"Basic
Functional","cookiepolicy.modal.level2":"Normal
Functional + analytics","cookiepolicy.modal.level3":"Complete
Functional + analytics + social media + embedded videos"}}}">
Baidu