2019 Storage Developer Conference. © Intel Corporation. All Rights Reserved. 1
Data-At-Rest Protection at Data Center Scale with NVMe and Opal
Andrzej Jakowski, Adrian Pearson, Intel Corporation
Legal Disclaimer
All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.
The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at intel.com.
Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.
Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more complete information visit www.intel.com/benchmarks.
Cost reduction scenarios described are intended as examples of how a given Intel-based product, in the specified circumstances and configurations, may affect future costs and provide cost savings. Circumstances will vary. Intel does not guarantee any costs or cost reduction.
Intel does not control or audit third-party data. You should review this content, consult other sources, and confirm whether referenced data are accurate.
Intel, the Intel logo, and other marks are trademarks of Intel Corporation in the U.S. and/or other countries.
© Intel Corporation.
Other names and brands may be claimed as the property of others.
Agenda
Motivations for Data-At-Rest Security
TCG Opal family for SEDs
Sedcli – new open source utility for SED management at data center scale (and client)
Sedcli roadmap
Call to action
Motivations for Data-at-Rest security
Data breaches continue to grow in scale and cost to organizations
Governments are responding by developing new regulations such as the EU GDPR and Lot 9 requirements
Provisions in these laws discuss topics such as user data rights for data retention, access control, knowledge of who has access to data, etc.
GDPR, in particular, mentions encryption as a path to potential mitigation in the event of data breach.
Lot 9 requires Secure Data Deletion
https://securityintelligence.com/posts/whats-new-in-the-2019-cost-of-a-data-breach-report/
Motivations for Data-at-Rest security
All user data, regardless of wear leveling, is encrypted as of the first LBA write to the drive
Data erasure using drive commands ensures erasure of all data – regardless of wear leveling
SW-FDE does not provide these guarantees
Increasingly, SEDs are deployed to ensure "last mile" compliance and to ensure that physical theft of a drive does not cause a data breach
SW FDE vs. SED

                         SED             SW FDE
All user data            All encrypted   May be encrypted, depending on time of activation of SW FDE
Drive overprovisioning   All encrypted   Cannot be directly erased through overwrite by the host
Where is encryption done?
Encryption can be done at different levels. Factors to consider: protection against the threat, performance impact, regulations, and impact on other processes (for example, encrypted data may not be compressible).
(Diagram: layers Application, Compute, Network and Appliance, with the encryption points shown at each: SW encryption, SED drive (SSD), HBA / HW RAID, encryption NIC, network switch.)
SW encryption versus on-disk encryption
SW encryption: Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) provide near full-bandwidth crypto for SW FDE for large transfers. However, software overhead remains, adding extra latency, especially for 4K transfers.
On-disk encryption: SED AES performance provides low latency and bandwidth at interface speeds for all transfer sizes.
(Chart: "SW encryption vs on-disk encryption (4KiB Random Read, 2 Threads)"; IOPS, 0 to 600,000, versus queue depth 1, 2, 4, 8, 16, 32; two series: SW encryption and on-disk encryption.)
Source: Intel. System configuration: Intel® Xeon® Platinum 8200L CPU @ 2.70GHz, 4GB DRAM, Intel DC P4800X 800GB SSD, Debian (Linux 4.9.0-11-amd64 x86_64) with and without SW encryption using LUKS. Results have been estimated based on internal Intel analysis and are provided for informational purposes only. Any difference in system hardware or software design or configuration may affect actual performance. For more complete information about performance and benchmark results, visit www.intel.com/benchmarks. Performance results are based on testing as of 9/17/2019 and may not reflect all publicly available security updates. See configuration disclosure for details. No product or component can be absolutely secure.
Chart caption: Difference in IO efficiency.
Key management in Opal
(Diagram of the SED key hierarchy, as seen across the SATA/NVMe interface; two paths are drawn.)
Security Send/Security Receive path (key management): the host supplies the Authentication Key (PIN); the drive runs it through a KDF to derive the KEK, and the KEK decrypts the encrypted MEK held in the K_AES table, yielding the MEK.
Regular IO path (data): the MEK is loaded into the hardware AES engine, which turns plaintext into ciphertext on write and back on read.
Only the PIN crosses the interface; the KEK and MEK never leave the drive.
Client usages and data center usages are different
Client: usually requires the user to supply a key (password) to the disk; pre-boot authentication via Shadow MBR.
Data center: need for automated key management during initial provisioning and auto-unlock in day-to-day operation, because of the scale; need for periodic key rotation; need for key backup.
Shift to NVMe and the need for new SW tooling
(Diagram: three host configurations; the data path and the key management path are drawn separately, and the needed "glue" code is marked.)
Host with HBA / HW RAID and TCG Enterprise drives: application (e.g. database); management SW (e.g. RAID); RAID management SW carries the key management path.
Host with direct-attached NVMe SSD with TCG Opal and centralized key management with a dedicated appliance: application (e.g. database); KMIP client; Opal management SW, the needed "glue" code.
Host with direct-attached NVMe SSD with TCG Opal and local key management with security chip assist: application (e.g. database); TPM SW; Opal management SW, the needed "glue" code; security chip (e.g. TPM).
Sedcli SW proposal
Support for data center usages: auto-provision on hot insert or OS boot; auto-unlock on hot insert or OS boot; support for multiple key managers (OASIS KMIP, TPM); key backup functionality.
Key SW components: sedcli, a modular architecture allowing multiple key managers (OASIS KMIP, TPM); libsed, which enables extensions.
(Diagram: sedcli on top of libsed, covering key management, disk management and backup; key-manager plugins: KMIP plugin over a KMIP client lib, TPM plugin over the TPM SW stack, file plugin, ...)
Source code available on https://github.com/sedcli
Envisioned data center auto-provision flow
(Sequence diagram between the server running sedcli, the admin/operator and the KMS.)
1. Disk hot-inserted or server booted
2. Platform key (PEK) created or obtained from KMS
3. Disk key (DEK) created on server and wrapped using PEK
4. DEK used to provision NVMe SSD; wrapped disk key stored in Opal datastore
Envisioned data center auto-unlock flow
(Sequence diagram between the server running sedcli, the admin/operator and the KMS.)
1. Disk hot-inserted or server rebooted
2. PEK obtained from KMS
3. Wrapped DEK read from Opal datastore
4. DEK unwrapped with PEK
5. Disk unlocked with DEK
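The key hierarchy of the "Key management in Opal" slide together with the auto-provision, auto-unlock and key-rotation flows above, as an added Python model. This is example code written for this page, not sedcli, libsed or any drive's firmware. It assumes: an HMAC-SHA256 counter-mode construction (wrap/unwrap) standing in for the drive's AES key wrap and AES data engine, PBKDF2 standing in for the drive-side KDF, a single-PIN model in which the server-generated DEK is used directly as the drive's Admin1/locking credential, a plain dict standing in for the KMIP key manager, and the identifiers PEK_ID and DS_KEY, which are hypothetical.

```python
"""Model of the Opal key hierarchy and the sedcli-style auto-provision /
auto-unlock flows. Added example, not sedcli or drive-firmware code: wrap()
and unwrap() are an HMAC-SHA256 counter-mode stand-in for the AES key-wrap and
AES data engine of a real SED; only the hierarchy's structure is modelled."""
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def wrap(key: bytes, pt: bytes) -> bytes:
    """Authenticated encryption of pt under key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); a wrong key fails the tag check instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16], tag):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def _kek(pin: bytes, salt: bytes) -> bytes:
    """Drive-side KDF, PIN -> KEK. PBKDF2 is an assumption; a real drive's KDF is vendor-defined."""
    return hashlib.pbkdf2_hmac("sha256", pin, salt, 10_000)

class SedDrive:
    """What the TPer holds: the MEK exists only wrapped under the PIN-derived KEK."""
    def __init__(self):
        self._mek = os.urandom(32)      # generated at manufacture; never leaves the drive
        self._salt = os.urandom(16)
        self._session_mek = None        # MEK loaded into the AES engine while unlocked
        self.wrapped_mek = None         # K_AES table entry: host-readable, useless alone
        self.datastore = {}             # Opal DataStore table: host-readable, not secret
        self.media = {}                 # LBA -> ciphertext, always under the MEK

    def take_ownership(self, pin: bytes) -> None:
        """Activate locking with `pin` as the Admin1 credential (single-PIN model assumed)."""
        self.wrapped_mek = wrap(_kek(pin, self._salt), self._mek)

    def unlock(self, pin: bytes) -> None:
        self._session_mek = unwrap(_kek(pin, self._salt), self.wrapped_mek)  # wrong PIN -> ValueError

    def lock(self) -> None:
        self._session_mek = None

    def write(self, lba: int, data: bytes) -> None:
        if self._session_mek is None:
            raise PermissionError("range locked")
        self.media[lba] = wrap(self._session_mek, data)

    def read(self, lba: int) -> bytes:
        if self._session_mek is None:
            raise PermissionError("range locked")
        return unwrap(self._session_mek, self.media[lba])

    def revert(self) -> None:
        """Crypto erase: a fresh MEK makes every existing sector unrecoverable, including
        over-provisioned blocks the host could never have overwritten."""
        self._mek = os.urandom(32)
        self.wrapped_mek, self.datastore = None, {}
        self._session_mek = self._mek   # locking deactivated: readable again, old data gone

# Hypothetical identifiers; the KMS is modelled as a dict holding only the platform key (PEK).
PEK_ID = "platform-key"
DS_KEY = "sedcli/wrapped_dek"

def auto_provision(drive: SedDrive, kms: dict) -> None:
    pek = kms[PEK_ID]                           # 2. PEK obtained from the KMS
    dek = os.urandom(32)                        # 3. per-disk key created on the server...
    drive.datastore[DS_KEY] = wrap(pek, dek)    #    ...and stored on the disk only wrapped
    drive.take_ownership(dek)                   # 4. DEK becomes the drive's locking PIN
    drive.unlock(dek)

def auto_unlock(drive: SedDrive, kms: dict) -> None:
    pek = kms[PEK_ID]                           # 2
    dek = unwrap(pek, drive.datastore[DS_KEY])  # 3-4: a foreign PEK raises ValueError
    drive.unlock(dek)                           # 5

def rotate_pek(drive: SedDrive, kms: dict) -> None:
    """Periodic key rotation: only the wrapper changes; drive PIN and user data stay put."""
    dek = unwrap(kms[PEK_ID], drive.datastore[DS_KEY])
    kms[PEK_ID] = os.urandom(32)
    drive.datastore[DS_KEY] = wrap(kms[PEK_ID], dek)
```

Two properties of the design fall out of the model and are the ones to verify in a real deployment: a stolen drive carries only the wrapped DEK in its DataStore and the wrapped MEK in its K_AES table, neither usable without the PEK held by the KMS; and both PEK rotation and crypto erase (revert) touch keys only, never user data, so rotation is cheap and erase also covers the over-provisioned blocks the host cannot address.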
Sedcli status and next steps
sedcli v1.0 (September 2019), client usages: initial provision; explicit locking and unlocking; changing the key for Admin1; revert TPer.
sedcli v2.0 (2019/2020), data center usages (KMS): OASIS KMIP key manager; auto initial provision; auto unlock; key backup.
sedcli v2.5 (late 2020), data center usages (TPM): TPM 2.0 based key manager; auto initial provision; auto unlock; key backup.
sedcli v3.0: support for emerging DAR security standards such as NVMe/TCG Key Per IO.
Call to action
Encourage usage of and contributions to https://github.com/sedcli
Provide feedback and additional usage models
Reach out to us to learn more