What can be encrypted? What configuration is supported? At which layer the data is encrypted? Which layer encryption is more secure?
Nutanix offers three options of data encryption:
- Data-at-Rest Encryption - Self Encrypted Drives (SEDs) - cluster's native or external KMS for software-only encryption.
- If the Controller VM cannot get the correct keys from the key management server (KMS), it cannot access data on the drives.
- If a drive is re-seated, it becomes locked.
- If a drive is stolen, the data is inaccessible without the KEK (key-encrypting-key) (which cannot be obtained from the drive). If a node is stolen, the key management server can revoke the node certificates to ensure they cannot be used to access data on any of the drives.
- Data-at-Rest Encryption - Software Only
- For AHV, the data can be encrypted on a cluster level. This is applicable to an empty cluster or a cluster with existing data.
- For ESXi and Hyper-V, the data can be encrypted on a cluster or container level. The cluster or container can be empty or contain existing data. For container level encryption, after the encryption is enabled, the administrator needs to enable encryption for every new container.
- Data is encrypted at all times.
- Data is inaccessible in the event of drive or node theft.
- Data on a drive can be securely destroyed.
- Dual Encryption. Dual Encryption protects the data on the clusters using both SED and software-only encryption. An external key manager is used to store the keys for dual encryption, the Native KMS is not supported.
Data-at-Rest Encryption feature requires Ultimate license.
Further reading on configuration steps, pre-requisites and supported key management servers see Security Guide 5.11: Data-at-Rest Encryption.