Recently, SNIA(Storage Networking Industry Association) released a technical white paper on Storage security and encryption and key management.
This white paper discusses a series of issues and considerations related to encryption and key management, which have an important impact on future data protection implementation and policies. Standards and Specifications related to the use of encryption and key management in storage systems and ecosystems have also been identified. For storage and security professionals, this paper provides a wide range of basic knowledge of relevant concepts, provides important guidance and suggestions, and emphasizes some of these key issues and considerations.
In this article, the editor makes some superficial interpretations based on some information in it. If you want to read the white paper directly, please click & ldquo; At the bottom of the article; Read the original text & rdquo; Obtain the download link.
1. What is storage encryption technology?
Storage encryption is a technology that uses encryption algorithms and key management policies to protect the confidentiality and integrity of data in storage devices. Two common data encryption methods are symmetric encryption and asymmetric encryption.
Symmetric encryption uses the same key to encrypt and decrypt data, such as AES (Advanced Encryption Standard). Asymmetric encryption uses different keys for data encryption and decryption. One of the keys is public for data encryption and the other is private for data decryption, such as RSA.
For the type of storage encryption technology, storage encryption technology can be divided into local storage encryption and cloud storage encryption according to the location of storage devices.
Local storage encryption storage encryption on a local computer or server can be implemented by operating system or file system-level encryption tools. For example, the Windows operating system can use BitLocker for full encryption, and the macOS operating system can use FileVault for full encryption.
Cloud storage encryption Storage encryption technologies used in Cloud Storage services, such as Amazon S3, Google Cloud Storage, and Microsoft Azure. Cloud storage encryption provides data encryption, access control, and identity authentication services to ensure data confidentiality and integrity. Common cloud storage encryption technologies include key-based encryption, object-based encryption, and block-based encryption.
For example, when an application data is written to a storage device, what points are encrypted or decrypted during this process?
In PApp, it is encrypted by the application itself.
In P1, it is located inside the host but outside the application (for example, file system encryption, LUKS,VMcrypt, etc.).
The network adapter P2 of the host is encrypted by the network adapter of the host (such as NIC,HBA, etc.) or its device driver.
The stored network adapter P3 is encrypted by the stored network adapter (such as NIC,HBA, etc.) or its device driver.
In P4, located somewhere in the storage solution, upstream of the non-volatile memory.
In P5, somewhere else within the storage solution, after P4 and upstream of non-volatile memory.
In PNVS, encryption is occurring in non-volatile devices (for example, through a self-encrypted SSD).
This figure shows the differences that data may be encrypted and decrypted in the entire path from the application to the storage.. This is important for understanding how data is protected at different levels and how to manage and protect keys. Different devices, drivers, file systems, etc. can encrypt data in this process to protect data security and privacy.
What should I pay attention to in storage encryption and key management?
The following issues need to be considered in storage encryption and key management:
data encryption type: to encrypt dynamic and static data based on requirements and security standards, dynamic data refers to data transmitted over the network, static data refers to data stored on media. For dynamic data, you need to consider how to encrypt the data in transit to prevent unauthorized access and use. For static data, you need to consider how to encrypt the data stored on the media, to prevent unauthorized access and use.
Key management: Key Management is an important part of encryption technology. You need to consider how to generate, store, back up, and distribute keys. The key generation needs to consider how to ensure the security and uniqueness of the key; The key storage needs to consider how to ensure that the key is not disclosed and unauthorized access; to back up a key, you need to consider how to ensure that the key can be recovered after it is lost or damaged. To distribute a key, you need to consider how to ensure that the key can be safely delivered to the required personnel.
Data security: consider how to ensure data security. This includes the use of advanced encryption algorithms and protocols to ensure data confidentiality, integrity, and availability. At the same time, it is also necessary to consider how to prevent data leakage and unauthorized access, especially during data transmission and storage.
Data backup and recovery: consider how to back up and restore data and how to ensure the security of backup data. Backup data also needs to be encrypted to prevent unauthorized access and use. At the same time, we also need to consider how to restore encrypted data and how to ensure data integrity and security during the recovery process.
Performance and compatibility: consider the impact of encryption technology on system performance and how to ensure the compatibility of encryption technology with other systems. Encryption technology will increase the complexity and computation of the system, thus reducing the performance of the system. Therefore, it is necessary to minimize the impact on system performance while ensuring data security. At the same time, it is also necessary to consider how to be compatible with other systems, such as other storage devices, operating systems, and applications.
Regulations and compliance: local laws, regulations and compliance requirements need to be considered to ensure the compliance and legality of encryption technology. This includes understanding local data protection regulations, network security regulations, privacy regulations, etc. to ensure the compliance and legality of encryption technology.
What is the future development trend of storage encryption technology?
The future development trend of encryption technology may include the following aspects:
post quantum cryptography (PQC): With the improvement of quantum computing capability, encryption technology based on traditional mathematical problems may be breached. Therefore, post-quantum cryptography may become the mainstream encryption technology in the future, which mainly uses quantum mechanical properties to protect information.
Multi-key encryption: With the development of quantum computing, a new multi-key encryption technology may receive more attention. In this technology, both the receiving and sending parties of information use multiple keys for encryption and decryption operations, thus improving the security of encryption.
Zero proof of knowledge: This technology allows the information sender to prove to the information receiver that he has a secret or certificate without disclosing any useful information. This technology may be widely used in identity authentication and data integrity verification in the future.
Homomorphic encryption: homomorphic encryption is a method that can be calculated without exposing plaintext data. It can calculate encrypted data without reducing the security of encrypted data, thus protecting the security of raw data in many scenarios.
Attribute base password: This encryption technology uses attributes to define encryption and decryption operations, rather than using traditional keys. This encryption method can better meet the needs of future applications such as the Internet of Things and cloud computing, especially in distributed and decentralized scenarios.
Combination of cryptography and artificial intelligence with the continuous development of artificial intelligence technology, the combination of cryptography and artificial intelligence may become an important direction of cryptography in the future. For example, artificial intelligence can be used to detect and defend against cryptology attacks, and cryptography can also be used to protect the robustness and privacy of artificial intelligence algorithms.
More efficient cryptographic algorithms: for applications such as big data and the internet of things, more efficient cryptographic algorithms are required to meet their data security and processing efficiency requirements. For example, in blockchain technology, some efficient cryptographic algorithms are used, such as Elliptic Curve Digital Signature Algorithm (ECDSA) and Schnorr signature algorithm. These algorithms not only provide high security, but also have more efficient performance than other cryptographic algorithms.
In general, with the development of science and technology, the future encryption technology may become more complex and diversified. We need constant exploration and innovation to cope with emerging new security challenges..
Note: This article is reprinted from
