Just bought 2 SC3020 for use with encrypting the data at rest. Rep didn't mention that you had to use a 3rd party tool for handing out the actual keys. I thought this would work just like the servers and the TPM module, but nope. So I just got back the quote to use SafeNet key management and it's 56K, more than the <Profanity removed> Dell hardware!!!
There has got to be something else that can be used to hand out these keys cheaper. I can't believe Dell would recommend something so expensive other than simply putting in a TPM module to do it.
FYI: You created this in the EqualLogic SAN forum, not the SC one.
However, I happen to know the answer. Other than the qualified 3rd party Key Managers there are no supported options. Even if theoretically another one worked today, you can't be sure that down the road a SCOS update isn't going to break that, in which case your data is no longer accessible.
With RAIDed storage you would have to steal the entire enclosure with controllers to get access to the data. Especially in configurations with multiple storage tiers, that's much more difficult.
There is also file level encryption for many OSs. The SED drive is most effective in JBOD configurations where simple access to the drive will allow data access.
Yeah, but for Dell to force you to use one of their support partners that's selling the key management software for 56K to start, just to hand off 2 keys maybe 1 time a year when the 3020 is rebooted, is robbery, when it would have only cost them 30 dollars to add a TPM module to the array controller for customers that only need the encryption part as a deterrent.
This makes me want to send the whole solution back to them.
I understand your frustration. While TPM H/W might not cost much, the development cost to make it work with SCOS would be significant.
But let's look at what it would take to get data off a "drive": if they stole a single physical hard drive, it would do them no good. Data is spread out across multiple drives.
So you need everything. Chassis and controllers, shelves, cables, etc. But in order to access a LUN you have to be connected to the designated server. If not, just connecting up a server isn't going to help. So you also need the login credentials for the array to allow you to change the server info to the new one.
So that's several roadblocks already. If you also encrypt the filesystem, then even if they have all that, they will be stuck. Plus, of course, controlling physical access to the arrays as well.