on Microsoft you can use bitlocker, you can also user PowerPath encryption but that along is not enough, you will also need to purchase RSA RKM appliances to manage your encryption keys.

Are you recommending bitlocker as an alternative which doesn't need the RSA RKM appliances?

I assume you are saying PowerPath encryption and VNX Host encryption both need RSA appliances?

yes, you can use bitlocker as an alternative to PowerPath encryption on Windows 2008 (which requires RSA RKM appliances but provides centralized key management)

I am not sure what you mean by VNX host encryption, yes ..you need RSA appliances (two) for PowerPath encryption.  If you want to test PowerPath encryption, EMC can provide a VM that runs RKM software but it's only good for POC, not for production deployment.

"VNX Host Encryption" leverages PowerPath Encryption technology, and is an entitlement allowing the customers who purchase the "VNX Security and Compliance Suite" to encrypt as many hosts that are attached to the VNX for which the license was sold.

In contrast, a "PowerPath Encryption" (proper) license, from an entitlement perspective, is per host.  For instance, this may make sense in an environment with other arrays such as Symmetrix/VMAX since a "VNX Host Encryption" license as the name suggests is limited to just the VNX for which it was purchased.

As dynamox mentioned, the "VNX Security and Compliance Suite" (of which "VNX Host Encryption" is included) does not include the required RSA DPM (Data Protection Manager) key server appliances (formerly known as RKM) which must be purchased/licensed separately.  Also as he mentioned, since they are sold in redundant pairs, you will need a (minimum of) two.

Please follow-up with your service provider for more information.

Christopher, Thanks for your answer but what I need to know is how you implement it? What documentation does EMC have about this apart from marketing material. Is there something you need to install on the host to enable it etc... Obviosuly with PowerPath encrytion you install powerpath but what do you install for host encryption? I can't ask my service provider because I am the service provider, the next level up is EMC. Regards Smarti.

smarti,

"VNX Host Encryption" is simply a entitlement/licensing title.  It is PowerPath Encryption but grants the user to connect as many hosts as they'd like to just the VNX that the "VNX Security and Compliance Suite" was purchased.  Otherwise, it is fully featured PowerPath Encryption.  Also, remember as noted above, it does NOT include the required RSA DPM key server appliances which are sold in pairs.  Think of it as an entitlement of PowerPath Encryption by the array (but still licensed per host via a license key).

Or has this thread become a question of how to implement PowerPath Encryption itself?  This would not be the proper forum for that.

Chrisopher, Thanks for the reply. This answers part of my qustion regarding Host Encryption and PowerPath are same thing is just a licensing thing. I guess when you install and license powerpath, because it connects to a VNX array it will automatically be licensed for host encrytion provided of course you have the RSA appliances? Regards Smarti

smarti,

No, you will receive a single PowerPath Encryption license (versus individual unique licenses if purchasing the PowerPath Encryption License proper) to use across all of your hosts that will be connected to just the VNX that the "Security and Compliance Suite" is entitled.  Please note, I suggested this in one of my earlier posts with the following comment:

[...]

(but still licensed per host via a license key)

[...]

Also, please note, this entire conversation is in regards to just the PowerPath Encryption (sub) feature.

Open a ticket with support.  The licensing team is monitoring such support tickets and will intercept them and respond.

I'm a fan of the Encrypted HBAs from Emulex... In my testing they have caused the least performance impact on heavy use environments..  Just keep in mind no matter what you do anyone with access to the server and the data will not realize it's encrypted.  Out legal team thought using encryption like this would prevent a root use from being able to see the data - which  is not the case.

Something to think about is how your security / audit guys view this data.  When they log on to a host with Array bases encryption or HBA based encryption,  the data still look unencrypted... An end user on the host can simple look at the file and it will not be encrypted - that is because the host was access to it.

1) We ran PowerPath with Encryption / RSA RKM appliances and two Win2k8 R2 HP blades. This was a traditional file server housing HIPAA related data. These are your typical office documents, nothing transactional. We did not see any measurable impact of encryption on response times. PowerPath/RSA itself is the bigger pain in the rear from my (customer perspective). It looks like you are either work for EMC or partner so you might have different channels of escalation but as a customer i can tell you that escalation process on sev 1 tickets going to between EMC to RSA support was horrible. Everytime we would upgrade PowerPath, RSA lockbox would have issues, SSL certificate would get wiped out and encrypted volumes would not come online ..5-8 hours outages. The reason i bring it up is because it's just not as simple as just installing PowerPath/RSA ..there a lot more moving parts to it. We moved away from that solution to a VMAX D@RE encrypted engines to meet our regulatory requirements, auditing is done using StealthBITS.

I also found PowerPath encryption to be a huge pain the the butt.  That is why i like array encryption or HBA encryption (Emulex works great)

You could also ask your account team about roadmap plans for encryption on VNX