Storage systems typically support at-rest data encryption. As used herein, “at-rest data encryption” refers to the encryption of data that is stored at the storage system. When at-rest data encryption is enabled, all data stored at the storage system is encrypted under a single symmetric encryption key (deployed systems often use a hierarchy of per-volume or per-object keys wrapped by a master key, but for purposes of this description a single symmetric key suffices). Thus, reading data stored at such a storage system in plaintext requires possession of this single symmetric key. At-rest encryption is commonly available for both primary and archival tier storage systems.
There is also a growing need to support encryption-on-wire to protect data while in flight. As used herein, encryption-on-wire refers to the encryption of data while it is traversing the network from the source (e.g., a client) to the target (e.g., a storage system). Conventionally, encryption-on-wire is implemented as follows: the data is encrypted by the network stack (e.g., Transport Layer Security (TLS), historically Secure Sockets Layer (SSL), which is now deprecated) at the source and then decrypted by the network stack at the target storage system. The protection therefore ends at the target; it does not extend to the data once the target has received it.
Conventionally, in the case where both at-rest data encryption and encryption-on-wire are required, the data is encrypted by the network stack of the client. The encrypted data is then transmitted to the target storage system. When the encrypted data arrives at the target storage system, the data is decrypted by the network stack at the storage system. Once the data has been decrypted, the data is then re-encrypted under the at-rest key before being written. Every byte is therefore encrypted once at the client and then decrypted and encrypted again at the storage system, and between those two steps it exists in plaintext in the storage system's memory. Thus, computation resources are wasted at conventional storage systems, and the plaintext is briefly exposed on the target.
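The following program models the conventional path described above so that the cost and the exposure can be observed directly. It is an added example written for this page, not code from any storage product or from the original text. It stands in for the TLS record layer and the at-rest layer with two independent AES-GCM keys (the names wireKey, restKey, ConventionalStore and Stats are assumptions of the example): the client seals the data for the wire, the storage system opens the wire layer, observes the plaintext, and re-seals it under the at-rest key. The returned Stats counts the cryptographic passes performed at the storage system and records whether the plaintext was present there.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealWith performs one AES-GCM encryption under key with a fresh random nonce
// and returns nonce || ciphertext || tag.
func sealWith(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// openWith reverses sealWith; it fails if key is wrong or the data was altered.
func openWith(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed input shorter than nonce")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// Stats records the work done at the storage system for one stored object.
// (Hypothetical bookkeeping type for this example.)
type Stats struct {
	WireDecryptions  int  // passes to strip the wire (TLS-like) layer
	RestEncryptions  int  // passes to apply the at-rest layer
	PlaintextExposed bool // plaintext was present in storage-system memory
}

// ConventionalStore models the path in the text: the client seals data under
// wireKey, the storage system opens it, then re-seals the plaintext under restKey.
func ConventionalStore(wireKey, restKey, data []byte) ([]byte, Stats, error) {
	var st Stats
	// Client side: encryption-on-wire.
	onWire, err := sealWith(wireKey, data)
	if err != nil {
		return nil, st, err
	}
	// Storage side: the network stack strips the wire protection ...
	plain, err := openWith(wireKey, onWire)
	if err != nil {
		return nil, st, err
	}
	st.WireDecryptions++
	st.PlaintextExposed = bytes.Equal(plain, data)
	// ... and the at-rest layer encrypts the same bytes a second time.
	stored, err := sealWith(restKey, plain)
	if err != nil {
		return nil, st, err
	}
	st.RestEncryptions++
	return stored, st, nil
}

// ReadBack is what any reader of the stored object must do: open it with the at-rest key.
func ReadBack(restKey, stored []byte) ([]byte, error) {
	return openWith(restKey, stored)
}

func main() {
	wireKey := make([]byte, 32) // constructed sample keys; real keys come from TLS and a KMS
	restKey := make([]byte, 32)
	rand.Read(wireKey)
	rand.Read(restKey)
	data := []byte("constructed sample record: customer 42, balance 1000")
	stored, st, err := ConventionalStore(wireKey, restKey, data)
	if err != nil {
		panic(err)
	}
	back, err := ReadBack(restKey, stored)
	fmt.Printf("stats=%+v readback_ok=%v err=%v\n", st, bytes.Equal(back, data), err)
}
```

The at-rest object is opaque to the wire key: openWith(wireKey, stored) fails authentication, which is the property at-rest encryption is meant to provide. The price, visible in Stats, is one decryption and one encryption pass at the storage system for every object, plus the moment during which PlaintextExposed is true.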