Managing the security keys used to encrypt and decrypt data is a challenging task, because each of the many keys in use has to be tracked, and so does the data associated with each respective key.
Industry recommendations, such as those from the Storage Networking Industry Association (SNIA), that security keys used to encrypt data be changed at least once every 12 months add to the difficulty of managing them. When cryptographic keys are re-keyed (i.e. changed), the cipher data must first be decrypted using its existing cryptographic key and then re-encrypted using the new cryptographic key to obtain new cipher data. The new cryptographic keys then have to be tracked as well. In addition, the decryption and re-encryption consume processing power in an enterprise storage system.
Storage systems using full disk encryption (FDE) provide a solution to the problems of security key distribution and revocation. In FDE, data blocks are encrypted at the disk level rather than at the switch or appliance level. FDE provides a lock key that is used to turn on an FDE data storage device. When re-keying is performed, the lock key can be changed without changing the encryption key, so the stored data does not have to be decrypted and re-encrypted. However, FDE storage systems are not backward compatible with existing conventional data storage devices, such as legacy tape and disk.
Given that existing enterprise storage systems still use conventional data storage devices, there is a need to address this backward compatibility issue. Further, it would be advantageous to have a data storage system that does not need to decrypt and re-encrypt data whenever re-keying is performed.
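The difference between the two re-keying procedures described above (conventional decrypt-and-re-encrypt in the second paragraph, and FDE's change of the lock key in the third) can be made concrete in code. The following Go program is an added example for this page, not code from any product or standard the page mentions. It models a volume whose blocks are encrypted under a data encryption key (DEK), with the DEK stored only in wrapped form under a key encryption key (KEK) that stands in for the FDE lock key. The names Volume, RekeyConventional and RotateKEK are this example's own; AES-256-GCM from Go's standard library is used both for the data blocks and for wrapping the DEK, where real key-management systems typically use a dedicated key-wrap mode. Both re-keying methods return the number of data blocks they had to rewrite, which is where the processing cost described above shows up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const nonceSize = 12 // standard GCM nonce length in bytes

// randBytes returns n random bytes; a failing crypto/rand is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM for key; keys here are always 32 bytes, so a length error is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts plaintext under key and prefixes the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	nonce := randBytes(nonceSize)
	return append(nonce, aead(key).Seal(nil, nonce, plaintext, nil)...)
}

// open reverses seal; it fails if the key is wrong or the data was altered.
// Callers only ever pass seal output, so the nonce prefix is always present.
func open(key, sealed []byte) ([]byte, error) {
	return aead(key).Open(nil, sealed[:nonceSize], sealed[nonceSize:], nil)
}

// Volume models one storage device (hypothetical type): blocks encrypted under a DEK that is
// itself stored only wrapped under a KEK, the counterpart of the FDE lock key.
type Volume struct {
	Blocks     [][]byte // ciphertext blocks under the DEK; the DEK never appears in the clear
	WrappedDEK []byte   // DEK sealed under the current KEK; the only key material re-keying must track
}

// NewVolume generates a DEK, encrypts every block with it and wraps the DEK under kek.
func NewVolume(kek []byte, plaintexts [][]byte) *Volume {
	dek := randBytes(32)
	v := &Volume{WrappedDEK: seal(kek, dek)}
	for _, p := range plaintexts {
		v.Blocks = append(v.Blocks, seal(dek, p))
	}
	return v
}

// RekeyConventional is the re-keying the text describes for conventional storage: every block
// is decrypted under the old DEK and re-encrypted under a fresh one. Returns blocks rewritten.
func (v *Volume) RekeyConventional(kek []byte) (int, error) {
	oldDEK, err := open(kek, v.WrappedDEK)
	if err != nil {
		return 0, err
	}
	newDEK := randBytes(32)
	for i, ct := range v.Blocks {
		p, err := open(oldDEK, ct)
		if err != nil {
			return i, err
		}
		v.Blocks[i] = seal(newDEK, p)
	}
	v.WrappedDEK = seal(kek, newDEK)
	return len(v.Blocks), nil
}

// RotateKEK is the FDE-style re-key: the DEK is unwrapped with the old KEK and re-wrapped with
// the new one. No data block is touched however large the volume is, so it reports 0 rewritten.
func (v *Volume) RotateKEK(oldKEK, newKEK []byte) (int, error) {
	dek, err := open(oldKEK, v.WrappedDEK)
	if err != nil {
		return 0, fmt.Errorf("old KEK rejected: %w", err)
	}
	v.WrappedDEK = seal(newKEK, dek)
	return 0, nil
}

func main() {
	kek1, kek2 := randBytes(32), randBytes(32)
	v := NewVolume(kek1, [][]byte{[]byte("sector 0"), []byte("sector 1")}) // constructed sample data
	rotated, _ := v.RotateKEK(kek1, kek2)
	dek, _ := open(kek2, v.WrappedDEK) // read path after rotation: unwrap DEK, then decrypt a block
	p, _ := open(dek, v.Blocks[1])
	rewritten, _ := v.RekeyConventional(kek2)
	fmt.Printf("KEK rotation rewrote %d blocks (block 1 still reads %q); conventional re-key rewrote %d\n", rotated, p, rewritten)
}
```

Rotating the KEK costs one small decrypt and re-encrypt of the wrapped DEK regardless of volume size, and the old KEK is rejected afterwards because the authenticated decryption of the wrapped DEK fails; the conventional path has to touch every block. The wrapped DEK is also the only key material on the volume whose association with a KEK needs tracking across rotations, which is the tracking burden the first two paragraphs describe.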