Veritas Access Administrator's Guide
About encryption at rest
Veritas Access provides advanced security for data at rest by encrypting data volumes. Encryption converts data into a form that can be decrypted only by authorized users.
You can encrypt Veritas Access data volumes to:
- Protect sensitive data from unauthorized access.
- Retire disks from use, or ship them for replacement, without the overhead of securely wiping their contents.
Encryption is implemented using the Advanced Encryption Standard (AES) cryptographic algorithm with a 256-bit key size, as validated under the Federal Information Processing Standard Publication 140-2 (FIPS PUB 140-2) security standard.
When you create file systems in Veritas Access on encrypted volumes using this feature, Veritas Access generates a volume encryption key at the time of file system creation. This encryption key is encrypted (wrapped) using a different key that is retrieved from a Key Management Server (KMS). The wrapped key is stored with the volume record. The volume encryption key is not stored on disk.
Veritas Access supports the use of a KMS that conforms to the OASIS Key Management Interoperability Protocol (KMIP) version 1.1 specification.
During creation of encrypted volumes:
- Veritas Access sends a key generation request to the configured KMS using the Key Management Interoperability Protocol (KMIP).
- The KMS responds with a unique identifier. Veritas Access sends the identifier to the KMS to obtain the key that is generated by the KMS.
- The KMS responds with the key. Veritas Access generates the random volume encryption key and encrypts it using the key that is provided by the KMS.
- Veritas Access stores the encrypted key and the KMS identifier in the volume record.
During startup of encrypted volumes:
- Veritas Access retrieves the encrypted key and the KMS identifier from the volume record.
- Veritas Access sends the identifier to the KMS to obtain the key.
- The KMS responds with the key. Veritas Access decrypts the encrypted key (stored in the volume record) with the key provided by the KMS.
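The creation and startup flows above, and the disk-retirement benefit described earlier, amount to envelope encryption: a random volume key is wrapped under a key the KMS owns, and only the wrapped form and the KMS identifier are persisted. The following Go program is an added example written for this page, not Veritas Access code and not a KMIP client; the MockKMS type, its `kms-uid-N` identifier format, the VolumeRecord layout, and the use of AES-256-GCM as the wrapping mode are assumptions made for illustration. It shows that the plaintext volume key never reaches the record, that a tampered or short record fails to unwrap, and that destroying the KMS key leaves the volume unreadable, which is what makes retiring a disk without wiping it safe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// MockKMS is a constructed stand-in for a KMIP key server (no KMIP wire protocol):
// Create registers a fresh 256-bit key under a new identifier, Get returns it by that
// identifier, Destroy retires it (every volume wrapped under it becomes unreadable).
type MockKMS struct{ keys map[string][]byte; next int }

func (k *MockKMS) Create() string {
	k.next++
	uid := fmt.Sprintf("kms-uid-%d", k.next) // hypothetical identifier format
	k.keys[uid] = mustRandom(32)
	return uid
}

func (k *MockKMS) Get(uid string) ([]byte, error) {
	if key, ok := k.keys[uid]; ok {
		return key, nil
	}
	return nil, errors.New("kms: unknown key identifier")
}

func (k *MockKMS) Destroy(uid string) { delete(k.keys, uid) }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source; nothing sensible to continue with
	}
	return b
}

// VolumeRecord is the persisted metadata: the KMS identifier and the wrapped volume
// key (GCM nonce followed by AES-256-GCM ciphertext). The plaintext key is never stored.
type VolumeRecord struct {
	KMSIdentifier string
	WrappedKey    []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CreateEncryptedVolume follows the creation flow: request a KMS key, fetch it by
// identifier, generate a random volume key, wrap it, and persist only the wrapped form.
func CreateEncryptedVolume(kms *MockKMS) (VolumeRecord, []byte, error) {
	uid := kms.Create()
	kek, err := kms.Get(uid)
	if err != nil {
		return VolumeRecord{}, nil, err
	}
	aead, err := newGCM(kek)
	if err != nil {
		return VolumeRecord{}, nil, err
	}
	vek := mustRandom(32) // 256-bit volume encryption key, returned for in-memory use only
	nonce := mustRandom(aead.NonceSize())
	// The identifier is bound in as associated data, so a wrapped key copied into a
	// record that names a different KMS key fails authentication.
	wrapped := aead.Seal(nonce, nonce, vek, []byte(uid))
	return VolumeRecord{KMSIdentifier: uid, WrappedKey: wrapped}, vek, nil
}

// StartEncryptedVolume follows the startup flow: fetch the KMS key named in the record
// and unwrap the stored volume key. A destroyed KMS key or a tampered record yields an error.
func StartEncryptedVolume(kms *MockKMS, rec VolumeRecord) ([]byte, error) {
	kek, err := kms.Get(rec.KMSIdentifier)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(rec.WrappedKey) < ns {
		return nil, errors.New("volume record: wrapped key too short")
	}
	return aead.Open(nil, rec.WrappedKey[:ns], rec.WrappedKey[ns:], []byte(rec.KMSIdentifier))
}

func main() {
	kms := &MockKMS{keys: map[string][]byte{}}
	rec, vek, _ := CreateEncryptedVolume(kms)
	got, err := StartEncryptedVolume(kms, rec)
	fmt.Println("startup unwraps the same key:", err == nil && string(got) == string(vek))
	kms.Destroy(rec.KMSIdentifier) // retire the KMS key; the volume can no longer be opened
	_, err = StartEncryptedVolume(kms, rec)
	fmt.Println("after the KMS key is destroyed:", err)
}
```

Binding the KMS identifier as associated data is a design choice of this example rather than something the page states; it makes the record self-checking, so a wrapped key cannot be silently paired with the wrong KMS key. The practical check for operators is the second half of main: once the KMS key is destroyed, nothing on the disk can recover the volume key, which is the property the disk-retirement use case relies on.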
Note:
Veritas recommends that you use CPUs that support the Advanced Encryption Standard Instruction Set (the Intel Advanced Encryption Standard New Instructions, AES-NI) to improve performance.
Veritas recommends that you use IBM Secure Key Lifecycle Manager (SKLM), which supports KMIP protocol version 1.1, as a KMS server for this feature.
To register a Veritas Access cluster with the IBM SKLM KMS server
- Install the IBM SKLM server on any system in your environment. Visit this URL to find the IBM SKLM server versions that are supported with Veritas Access. Obtain the KMS server's public certificate in base64 format using its admin GUI console or the CLI.
- In the Veritas Access GUI management console, go to Settings > Services Management to register the Veritas Access cluster with the KMS server.
- Ensure that the time on the Veritas Access server and the IBM SKLM server is in sync.
- Select Provide Key & Certificates to generate self-signed certificates for the Veritas Access cluster. Provide the KMS server's public SSL certificate in the same window.
- The Configure KMS Server tab is now activated. Select this tab to enter the KMS server details.
- Use the IBM SKLM server's GUI-based management console to accept the client request from the Veritas Access cluster and to accept its SSL keys.
You can use the Storage> fs create command to create the file system with the encrypt=on option.
storage> fs create mirrored fs2 1g 2 pool1 protection=disk blksize=8192 pdir_enable=no encrypt=on
You can use the storage encryption feature in the GUI by activating the secure data storage policy. You can add new NFS and CIFS shares using the activated policy.
Note:
The encrypt=on option is supported for all file system layouts except largefs.