Update: Pure Storage® has ended support for EncryptReduce capability. Learn more about our winning encryption solution with FlashArray.
So how did this innovation become reality? Since storage technology is based entirely on applying imagination to scientific principles, it’s always struck me as odd that so many compromises are made in our industry. It’s not necessary. For example, why should anyone write copies and copies of the same data to disk? And why use disk at all now when superior solutions are available?
Pure started with our first FlashArray™ release in 2013 – with the premise that all data should be reduced, and all storage should be on flash. No compromises. Over time, this brought the cost of flash down to the cost of disk. We wouldn’t compromise on security either. We provided FIPS 140-2 certified encryption for all data written to the FlashArray. Clever and elegant in execution, it has zero impact on data reduction or performance.
The frustrating exception, however, is when servers must write already-encrypted data to our FlashArray. Sometimes businesses require this and it’s a disappointment because that value-for-flash-at-the-cost-of-disk is instantly wiped away if data reduction cannot be performed. Up until recently, we could not reduce data that is sent to us already encrypted.
But we had to eventually ask, why should this compromise exist? Why should encrypted, over-the-wire data not be reduced? All that stands between us would be a shared key between the server and the FlashArray.
In partnership with Thales, that’s exactly what we’ve done. Thales provides the Data Security Manager (DSM), a network appliance that manages keys. Thales also provides server software, Vormetric Transparent Encryption (VTE), that encrypts traffic based on the key provided by the DSM for writing encrypted data to a storage device. Thales is an industry leader in this space, so who better to partner with?
How does a FlashArray with EncryptReduce decrypt the traffic from the VTE equipped host? Easily! We simply use KMIP, an open protocol, to check out a key from the DSM. The DSM manages the FlashArray key and the VTE server key to make sure they are synchronous. Since we store the key in memory, we decrypt and encrypt, on the fly, for any VTE host. Our own write path is unchanged, and all of that data is still reduced and still FIPS 140-2 protected.
Security has traditionally had a reputation for diminishing usability and adding greater costs to operations – Pure Storage and Thales don’t think that’s acceptable. EncryptReduce is our testament to that shared belief.
Our current shared mission is to make sure EncryptReduce can reach as many organizations as possible. Currently, VTE is available for Linux only, but coming in a few weeks, this will be expanded to Windows as well. There’s been a lot of interest from the public sector and large enterprises, and having Windows support will undoubtedly increase that interest.
We’re excited to be joining Thales at this week’s RSA Conference held in San Francisco to share more of our joint solution. Stop on by Moscone North at the Thales Booth #5445 to learn more. Can’t make the show? Follow us @PureStorage and #ThalesRSA2020.
Get more technical details on Pure Storage EncryptReduce technology
Contact your Pure Storage value-added-reseller or account team for additional information.