Volume encryption

VxVM provides security for data at rest by encrypting VxVM data volumes. Encryption transforms data into a form that can be read only by authorized users who hold the corresponding key.

You can encrypt VxVM data volumes to:

The implementation uses the Advanced Encryption Standard (AES) cryptographic algorithm with a 256-bit key, as validated under the Federal Information Processing Standard Publication 140-2 (FIPS PUB 140-2) security standard.

You can encrypt volumes or disk groups in your storage environment. VxVM generates a volume encryption key at the time of volume creation. The volume encryption key is secured (wrapped) using a key wrap, and the wrapped key is stored with the volume record. The unwrapped volume encryption key is never stored on disk.

You can secure the volume encryption key using one of the following methods:

Using Passphrases (PBE)

See Using passphrases for encryption.

Using Key Management Server (KMS)

See Using Key Management Server for encryption.

Figure: Encryption describes the encryption process.

Figure: Encryption


If you encrypt a disk group, all volumes in the disk group are encrypted. Any volume created later in the disk group is also encrypted by default.

Only new volumes that are created using disk group version 220 or later can be encrypted by VxVM.

When you start an encrypted volume, VxVM uses the key wrap to retrieve (unwrap) the volume encryption key and enable access to the volume.

Figure: Decryption illustrates the decryption process.

Figure: Decryption

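The two steps described above (a random volume key wrapped at creation and stored with the volume record, then unwrapped at volume start) can be illustrated with the following example. This is added illustrative code written for this page, not VxVM's own implementation or on-disk format: it assumes the passphrase (PBE) method, derives the wrapping key with PBKDF2-HMAC-SHA256 (written out so only the Go standard library is needed), and uses AES-256-GCM as the key wrap. The VolumeRecord type, the function names and the iteration count are constructed for the example. The page does not state which key-derivation function or wrap construction VxVM uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// VolumeRecord is a constructed stand-in for the metadata stored with a volume.
// Only the wrapped key and the wrapping parameters are recorded; the plaintext
// volume encryption key is never written into it.
type VolumeRecord struct {
	Name       string
	Salt       []byte // salt for the passphrase-derived wrapping key (assumed PBKDF2)
	Iterations int
	Nonce      []byte // AES-GCM nonce used for the wrap (assumed construction)
	WrappedKey []byte // AES-256 volume key encrypted under the wrapping key
}

// pbkdf2SHA256 derives keyLen bytes from a passphrase (PBKDF2-HMAC-SHA256, RFC 8018).
func pbkdf2SHA256(pass, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		binary.Write(mac, binary.BigEndian, block) // U1 = PRF(P, S || INT(i))
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // Uj = PRF(P, U(j-1)); T = U1 xor ... xor Uc
			mac = hmac.New(sha256.New, pass)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CreateEncryptedVolume mirrors the creation step: a fresh random 256-bit volume
// key is generated and wrapped, and only the wrapped form goes into the record.
// The plaintext key is returned so the caller can hold it in memory only.
func CreateEncryptedVolume(name string, passphrase []byte, iterations int) (*VolumeRecord, []byte, error) {
	volKey := make([]byte, 32) // AES-256 volume encryption key
	salt := make([]byte, 16)
	if _, err := rand.Read(volKey); err != nil {
		return nil, nil, err
	}
	if _, err := rand.Read(salt); err != nil {
		return nil, nil, err
	}
	aead, err := newGCM(pbkdf2SHA256(passphrase, salt, iterations, 32))
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// The volume name is bound as associated data, so a wrapped key copied into
	// a different volume record fails to unwrap.
	wrapped := aead.Seal(nil, nonce, volKey, []byte(name))
	return &VolumeRecord{Name: name, Salt: salt, Iterations: iterations, Nonce: nonce, WrappedKey: wrapped}, volKey, nil
}

// StartVolume mirrors the start step: the passphrase re-derives the wrapping key
// and unwraps the volume key. A wrong passphrase or a modified record fails
// authentication and yields no key material at all.
func StartVolume(rec *VolumeRecord, passphrase []byte) ([]byte, error) {
	aead, err := newGCM(pbkdf2SHA256(passphrase, rec.Salt, rec.Iterations, 32))
	if err != nil {
		return nil, err
	}
	volKey, err := aead.Open(nil, rec.Nonce, rec.WrappedKey, []byte(rec.Name))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong passphrase or corrupted volume record")
	}
	return volKey, nil
}

func main() {
	rec, key, err := CreateEncryptedVolume("datavol01", []byte("example passphrase"), 100000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("record holds %d wrapped bytes; plaintext key present in record: %v\n",
		len(rec.WrappedKey), bytes.Contains(rec.WrappedKey, key))
	got, err := StartVolume(rec, []byte("example passphrase"))
	fmt.Println("start with correct passphrase:", err == nil && bytes.Equal(got, key))
	_, err = StartVolume(rec, []byte("wrong passphrase"))
	fmt.Println("start with wrong passphrase rejected:", err != nil)
}
```

The point to take from the example is the separation the text describes: what persists with the volume record is the wrapped key plus its public wrapping parameters, and access to the volume depends entirely on being able to unwrap it again at start time.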

The following capabilities are not supported by VxVM encryption: