What Is Encryption?
Encryption secures data by converting it into a ciphertext that can only be interpreted by those with the correct decryption key. It is used to protect data:
- At rest (stored on disk, tape, or flash)
- In transit (transmitted over networks or between systems)
Encryption is essential for:
- Ensuring data confidentiality
- Meeting compliance requirements (e.g. GDPR, HIPAA, ISO 27001)
- Protecting against theft, interception, and data leaks
Types of Encryption
- Symmetric encryption (e.g., AES): The same key is used for both encryption and decryption. It’s fast and widely used in storage systems for protecting large volumes of data.
- Asymmetric encryption (e.g., RSA): Uses a pair of keys—one public, one private. Common in secure communications, email signing, and certificate-based access.
- Full-disk encryption (FDE): Encrypts the entire storage device. Ensures that all data is inaccessible without authentication, even if the disk is physically removed.
- Volume- or file-level encryption: Targets specific datasets or files, offering more granular protection—often preferred in shared or multi-tenant storage environments.
- Encryption in transit: Secures data as it moves across networks using TLS, VPNs, or secure transfer protocols such as SFTP and HTTPS.
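The list above treats symmetric and asymmetric encryption separately; in practice storage and transport systems combine them: a fast symmetric cipher protects the data and an asymmetric key protects only the short symmetric key. The Go program below is an added example written for this page, not code from Open-E or JovianDSS. It uses only the Go standard library (AES-256-GCM for the payload, RSA-OAEP to wrap the data key); the sample record, the OAEP label "data-key" and the names Envelope, Encrypt and Decrypt are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Added example (not Open-E code): bulk data is encrypted symmetrically with AES-256-GCM;
// the 32-byte data key is then wrapped asymmetrically with RSA-OAEP so only the holder of
// the private key can recover it. GCM also authenticates, so any modification is detected.

// encryptSymmetric seals plaintext with AES-256-GCM; output is nonce || ciphertext || tag.
func encryptSymmetric(key, plaintext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // 12 random bytes, never reused with this key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptSymmetric reverses encryptSymmetric and fails if the tag does not verify.
func decryptSymmetric(key, blob []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// wrapKey encrypts a data key to an RSA public key; unwrapKey needs the matching private key.
func wrapKey(pub *rsa.PublicKey, dataKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte("data-key"))
}

func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte("data-key"))
}

// Envelope is what would be stored or transmitted: the wrapped key plus the sealed payload.
type Envelope struct{ WrappedKey, Sealed []byte }

// Encrypt generates a fresh data key per payload, seals the payload, and wraps the key to pub.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	sealed, err := encryptSymmetric(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := wrapKey(pub, dataKey)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, sealed}, nil
}

// Decrypt is the receiving side: unwrap the data key with priv, then open the payload.
func Decrypt(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	dataKey, err := unwrapKey(priv, e.WrappedKey)
	if err != nil {
		return nil, err
	}
	return decryptSymmetric(dataKey, e.Sealed)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("constructed sample record: patient 4711, lab results")
	env, _ := Encrypt(&priv.PublicKey, msg)
	out, err := Decrypt(priv, env)
	fmt.Println("round trip ok:", bytes.Equal(out, msg), err)
	env.Sealed[len(env.Sealed)-1] ^= 1 // flip one bit of the GCM tag
	_, err = Decrypt(priv, env)
	fmt.Println("tampered payload rejected:", err != nil)
}
```

The split matters for the storage case in particular: re-keying the recipient (a new RSA key pair) means re-wrapping 32 bytes, not re-encrypting the payload, and a flipped bit anywhere in the sealed payload is rejected at decryption instead of producing silently corrupted plaintext.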
Encryption in Open-E JovianDSS
Open-E JovianDSS supports encryption at the storage level through the underlying ZFS file system and integration with system-level tools:
- ZFS-native encryption (planned): While ZFS supports dataset-level encryption in some upstream variants, Open-E currently relies on full-volume encryption via OS tools like LUKS or hardware modules.
- LUKS-based volume encryption: Encrypts entire block devices before ZFS or the file system is applied. It protects data from unauthorized access even if physical drives are stolen.
- Password or key-file management: Encrypted volumes in Open-E JovianDSS can be secured with user-specified keys or stored passphrases, depending on use case and security policies.
- Encryption combined with snapshots and replication: Snapshots and replication maintain encryption boundaries. Data remains secure during backup, sync, or site-to-site transfer—depending on replication mode and target configuration.
- Support for hardware-based encryption modules: Open-E JovianDSS supports self-encrypting drives (SEDs) and external TPM/HSM devices for environments requiring FIPS-level security or key escrow.
Benefits of Encryption in Storage
- Prevents unauthorized data access: Even if disks are removed, lost, or stolen, encrypted data remains unreadable to outsiders without the appropriate decryption credentials.
- Enables compliance with industry standards: Regulations such as GDPR, PCI DSS, and HIPAA mandate encryption of sensitive data—particularly in healthcare, finance, and government sectors.
- Protects backup and archive media: Tapes, external drives, or cold storage are frequent attack targets. Encryption ensures long-term security even in offsite scenarios.
- Reduces breach impact: In the event of intrusion or exfiltration, encrypted data cannot be used, minimizing reputational and financial damage.
- Secures data in multi-tenant environments: For MSPs or virtualization hosts, encryption separates client datasets, preventing lateral movement across shared infrastructure.
Best Practices for Storage Encryption
- Choose strong, industry-accepted algorithms: Use AES-256 or higher for symmetric encryption. Avoid outdated standards like DES or RC4.
- Store keys securely and separately: Key management is critical—use hardware modules or separate servers to store encryption keys away from the data they protect.
- Encrypt backups as well as live systems: Never assume backup data is safer. Use encrypted snapshots and protect external media with full-disk or file-level encryption.
- Minimize performance impact: Use encryption-optimized CPUs or hardware encryption where available to reduce latency, especially on write-heavy systems.
- Test decryption and recovery procedures: Ensure your team can reliably unlock, restore, or rekey encrypted volumes without data loss in real scenarios.