vSAN Hyperconverged Infrastructure Software-Defined Storage

Understanding vSAN Encryption – “Erase disks before use”

A few questions routinely come up when using “Erase disks before use” with vSAN Encryption.

 

What occurs when “Erase disks before use” is used?

First, it is important to understand that this does not destroy active data.

The rolling reformat process evacuates data from a disk group, to another disk group, before beginning the encryption of the disk group. This setting enables random data to then be written to each device in the disk group before these devices are encrypted.

Why random data? In one case, if only ones or zeros were written to the device, deduplication and compression could potentially interfere with the effectiveness of the wipe.

This process can be very time consuming. Different items come into consideration when determining the amount of time necessary to wipe the storage devices. Some of these include the media type, specifically its performance characteristics and its connection protocol (such as NVMe, SAS, NL-SAS, SATA), as well as the capacity, and the number of devices in each host in a cluster.

This wipe process aligns with the NIST 800-88 Revision 1 “Clear” definition:

Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).

Further inspection of NIST 800-88 Revision 1, specifically Appendix A, addresses different requirements for different media types when it comes to a Clear operation. The following table is a summary relevant to vSAN device types:

Media Type Media Types Guidance for Clear Operations
ATA Hard Disk Drives PATA, SATA, eSATA, etc Overwrite media by using organizationally approved and validated overwriting technologies/methods/tools. The Clear pattern should be at least a single write pass with a fixed data value, such as all zeros. Multiple write passes or more complex values may optionally be used.
SCSI Hard Disk Drives Parallel SCSI, SAS, FC, UAS, and SCSI Express Overwrite media by using organizationally approved and validated overwriting technologies/methods/tools. The Clear procedure should consist of at least one pass of writes with a fixed data value, such as all zeros. Multiple passes or more complex values may optionally be used.
ATA Solid State Drives (SSDs) PATA, SATA, eSATA, etc
  1. Overwrite media by using organizationally approved and tested overwriting technologies/methods/tools. The Clear procedure should consist of at least one pass of writes with a fixed data value, such as all zeros. Multiple passes or more complex values may alternatively be used.Note: It is important to note that overwrite on flash-based media may significantly reduce the effective lifetime of the media and it may not sanitize the data in unmapped physical media (i.e., the old data may still remain on the media).
  2. Use the ATA Security feature set’s SECURITY ERASE UNIT command, if supported.
SCSI Solid State Drives (SSSDs) Parallel SCSI, SAS, FC, UAS, and SCSI Express Overwrite media by using organizationally approved and tested overwriting technologies/methods/tools. The Clear procedure should consist of at least one pass of writes with a fixed data value, such as all zeros. Multiple passes or more complex values may alternatively be used.
Note: It is important to note that overwrite on flash-based media may significantly reduce the effective lifetime of the media and it may not sanitize the data in unmapped physical media (i.e., the old data may still remain on the media).
NVM Express SSDs NVMe devices Overwrite media by using organizationally approved and tested overwriting technologies/methods/tools. The Clear procedure should consist of at least one pass of writes with a fixed data value, such as all zeros. Multiple passes or more complex values may alternatively be used.

The “Erase disks before use” option meets the requirements of each of these. Though all zeros are not being written, random data (a more complex value) is written instead.

When should “Erase disks before use” be used?

Choosing when to perform a wipe operation is as important to know as the wiping process itself. Should “Erase disks before use” regularly at some interval? Or is it just when first enabling vSAN Encryption on a vSAN cluster?

Some valid use cases for this wiping before encryption include:

  • Enabling encryption if a cluster already has data on it
  • Adding hosts or disks that already had non-encrypted clear text data on them to an encrypted vSAN cluster

It is important to consider that only new data is encrypted when vSAN Encryption is enabled. This wiping process ensures there is no residual data on a storage device used by vSAN.

What happens if “Erase disks before use” isn’t used on an existing cluster or added host?
The process of enabling vSAN Encryption only encrypts new data.

Whether it is an existing cluster, or simply a existing host being added to a vSAN cluster, any residual data could potentially still be recovered.

 

Recommendations

Recommendations for “Erase disks before use” when using vSAN Encryption are:

  • Select “Erase disks before use”
    • When enabling vSAN Encryption for existing vSAN clusters that have vSAN objects on them
    • When adding a host that has data on local devices to an encrypted vSAN cluster
    • When performing a rekey operation to invoke a deep rekey (requesting a new KEK and new unique DEKs created for each vSAN storage device)
  • Deselect “Erase disks before use”
    • When enabling vSAN Encryption for a new vSAN cluster that has not previously had data on the vSAN devices
    • When adding a host that has not had data on local devices that is being added to an encrypted vSAN cluster
    • When performing a rekey operation to invoke a shallow rekey (only requesting a new KEK)