Decru Lifetime Key Management
Decru's LKM is available as a software-only package or as an
appliance (Network Appliance Inc. acquired Decru in 2005). The LKM
client software runs on Windows, while the LKM appliance runs
DecruOS. The LKM system supports Decru's DataFort appliances, which
encrypt NAS, DAS, SAN, tape and iSCSI storage. One key management
appliance can support up to 100 encryption appliances and more than
10 million keys. As many as 16 LKM appliances can be clustered
across multiple sites for high availability, with automated key
replication among them, and all LKM appliances can be managed
through a single interface.
The system provides automatic, globally distributed backup,
replication and recovery of encryption keys; automated key sharing
between appliances delivers keys securely, so they are never
transmitted in the clear and never need to be held in insecure
local storage. Additional features include role-based access
control, an OpenKey Partner Program that offers APIs and reference
implementations, and a hardware random-number generator from which
third-party encryption products can request random numbers.
The LKM appliance incorporates APIs to allow third-party
encryption products to leverage Decru's key management system to
generate, store and manage keys. Symantec and Quantum Corp. are
charter members of Decru's OpenKey Partner Program, and have agreed
to partner with Decru to use the LKM appliance for key
management.
Each appliance is built on the DataFort FIPS-certified Storage
Encryption Processor, and encryption keys never leave this processor
in cleartext. The processor is coated in a hardened epoxy to resist
probing and other attempts to gain physical access to the chip. The
chassis is hardened, carries tamper-evident seals and has an
intrusion-detection mechanism that can be configured to delete
local copies of keys if the box is opened or otherwise tampered
with.
Administrators authenticate with smart cards as a second factor. A
comprehensive audit log, cryptographically signed so that any
tampering is evident, records all key movement and administrative
actions. The LKM software is priced at $10,000 per license; pricing
for the LKM appliance hasn't been announced yet.
nCipher keyAuthority
nCipher's keyAuthority is a key management application designed to
work with standard cryptographic APIs such as Microsoft's CryptoAPI
(MS-CAPI), RSA Laboratories' PKCS#11, Java JCA/JCE providers and
OpenSSL, and its cryptographic hardware is validated to FIPS 140-2,
the standard for cryptographic modules.
The server application is secured with FIPS 140-2 validated hardware
security modules that support dual-control (two-person)
authentication. The software runs on leading server operating
systems and can use a variety of SQL databases for its back end. It
delivers keys to "end points" (the points where keys are used)
running on a variety of common server operating systems.
keyAuthority applies policy-based rules to key delivery and has
strong archive and audit capabilities. The system scales to
thousands of end points, and its resilient architecture allows, for
example, keys to be served from multiple keyAuthority systems at
different locations, all managed from a central console. Secure
audit logs of management and operational activities ease compliance
audits.
keyAuthority can automatically provision different key types to
different applications: if you buy the system to manage storage
encryption keys, you can also use it to manage SSL keys for your Web
applications or Java keys for custom applications. Pricing starts at
approximately $50,000 for a small system with a limited number of
supported end points.
NeoScale CryptoStor KeyVault
The NeoScale Systems CryptoStor KeyVault is a secure, automated,
open, enterprise-class appliance for storage encryption-key
management. It offers the features required for FIPS 140-2 Level 3,
such as tamper-evident seals and dual-control authentication, and
provides open APIs for third-party vendor integration. Each
appliance supports up to 200 million keys, and multiple redundant
KeyVaults provide scalability, fault tolerance and protection
against loss of keys.
CryptoStor KeyVault combines hardware and software random-number
generators so that keys are generated with sufficient entropy, and
provides secure long-term archiving of keys. Encrypted data and its
keys can be recovered at any site, using either a distributed local
appliance or a software-only product.
The system provides role-based security and authentication, and
encryption up to AES-256. All communications between the appliance
and the key consumer (the system using the key) are encrypted, so
keys never travel in cleartext. Audit logs are cryptographically
signed so that tampering can be detected, and can be exported as
encrypted, signed files for forensic purposes.
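The signed, tamper-evident audit logs described for the Decru and NeoScale appliances rest on two ingredients: each record is bound to the record before it, and every record carries an authentication tag that cannot be recomputed without a secret held by the logger. The Python below is an added example, not code from either vendor, showing the shape of such a log. An HMAC-SHA256 hash chain stands in for the appliance's signature, the event fields and the MAC key are constructed for illustration, and the example also shows the one attack a chain alone cannot catch (silently dropping the newest records) and how an exported head tag closes that gap.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample audit events; the field names are assumptions for this
# example, not any vendor's log schema.
SAMPLE_EVENTS = [
    {"actor": "admin-1", "action": "key.create", "key_id": "k-0001"},
    {"actor": "replicator", "action": "key.replicate", "key_id": "k-0001", "peer": "site-b"},
    {"actor": "admin-2", "action": "role.grant", "subject": "operator-7", "role": "key-user"},
    {"actor": "tape-encryptor-3", "action": "key.fetch", "key_id": "k-0001"},
]

GENESIS = "00" * 32  # fixed anchor that the first record chains to


def _canonical(obj) -> bytes:
    """Deterministic JSON encoding so the tag covers exactly one byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(mac_key: bytes, seq: int, prev: str, event: dict) -> str:
    """HMAC over sequence number, previous tag and event (stand-in for an HSM signature)."""
    body = {"seq": seq, "prev": prev, "event": event}
    return hmac.new(mac_key, _canonical(body), hashlib.sha256).hexdigest()


def append_event(log: list, mac_key: bytes, event: dict) -> dict:
    """Append a record whose tag binds it to its position and to the previous record."""
    seq = len(log)
    prev = log[-1]["tag"] if log else GENESIS
    record = {"seq": seq, "prev": prev, "event": event,
              "tag": _tag(mac_key, seq, prev, event)}
    log.append(record)
    return record


def verify_log(log: list, mac_key: bytes, expected_head: Optional[str] = None):
    """Return (True, None) if every record is intact and correctly chained.

    Otherwise return (False, seq) for the first bad record, or (False, -1) if
    the log is shorter than the head tag recorded at the last export implies.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i  # record moved, deleted or re-spliced
        expected = _tag(mac_key, rec["seq"], rec["prev"], rec["event"])
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i  # contents changed after the tag was computed
        prev = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, -1  # chain is internally consistent but truncated
    return True, None


def build_log(mac_key: bytes, events=SAMPLE_EVENTS) -> list:
    log = []
    for ev in events:
        append_event(log, mac_key, ev)
    return log


def demo() -> dict:
    """Build a log and run it through three tampering scenarios; return the verdicts."""
    mac_key = b"constructed-demo-mac-key-not-for-production"  # assumption: demo key only
    log = build_log(mac_key)
    head = log[-1]["tag"]  # what an exported, signed log file would carry off the box
    results = {"clean": verify_log(log, mac_key, head)}

    # 1. Rewrite history: change the actor on a past record. Its tag no longer matches.
    edited = json.loads(json.dumps(log))
    edited[2]["event"]["actor"] = "nobody"
    results["edited"] = verify_log(edited, mac_key, head)

    # 2. Remove a middle record and renumber the rest. The prev-chain breaks at the splice.
    spliced = json.loads(json.dumps(log))
    del spliced[1]
    for i, rec in enumerate(spliced):
        rec["seq"] = i
    results["spliced"] = verify_log(spliced, mac_key, head)

    # 3. Drop the newest record. The chain alone still verifies; the exported head does not.
    truncated = log[:-1]
    results["truncated_no_anchor"] = verify_log(truncated, mac_key)
    results["truncated_with_anchor"] = verify_log(truncated, mac_key, head)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

Two points carry over to the appliances in this article. An HMAC means the verifier must hold the same secret as the logger, which is acceptable inside one trust domain but is why a product signs its log with a private key kept in the HSM, so auditors need only the public key. And because truncation is invisible to any hash chain, the value of "exporting signed log files" lies in parking the latest tag somewhere the appliance administrator cannot rewrite.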
Appliances can be deployed in a distributed cluster, which
replicates keys automatically among the members. To limit exposure,
keys are released from the vault only when they're actually needed.
In addition to key management, KeyVault can enforce data
destruction to meet compliance requirements; a key manager does
this by destroying the keys, after which the protected data is
unrecoverable. The complete KeyVault appliance, including hardware
and software, is priced from $25,000.
Vormetric CoreGuard
The Vormetric system consists of the CoreGuard Security Server
appliance and a Policy Enforcement Module (PEM) that runs on
Windows, Solaris, AIX, Linux (32- and 64-bit) and HP-UX. The
Security Server appliance handles storage encryption and key
management, and offers the usual FIPS 140-2 Level 3 features.
Symmetric encryption keys are generated, managed and stored on the
hardware appliance and securely transmitted to hosts running the
CoreGuard PEM; keys are never disclosed to users. Encryption and
access control are enforced automatically, with no user action
required. Multiple appliances can be clustered for redundancy and
scalability. Encryption keys can also be archived under the
protection of public-key encryption or hardware smart cards.
Pricing for a security server and one PEM starts at $15,000.
Get started now
As encryption becomes more commonplace, the risk of improperly
secured or lost encryption keys grows with it. The obvious answer
is an enterprise-wide system that issues, tracks and secures
encryption keys in a logical, uniform manner. Systems with the full
set of those capabilities aren't widely available yet, but a number
of vendors are developing them. Keeping track of proliferating
encryption keys will only get harder, so don't put off establishing
key management policies and making use of the tools that are
available.
Return to "How to manage encryption keys," page 1.
This article first appeared in
Storage magazine's October 2006 issue.