Key Management – The Dirty Secret of HCI Encryption

Edge data centers can be remote retail locations or offices, oil rigs, temporary command centers and even mobile data centers in the back of a van. Finding a solution that provides the performance edge data centers need at a price that makes sense is challenging enough, but IT must also deal with the fact that the “front-line” nature of these data centers exposes them to theft far more than the typical core data center. Encryption of storage on these systems is critical and a fundamental part of encryption is key management, a task that is particularly hard at scale, across dozens, hundreds or even thousands of locations.

Hyperconverged Infrastructure (HCI) deployments are becoming increasingly popular at the edge. Two node HCI clusters enable organizations to implement powerful, mini-data centers easily, almost anywhere. The challenge is that the two node configurations are more vulnerable to theft than the typical multi-node HCI cluster and in most cases, each node has all the data. Additionally, because these are edge data centers, there is an extra emphasis on keeping the footprint small, which makes the configuration all that much more vulnerable to theft.

At the same time, most edge data center use cases require an on-premise footprint and real-time access to data, so eliminating the edge data center and remotely connecting into equipment in a core data center or the public cloud, is often not viable. Edge data centers are a necessity for many organizations so in order to protect corporate assets, organizations must use some form of encryption.

How Do Organizations Encrypt Edge HCI Today?

If organizations encrypt edge HCI at all, they typically utilize self-encrypting drives (SED). The problem is that self-encrypting drives only provide protection if someone physically removes the drive from the server in which it is installed. In all likelihood the entire HCI node (in many cases both nodes) is stolen, since the thief won’t take the time to open the unit up and remove the drives. If someone boots the node or nodes without removing the drives, then the self-encrypting drives provide no protection.

Alternatively, the organization can choose to deploy software encryption that requires using a key to access data on those drives. While using a software based encryption method with an external key is the preferred method, the solution presents many challenges. First, IT needs to purchase and deploy the software. Most encryption software is designed to work within a core data center, rather than deploy it across dozens or hundreds of sites. They often lack multi-site key management and the expense per site can range from $7,000 to $20,000 making it cost prohibitive.

The more common choice for encrypting data at the edge data center is doing nothing because it is too expensive and too complicated to buy, implement and support. The problem with doing nothing is it exposes data in an environment where theft of equipment is far more likely than in the core data center.

The result is that HCI solutions that focus on the edge use case are an ideal solution to the challenges organizations face equipping those locations but they also highlight an area of exposure that these organizations need to address. Organizations need an HCI Edge solution that not only optimizes and simplifies the deployment of HCI at hundreds of remote sites but also manages encryption across those sites.

Solving the Edge Data Center Encryption Challenge

Software based storage encryption at the edge is key so that even if an entire node within the HCI cluster is stolen, or even the whole cluster, the data is inaccessible. Key managed encryption works by having the remote HCI cluster communicate back to a key manager, either in the core data center or in the cloud. This centralized key manager provides encryption keys to the remote site when necessary. The remote site requests existing keys or requests new keys when there is site disruption such as power failure, storage issues, server reboot, etc. Also, if someone is attempting to hack into the unit at the edge location, IT can change the key (re-key) or de-authenticate the cluster so the data on that system is instantly unreadable.

The challenge for organizations looking to implement this type of encryption strategy is how to manage key access. Key management is critical since lack of access to the keys means the edge data center can’t get to them, but easy access means that the thief can get to them.

An enterprise key management system typically implements and stores keys in at least two separate locations and grants access to encrypted data. If the organization doesn’t have two dedicated locations, they may want to use the public cloud as a second location or even two cloud instances as multiple locations. Even the most basic of connectivity (LTE) is enough to authenticate and provide access to the data stored locally.

The problem is the cost of key management software is expensive and most solutions aren’t designed to manage dozens or hundreds of edge data center locations.

Introducing StorMagic, Encrypting HCI for the Edge

StorMagic provides HCI solutions for enterprises and small to medium sized businesses. A key area of focus for the company are edge data centers where their unique storage mirroring technique and efficient processor utilization allows the implementation of small footprint, two node HCI clusters capable of running the majority of edge data center applications. The solution is cost effective and highly available. StorMagic also provides a centralized cluster management function that runs at the core data center.

HCI seems like an ideal solution for the edge because it packages compute, storage and networking into a single solution. The problem is that most HCI solutions require the implementation of a minimum of three nodes for data redundancy. Three nodes is overkill for most edge data centers, and leads to configuration challenges as well as wasted compute and storage.

StorMagic runs on two nodes and mirrors data between the two nodes. It can leverage the core data center as the central point of deployment and management. The core data center implementation can also act as the witness for the edge two-node cluster, avoiding split-brain scenarios. This remote witness is implemented as a single virtual machine, running on any hardware and can manage up to 1,000 remote sites.

Another problem with typical HCI is they often require that the customer buy the server hardware from the HCI vendor. Most edge data center rollouts involve dozens if not hundreds of locations, so paying a premium for hardware makes it hard to cost justify the HCI investment. StorMagic runs on virtually any hardware and works with the three major hypervisors (VMware, Hyper-V and Linux KVM).

StorMagic’s success in equipping edge data center locations is placing them in conversations where their customers want their assistance in solving the edge encryption problem. StorMagic’s solution is StorSecure. It is cost effective at only $2,000 per site for unlimited keys. It also is very flexible; IT can deploy the key manager on the HCI cluster, in the core data center or in the cloud. While installing the key manager with the HCI cluster is not the most ideal method, because the keys are now with the data, some organizations have edge data centers in need of that level of site independence. In most cases, IT installs the key manager at the core data center or in the cloud.

Even organizations not yet familiar with encryption and key management will find StorSecure simple to implement and operate. The solution is software only and does not require special encryption hardware, or disk drives. It also excels at multi-site deployment. It includes policies for backing itself up and key rotation. IT can choose to secure a specific set of volumes or all the storage in the HCI cluster. Encryption is FIPS 140-2 compliant.

StorSecure encrypts data before writing it to disk, avoiding the need for the hypervisor or operating system to run specific agents. Being outside of the hypervisor also makes the solution immune to attacks that the target operating system or hypervisor vulnerabilities.


The completeness of HCI makes it an ideal solution for edge data center if the solution can overcome two obstacles. First, IT must be able to deploy the HCI solution with as minimal cost and physical footprint as possible, with two nodes being ideal. Second, the solution must be secure. Edge data centers are on the front lines and that positioning exposes them to theft. Encryption is a necessity but it needs to be both affordable and scalable.

StorMagic is delivering a solution that overcomes both of these significant obstacles. The solution only requires two servers and pricing starts at under $10,000, including the hardware. It can run on a wide variety of hardware and hypervisors. Additionally, now with StorSecure, the solution provides extensive protection from theft.

Sponsored by StorMagic

Sign up for our Newsletter. Get updates on our latest articles and webinars, plus EXCLUSIVE subscriber only content.

George Crump is the Chief Marketing Officer at VergeIO, the leader in Ultraconverged Infrastructure. Prior to VergeIO he was Chief Product Strategist at StorONE. Before assuming roles with innovative technology vendors, George spent almost 14 years as the founder and lead analyst at Storage Switzerland. In his spare time, he continues to write blogs on Storage Switzerland to educate IT professionals on all aspects of data center storage. He is the primary contributor to Storage Switzerland and is a heavily sought-after public speaker. With over 30 years of experience designing storage solutions for data centers across the US, he has seen the birth of such technologies as RAID, NAS, SAN, Virtualization, Cloud, and Enterprise Flash. Before founding Storage Switzerland, he was CTO at one of the nation's largest storage integrators, where he was in charge of technology testing, integration, and product selection.

Tagged with: , , , , , , , , , , ,
Posted in Article

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 25,514 other subscribers
Blog Stats
%d bloggers like this: