Key management
The Key Management System (KMS) ensures that encryption keys are securely managed and rotated regularly. The KMS includes a general-purpose key management system and an additional subsystem integrated at the infrastructure level. A unique encryption key is issued for each storage object (disk, shared filesystem or bucket). Data is encrypted with data encryption keys (DEKs), and each DEK is in turn encrypted with a key encryption key (KEK). In this envelope scheme the KEK never touches the data itself, so rotating a KEK means re-wrapping the DEKs rather than re-encrypting the stored data.
Encryption by storage type
Disks in Compute
Data stored on disks is encrypted both at the service level and at the infrastructure level. This double encryption ensures strong data protection.
- DEKs are generated and managed by the Compute service.
- KEKs are managed by the infrastructure layer of the KMS.
Shared filesystems in Compute
Data stored in shared filesystems is encrypted at the infrastructure level. Encryption is applied to the physical disks in the storage cluster, so all data blocks are protected without affecting performance. DEKs are generated and managed by the infrastructure layer of the KMS.
Buckets in Object Storage
Data stored in buckets is encrypted both at the service level and at the infrastructure level. This double encryption ensures strong data protection.
- DEKs are generated and managed by the Object Storage service.
- KEKs are managed by the KMS.
WEKA storage
Data stored in WEKA scalable storage can be encrypted at the service level. Encryption is opt-in: you must enable it when you create the WEKA filesystem, because an existing WEKA filesystem cannot be converted to an encrypted one later. WEKA uses XTS-AES-256 with two independent AES-256 keys (one encrypts the data, the other encrypts the per-sector tweak).
- DEKs are generated and managed by the WEKA service.
- KEKs are managed by the KMS.
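The DEK/KEK scheme used by every storage type above, worked through as an added example written for this page (it is not the provider's, Compute's, Object Storage's or WEKA's code): an in-process KMS stand-in holds versioned KEKs and exposes only Wrap and Unwrap, the storage-service side seals each object under its own fresh DEK, and a KEK rotation re-wraps the DEKs without touching the object data. AES-256-GCM for both layers, the version numbering and all type and function names are assumptions of the example; the page does not say which cipher wraps the DEKs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type EnvelopedObject struct { // what a storage service persists per object; the DEK is never stored in the clear
	KEKVersion int    // KEK version that wrapped the DEK; needed for rotation
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, data)
}

// KMS is an in-process stand-in (assumed here) for the key management service; it exposes only Wrap/Unwrap.
type KMS struct{ keks [][]byte } // keks[i] is KEK version i+1; the last one is current

func (k *KMS) Rotate() { k.keks = append(k.keks, randomBytes(32)) } // old versions stay so their DEKs can be unwrapped

func (k *KMS) Wrap(dek []byte) (version int, wrapped []byte) {
	return len(k.keks), gcmSeal(k.keks[len(k.keks)-1], dek)
}

func (k *KMS) Unwrap(version int, wrapped []byte) ([]byte, error) {
	if version < 1 || version > len(k.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", version)
	}
	return gcmOpen(k.keks[version-1], wrapped)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not a condition to recover from
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a wrong key length: a programming error
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block GCM needs
	return aead
}

func gcmSeal(key, plaintext []byte) []byte {
	aead := newGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil) // random 96-bit nonce prepended to the output
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	aead := newGCM(key)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil) // GCM authenticates, so any tampering fails here
}

// Encrypt is the storage-service side: fresh DEK per object, data sealed under it, DEK wrapped by the KMS.
func Encrypt(kms *KMS, data []byte) *EnvelopedObject {
	dek := randomBytes(32)
	ver, wrapped := kms.Wrap(dek)
	return &EnvelopedObject{KEKVersion: ver, WrappedDEK: wrapped, Ciphertext: gcmSeal(dek, data)}
}

func Decrypt(kms *KMS, obj *EnvelopedObject) ([]byte, error) {
	dek, err := kms.Unwrap(obj.KEKVersion, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, obj.Ciphertext)
}

// RotateKEK is what regular KEK rotation costs: a new KEK and a re-wrap of each DEK; object data is untouched.
func RotateKEK(kms *KMS, objs []*EnvelopedObject) error {
	kms.Rotate()
	for _, o := range objs {
		dek, err := kms.Unwrap(o.KEKVersion, o.WrappedDEK)
		if err != nil {
			return err
		}
		o.KEKVersion, o.WrappedDEK = kms.Wrap(dek)
	}
	return nil
}

func main() {
	kms := &KMS{}
	kms.Rotate()
	obj := Encrypt(kms, []byte("constructed sample block")) // constructed input
	err := RotateKEK(kms, []*EnvelopedObject{obj})
	pt, _ := Decrypt(kms, obj)
	fmt.Printf("KEK v%d after rotation, plaintext %q, err %v\n", obj.KEKVersion, pt, err)
}
```

Two things to notice when running it with go run: the KEK never leaves the KMS stand-in (the service side only ever calls Wrap and Unwrap), and RotateKEK leaves Ciphertext byte-for-byte unchanged, which is why regular rotation stays affordable for large disks and buckets. The flip side is that old KEK versions must be retained until every DEK wrapped under them has been re-wrapped; discarding one early makes every object that still references it unrecoverable.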