OCP L.O.C.K..pdf

1、OCP L.O.C.K.LayeredOpen-sourceCryptographicKey-managementJeff Andersen,Staff Software Engineer,GoogleEric Eilertson,Principal Engineer,MicrosoftOCP L.O.C.K.Security and Data ProtectionWho we areLife of a data center storage deviceDrive arrives from the supplierDrive is given user data to storeDrive

2、is decommissionedDecommissioning drivesThe physical drive is leaving the data centerUser data cannot be permitted to escapeDefault policy:destroy the driveSafest way to ensure bits on the drive dont escapeProduces significant e-wasteImpacts bottomline of drive ownerInhibits second-hand marketsOne te

3、chnique:overwriteWrite over every piece of data held within the driveEvery portion of the drive must be overwritten,before the drive is allowed to leave in one pieceMulti-pass overwriteProblem:drive failureIf any portion of the drive cannot be overwritten,erasure fails and the drive must be destroye

4、dErgo,we still destroy a lot more disks than wed likeMulti-pass overwriteProblem:NVMe page managementOn NVMe drives,bad pages are hidden from the hostThe host cannot even address such pagesHidden pages may have user dataMulti-pass overwriteSolution:drive encryptionEnsure all data on the drive is enc

5、rypted to a keySolution:drive encryptionEnsure all data on the drive is encrypted to a keyForget the keyNVMe self-encrypting drivesThe drive manages encryption keysAllows granular mapping of keys to address rangesNVMe self-encrypting drivesThe drive manages encryption keysAllows granular mapping of

6、keys to address rangesAllows granular mapping of keys to usersUser 1User 2Risk:drive theftKeys must be erased before the drive leaves the DCIf the drive is stolen,the keys surviveA determined adversary may obtain user dataMitigation:key material held outside the driveAll media keys protected with a