This article can also be found in the Premium Editorial Download "Storage magazine: What you need to know about data storage provisioning."
Decru Lifetime Key Management
Decru's LKM is available as a software-only package or as an appliance (Network Appliance Inc. purchased Decru earlier this year). The LKM client software runs on Windows, while the LKM appliance uses DecruOS. The LKM system supports Decru's DataFort appliances for the encryption of NAS, DAS, SAN, tape and iSCSI storage. One key management appliance can support up to 100 encryption appliances and more than 10 million keys. As many as 16 LKM appliances can be clustered across multiple sites for high availability, with automated key replication among appliances. All LKM appliances can be managed through a single interface.
The system provides automatic, globally distributed backup, replication and recovery of encryption keys. Automated key sharing delivers keys securely, without transmitting them in the clear and without the need for local, insecure key storage. Additional features include role-based access control, an OpenKey Partner Program that offers APIs and reference implementations, and a true hardware-based random-number generator that allows third-party encryption products to request a random number from the key management appliance.
The LKM appliance incorporates APIs to allow third-party encryption products to leverage Decru's key management system to generate, store and manage keys. Symantec and Quantum Corp. are charter members of Decru's OpenKey Partner Program, and have agreed to partner
Each appliance is built on the DataFort FIPS-certified Storage Encryption Processor. Encryption keys never leave this processor in cleartext. The processor itself is coated in a hardened epoxy to prevent physical access by probes or other attempts to gain access to the chip. The chassis is hardened and has tamper-evident seals, along with an intrusion-prevention system that can be configured to delete local copies of keys if the box is tampered with and/or compromised.
Administrators use smart cards for two-factor authentication. A comprehensive, cryptographically signed and tamper-evident audit log maintains detailed information about all key movement and administrative actions. The LKM software is priced at $10,000 per license; pricing for the LKM appliance hasn't been announced yet.
This was first published in October 2006