datastore encryption type
Enables or disables encryption of the data store and specifies the type of encryption to use.
Syntax
[no] datastore encryption type {NONE | AES_128 | AES_192 | AES_256}
Parameters
NONE
Does not encrypt the data store.
Encryption types can be lower-case.
AES_128
Uses the Advanced Encryption Standard (AES) 128-bit cipher setting.
AES_192
Uses the AES 192-bit cipher setting.
AES_256
Uses the AES 256-bit cipher setting. This encryption scheme is the most secure.
Usage
Encrypting the data store significantly limits the exposure of sensitive data in the event that the system is compromised by loss, theft, or a security violation. The secure data is difficult for a third party to retrieve.
Before you encrypt the data store, the secure vault must be unlocked. The encryption key is stored in the secure vault. For details, see secure-vault.
Encrypting the data store can have performance implications; generally, higher security means less performance. Several encryption strengths are available to provide the right amount of security while maintaining the desired performance level. When selecting an encryption type, you must evaluate the network structure, the type of data that travels over it, and how much of a performance trade-off is worth the extra security.
You must clear the data store and reboot the SteelHead service on the SteelHead after turning on, changing, or turning off the encryption type. After you clear the data store, the data cannot be recovered. If you do not want to clear the data store, reselect your previous encryption type and reboot the service. The SteelHead uses the previous encryption type and encrypted data store.
To encrypt the data store
1. Make sure your secure vault is unlocked. The encryption key is stored in the secure vault.
secure-vault unlock
 
For details, see secure-vault.
2. Turn on data store encryption:
datastore encryption type AES_256
 
3. Clean the data store and restart the SteelHead service:
restart clean
Encrypted Data Store Downgrade Limitations
The SteelHead appliance cannot use an encrypted data store with an earlier RiOS software version, unless the release is an update (4.x.x). For example, an encrypted data store created in 4.1.4 would work with 4.1.2, but not with 4.0.x.
Before downgrading to an earlier software version, you must select none as the encryption type, clear the data store, and restart the service. After you clear the data store, the data are removed from persistent storage and cannot be recovered.
To downgrade the data store
1. Turn off data store encryption.
datastore encryption type NONE
 
2. Clean the data store and restart the SteelHead service:
restart clean
If you return to a previous software version and there is a mismatch with the encrypted data store, the status bar indicates that the data store is corrupt. You can either:
•  Use the backup software version after clearing the data store and rebooting the service.
Or
•  Return to the software version in use when the data store was encrypted, and continue using it.
For details, see the SteelHead Management Console User’s Guide.
Example
amnesiac (config) # datastore encryption type AES_192
amnesiac (config) # restart clean
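The following audit script is an added example, not part of the original command reference or any Riverbed tooling. It scans saved configuration text for the command syntax shown above and reports whether the data store encryption type meets a chosen minimum. It assumes that exported configuration text contains the command as documented here and that the no form turns encryption off; the appliance names and sample configurations are constructed.

```python
import re

# Key sizes for the types in the command syntax; NONE leaves the data store unencrypted.
KEY_BITS = {"NONE": 0, "AES_128": 128, "AES_192": 192, "AES_256": 256}

# Matches the command with or without a "host (config) #" prompt and the optional "no" prefix.
CMD = re.compile(
    r"^\s*(?:\S+\s*\(config\)\s*#\s*)?(no\s+)?datastore\s+encryption\s+type\b\s*(\S*)",
    re.IGNORECASE,
)

def effective_type(config_text):
    """Return the type set by the last matching command, or None if there is none."""
    current = None
    for line in config_text.splitlines():
        m = CMD.match(line)
        if not m:
            continue
        if m.group(1):
            current = "NONE"  # assumption: the "no" form turns encryption off
        else:
            current = m.group(2).upper()  # encryption types can be lower-case
    return current

def audit(config_text, minimum="AES_256"):
    """Classify a config against a minimum type: ok, weak, unencrypted, unset or invalid."""
    etype = effective_type(config_text)
    if etype is None:
        return "unset"  # no explicit command found; confirm on the appliance with "show datastore"
    if etype not in KEY_BITS:
        return "invalid"  # value is not one of the documented encryption types
    if etype == "NONE":
        return "unencrypted"
    return "ok" if KEY_BITS[etype] >= KEY_BITS[minimum] else "weak"

# Constructed sample configurations, keyed by hypothetical appliance name.
SAMPLES = {
    "branch-a": "## constructed export\ndatastore encryption type aes_256\n",
    "branch-b": "amnesiac (config) # datastore encryption type AES_192\n",
    "branch-c": "datastore encryption type AES_256\nno datastore encryption type AES_256\n",
    "branch-d": "## constructed export with no encryption command\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {audit(text)}")
```

A finding of unset means only that the saved text carries no explicit command; the setting in effect must be read from the appliance itself.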
Product
SteelHead CX, SteelHead EX, SteelHead-v, SteelHead-c
Related Commands
show datastore