ACOS supports data-at-rest encryption to protect newly created virtual volumes, NFS files, and iSCSI LUNs. When data is written, the system generates a Data Encryption Key (DEK) through the data encryption engine and encrypts the data with the DEK before storing it on physical disks. When data is read, the system uses the corresponding DEK to decrypt the data and returns the plaintext data to the client.
To protect the DEK itself, the system encrypts it with a Key Encryption Key (KEK). The KEK is generated and maintained centrally by the key management service; the system supports both its native key management service and third-party key management services. When the native key management service is used, the KEK is in turn encrypted with a Master Encryption Key (MEK), giving a three-layer protection mechanism (MEK protects KEK, KEK protects DEK, DEK protects data).
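The key hierarchy described above, as an added illustration in Go using only the standard library (this is not ACOS code; AES-256-GCM for both key wrapping and data encryption is an assumption, since the page names no algorithm). `Unwrap` generalises the read path to any depth: `Unwrap(mek, wrappedKEK, wrappedDEK, data)` walks the native three-layer chain, while `Unwrap(kek, wrappedDEK, data)` covers a third-party KMS that returns the KEK directly.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func mustGCM(key []byte) cipher.AEAD { // AES-256-GCM is assumed; the page names no cipher
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a bad key length is a programming error, not runtime input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Seal encrypts plaintext under key; blob layout is nonce || ciphertext || tag.
func Seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // since Go 1.24 crypto/rand.Read cannot fail
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; the GCM tag rejects a wrong key or a tampered blob.
func Open(key, blob []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// WriteVolume: a fresh DEK per volume encrypts the data; only the KEK-wrapped DEK is stored.
func WriteVolume(kek, plaintext []byte) (data, wrappedDEK []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return Seal(dek, plaintext), Seal(kek, dek)
}

// Unwrap walks the read path: each blob is opened with the key recovered from the one before.
func Unwrap(key []byte, chain ...[]byte) (_ []byte, err error) {
	for _, blob := range chain {
		if key, err = Open(key, blob); err != nil {
			return nil, err
		}
	}
	return key, nil
}
```

Because every layer is authenticated, a wrong MEK, a truncated blob or a flipped ciphertext byte fails at `Unwrap` instead of yielding garbage plaintext.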
Through this multi-layer encryption mechanism, the encryption feature effectively isolates and protects data, providing reliable support for scenarios with high data security requirements while ensuring compliance.