VM Squared
Docs
VM Squared

Full Disk Encryption

Warning

Full disk encryption requires a clean cluster; otherwise, storage nodes will need to be decommissioned and reingested to enable encryption.

This procedure will be during the configuration of the first static node, which after enabling the encryption, the node should be rebooted if the automount_suspend flag was set.

Requirements

  • Minimum of three of the following:

    • Any PIV-compatible token (Only traditional cryptography is supported. Management of token is not supported.)

    Or, recommended:

  • PIN to secure token

Configuring Full Disk Encryption

Warning

The VM Squared cluster’s disks can be fully encrypted; however, full disk encryption requires at least one static node to have a PIV-compatible token attached. For full control and function of the PQC / Hybrid FDE, a YubiKey 5 token is required to be attached to at least one static node. A minimum of three tokens is recommended for redundancy. If all tokens are lost or damaged, the cluster’s data is irrecoverable even by SoftIron.

With these tokens attached, the manage-disk-encryption command can be ran from the chosen static nodes. The encryption will detect any tokens and verify the requirements and functionality.

Preview

From the dashboard console, run the manage-disk-encryption command.

root@si-storage-1:~# manage-disk-encryption 
SoftIron Full Disk Encryption Management Tool
Running on a static node and found a smartcard we can manage.
Smartcard is not in FIPS mode. RSA key length will be 4096 bits.
0. Exit
1. Set cluster smartcard PIN fact
2. Change smartcard PIN
3. Change smartcard MGMT key
4. Change smartcard PUK (unblock) key
5. Unblock smartcard PIN
6. Manage smartcard RSA keys
7. Manage smartcard ML-KEM (post-quantum) keys
8. Reset smartcard to factory defaults

The above tool will be used for both traditional and post-quantum methodologies of disk encryption. Once initialized, the tool will scan the hardware attached and determine the functionality supported.

This procedure will be during the configuration of the first static node, which after enabling the encryption, the node will be rebooted.

PIV token

If the PIV token is preloaded with a certficate, the PIN can be set and propogated to the cluster via Option 1. This is the only option available if the tokens are not the YubiKey 5-series.

Select an option: 1
This sets the cluster-wide PIN to use for all attached smartcards.
Note: All smartcard PINs must match on all nodes!  The default PIN is 123456 if it has never been changed.
PIN is already set and is: 123456
Enter the smartcard PIN (6-8 digits) or Ctrl+C to go back: 123456
Cluster PIN changed successfully.

YubiKey 5-series token

The configuration of PQC full disk encryption is completely managed by the built-in tool. The procedure is designed to be followed via the set menu order starting at Option 2. The steps below will preview the requirements from each option selection.

  1. If a new, unused YubiKey 5-series token is being utilized to encrypt the cluster, the procedure for configuring full disk encryption will start by setting the PIN for the token via Option 2.

    Select an option: 2
Note: All smartcard PINs must match on all nodes!  The default PIN is 123456 if it has never been changed.
Enter the current PIN: 
Enter the new PIN: 
Repeat for confirmation: 
New PIN set.

  2. The management (MGMT) key can be provided via Option 3. This key also allows the management of the RSA and ML-KEM keys.

    Select an option: 3
Note: Only used for key management functions.
The default MGMT key is 010203040506070801020304050607080102030405060708 if it has never been changed.
Enter the current management key [blank to use default key]: 
Enter the new management key: 
Repeat for confirmation: 
New management key set.

  3. Next, a PIN Unlock Key (PUK) will be input. This PUK is used in the event that the PIN is incorrectly entered and access is locked. It can be set or changed via Option 4.

    Select an option: 4
Note: Only used to unblock the card after too many failed PIN attempts.
The default PUK is 12345678 if it has never been changed.
Enter the current PUK: 
Enter the new PUK: 
Repeat for confirmation: 
New PUK set.

  4. In the event the PIN is locked from incorrectly entering, the PUK can be used to regain access with a new PIN via Option 5.

    Select an option: 5
Note: Using the PUK, we can unblock the smartcard if too many failed PIN attempts have occurred.
The default PUK is 12345678 if it has never been changed.
Enter PUK: 
Enter a new PIN: 
Repeat for confirmation: 
New PIN set.

  5. With the PIN and MGMT keys set, the RSA key can now be generated on the YubiKey token, initialized by the encryption tool Option 6.

    Select an option: 6
Note: RSA keys are stored in the smartcard PIV authentication slot (9a).
Key management functions require knowing the MGMT key and PIN!
FIPS-validated tokens are limited to a key size of 2048 bits.
0. Return to main menu
1. Generate new RSA key pair
2. Get RSA key information
3. Erase stored RSA key
Select an option: 2
Key slot:               9A (AUTHENTICATION)
Algorithm:              RSA4096
Origin:                 IMPORTED
PIN required for use:   ONCE
Touch required for use: NEVER

  6. The ML-KEM key is the penultimate step before the PIN is propogated to the cluster via Option 1. It will be generated on the static node and auto-populated onto the token via the tool’s Option 7.

    Select an option: 7
Note: ML-KEM private keys are stored in the 0x005fc108 PIV object.
ML-KEM public keys are stored in the 0x005fbeef PIV object.
Key management functions require knowing the MGMT key and PIN!
ML-KEM-1024 is used for both FIPS and non-FIPS tokens.
0. Return to main menu
1. Generate new ML-KEM key pair
2. Get ML-KEM key information
3. Erase stored ML-KEM key
Select an option: 2
mlkem1024 public key:
PQ key material:
    <PUBLIC KEY HERE>

  7. Finally, with all keys created and stored on the token, Option 1 can be selected to populate the cluster fact for the PIN that was set via Option 2.

    Select an option: 1
This sets the cluster-wide PIN to use for all attached smartcards.
Note: All smartcard PINs must match on all nodes!  The default PIN is 123456 if it has never been changed.
PIN is already set and is: 123456
Enter the smartcard PIN (6-8 digits) or Ctrl+C to go back: 123456
Cluster PIN changed successfully.

Info

This will only need to be redone if the PIN is changed from its initial value. Locking and unlocking via the PUK will not erase the file.

After all nodes are configured with identical keys, the disks can be decrypted by any and only one of the tokens configured to the nodes; therefore, loss of all tokens will result in the lost ability to decrypt the disks.

Key features of Post-Quantum Cryptography

  1. Quantum-resistant algorithms: Post-quantum cryptography involves designing algorithms based on mathematical problems that quantum computers cannot efficiently solve. Current topical research includes areas such as lattice theory, multivariate systems, hash-based signatures, and error-correcting codes.:
  2. Long-term security: Post-quantum cryptography algorithms aim to protect data not only today but also in the future. Even if quantum computers are not fully operational yet, sensitive data intercepted today (for example, government secrets and financial transactions) could be stored and decrypted years later when quantum computers become viable. Therefore, moving to quantum-resistant cryptography now is critical for protecting long-term data.
  3. Hybrid systems: Some organizations are adopting hybrid cryptographic systems that combine classical and quantum-resistant algorithms. This provides an additional layer of protection while the world makes its transition to purely post-quantum cryptography.

PQC FDE on VM Squared is completely self-contained, internal to the cluster itself on its static nodes. Still making use of a USB interfacing token, the disks’ header labels are further obfuscated behind a hybrid RSA and ML-KEM key pairing.

PQC FDE Diagram
Prev
Datastore Resilience
Next
Snapshots and Backups