StorSimple 8k encryption keys
30 January 2017 – for more information see my post Azure StorSimple Provides a Secure Storage Option for Healthcare Sector
12 November 2015 – Microsoft provides excellent online documentation for StorSimple. However, there has been a little confusion on the issue of StorSimple 8k encryption keys, hence this post. For example, the StorSimple security and data protection document, under the ‘Protect data at rest’ heading states:
We recommend that you rotate cloud storage encryption key quarterly.
The document has it right in its first line, ‘The key cannot be modified or added later’, but that last point, the quarterly rotation recommendation, is simply false.
The obvious difficulties here are that nothing re-encrypts data already sitting in the cloud under a new key, so:
- As soon as the at-rest encryption key is changed for a volume container, the device will fail to decrypt cloud snapshots encrypted with the old key.
- The device will also fail to decrypt blocks tiered off to Azure from volumes in this volume container, rendering those volumes unreadable.
It is for this very reason that changing the at-rest encryption key is explicitly disabled in the interface:
After I brought this point to Microsoft’s attention, Microsoft updated the StorSimple security and data protection document on November 11, 2015, removing that last point. Excellent and quick response. Thank you.
This is not to be confused with the Azure Storage Account credentials used by the device at the Volume Container level. Storage Account credentials are the Storage Account name and access key, which are analogous to a user name and password: a set of credentials, not an encryption key. Perhaps calling it ‘password’ instead of ‘access key’ could have avoided some confusion. Storage Account credentials provide access to the Storage Account for a device, a user, or an application, and anyone holding the name and key has full access to everything in that account, which is exactly why these are the credentials worth rotating. Unlike the at-rest encryption key, Storage Account credentials can be changed without disruption.
To do so, change the primary access key:
Finally, repeat the last two steps to regenerate and synchronize the secondary access key.
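The same rotation, scripted, as an added example that is not part of the original post: it regenerates one access key at a time and pushes the fresh key to the StorSimple Manager service immediately afterwards. It uses the classic (Azure Service Management) `Azure` PowerShell module, which is where the StorSimple cmdlets live; the subscription, StorSimple resource and storage account names are placeholders, and the parameter set of `Set-AzureStorSimpleStorageAccountCredential` (`-StorageAccountName`, `-StorageAccountKey`, `-UseSSL`) is assumed from the module reference, so check `Get-Help` against your installed version before running it.

```powershell
# Added example, not from the original post or from Microsoft.
# Rotate both access keys of the Storage Account behind a StorSimple 8000-series
# volume container and synchronize each new key to the StorSimple Manager service.
# Requires the classic "Azure" (Service Management) PowerShell module.
# Assumption: Set-AzureStorSimpleStorageAccountCredential takes -StorageAccountName,
# -StorageAccountKey and -UseSSL as documented in the module reference.

param(
    [string]$SubscriptionName   = 'My Subscription',      # placeholder
    [string]$StorSimpleResource = 'MyStorSimpleManager',  # placeholder
    [string]$StorageAccountName = 'mystorsimpleacct'      # placeholder
)

Add-AzureAccount
Select-AzureSubscription -SubscriptionName $SubscriptionName
Select-AzureStorSimpleResource -ResourceName $StorSimpleResource

# Refuse to touch keys of an account the StorSimple service does not reference:
# regenerating them would only break whatever else uses that account.
$cred = Get-AzureStorSimpleStorageAccountCredential -StorageAccountName $StorageAccountName
if (-not $cred) {
    throw "StorSimple Manager '$StorSimpleResource' has no credential for '$StorageAccountName'; nothing to rotate."
}

function Update-StorSimpleStorageKey {
    param([ValidateSet('Primary', 'Secondary')][string]$KeyType)

    # Regenerate ONE key. From this moment until the sync below completes the
    # device may be holding a key Azure no longer accepts, so keep the two calls
    # back to back and never regenerate both keys in the same step.
    $keys   = New-AzureStorageKey -KeyType $KeyType -StorageAccountName $StorageAccountName
    $newKey = if ($KeyType -eq 'Primary') { $keys.Primary } else { $keys.Secondary }

    # The "synchronize" step: hand the fresh key to the StorSimple Manager service.
    Set-AzureStorSimpleStorageAccountCredential -StorageAccountName $StorageAccountName `
        -StorageAccountKey $newKey -UseSSL $true

    Write-Host "$KeyType key for $StorageAccountName regenerated and synchronized."
}

# Same order as the manual procedure: primary first, then secondary.
Update-StorSimpleStorageKey -KeyType 'Primary'
Update-StorSimpleStorageKey -KeyType 'Secondary'

# Final check: the credential the service holds should still be present and usable.
Get-AzureStorSimpleStorageAccountCredential -StorageAccountName $StorageAccountName
```

Two points worth keeping in mind when adapting this. Rotate the secondary key even though the device may never use it: it is a full-access credential to the whole account, and a stale one is a stale one regardless of which consumer holds it. And keep the regenerate/synchronize pairs separate: regenerating both keys in one go leaves no valid key for the device until the sync lands, which is precisely the disruption the one-key-at-a-time procedure above avoids.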