When using Filesystem Encryption for Spectrum Scale,
"which encryption algorithm should I use?" is a question that often comes to mind.
Spectrum Scale supports the following list of algorithms as of the 5.0.3 release: (as described in
https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.3/com.ibm.spectrum.scale.v5r03.doc/bl1adv_encryptionpolicyrules.htm which is under following table of content category "Administering -> Encryption -> Encryption policy rules")
AES:128:XTS:FEK:HMACSHA512
AES:256:XTS:FEK:HMACSHA512
AES:128:CBC:FEK:HMACSHA512
AES:192:CBC:FEK:HMACSHA512
AES:256:CBC:FEK:HMACSHA512From the above set Spectrum Scale Filesystem Encryption supports two kinds of default rules:
DEFAULTNISTSP800131A which maps to :
ALGO ’AES:256:XTS:FEK:HMACSHA512’
COMBINE ’XORHMACSHA512’
WRAP ’AES:KWRAP’ANDDEFAULTNISTSP800131AFAST which maps to:
ALGO ’AES:128:XTS:FEK:HMACSHA512’
COMBINE ’XORHMACSHA512’
WRAP ’AES:KWRAP’So which one to use ? If you really observe, the only difference between the two are the AES key lengths,
AES 256 vs AES 128:As of today, both are NIST compliant. AES 256 makes use of 256 bit keys while AES 128 makes use of 128 bit keys. There are additional internal differences in the number of rounds used , etc which is explained in https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf256 bit is theoretically considered more secure as to brute force a 256 bit key length is much harder compared to 128 bit which itself is hard.Some deployments or business policies might have rules which impose 256-bit keys.If one thinks 128 bits is good enough, and if the deployment owner is very concerned about encryption overhead then 128-bit keys is a valid choice since it results in lower performance overhead.Note: Also more often than not security features have some kind of correlation with performance of systems. With that in mind, for some workloads which do large random reads / Direct IO or even sequential workloads, making use of the DEFAULTNISTSP800131AFAST rule gives the stated security with relatively better performance.
Another question that may come up is: Should one make use of CBC or XTS ?The general consideration is that XTS is slightly less malleable, that is, it is slightly less susceptible to attacks where the ciphertext is altered.
Note: There could be some workloads which perform better when using CBC. If performance is one of your concerns then sanity test your workload with different options (including the encryption mode) and select what best suits your needs.
Next question that comes up is , say when the following rule is applied what happens ?
RULE 'myEncRule1' ENCRYPTION 'E1' IS
ALGO ’AES:256:XTS:FEK:HMACSHA512’
COMBINE ’XORHMACSHA512’
WRAP ’AES:KWRA
KEYS('1:RKM_1', '2:RKM_2')
When a file is encrypted using the above rule , following is what happens:
the file is encrypted with a 256-bit FEK, using AES in XTS mode; the FEK is preprocessed with HMAC with SHA-512, and the FEK is then wrapped : with AES key wrap, with keys 1:RKM_1 and 2:RKM_2 combined via one round of XOR followed by one round of HMAC with SHA-512 .
Thanks to Alessandro Sorniotti for his review.