Datrium Blanket Encryption combines always-on deduplication, compression and encryption so that data is secure – or so it claims – whether that data is at a host, in flight across a network, or at rest in persistent storage.
When it says "at the host," it means that data is deduplicated and compressed and encrypted in the application server memory. Then when it is moved off the host and is in flight across a network or lands at some storage resource, it stays encrypted all the time.
You could call it end-to-end encryption. Exactly how it works – which algorithms, key lengths, source code auditing, and so on – isn't disclosed in Datrium's announcement this week, although this video mentions AES-256 XTS using Intel and AMD's hardware acceleration, and a key manager. If you're interested in this Blanket tech, be sure to rattle as many details as you can out of the biz.
California-based Datrium asserts that, generally, leading storage arrays and hyper-converged systems only protect data at rest and not in the host server or in flight, meaning, it claims, they do not protect against host or network intrusions. Guest operating systems and hypervisors offer encryption at the source, but at the expense of data reduction, it asserts.
Datrium DVX arrays have their controller software running in the servers that access them, using some of the host server's processing cores. This DVX controller software thus has access to DVX array data in the host server's memory, which is why it can run data reduction and encryption algorithms there, and so encrypt data before it leaves a host server's memory.
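The ordering argument above (reduce on the host, then encrypt, versus encrypting at the source and leaving the array to reduce ciphertext) can be seen in a short added example; it is not Datrium's code. It assumes a 4 KiB block size and uses a SHA-256 keystream tweaked by block number as a stand-in for AES-256 XTS, whose per-sector tweak likewise makes identical plaintext blocks encrypt differently.

```python
import hashlib
import zlib

BLOCK = 4096  # assumed block size; the article does not state Datrium's

def toy_encrypt(key: bytes, block_no: int, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 keystream tweaked by block number), NOT AES-XTS."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        seed = key + block_no.to_bytes(8, "big") + counter.to_bytes(8, "big")
        stream += hashlib.sha256(seed).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def split(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def reduce_blocks(blks: list) -> list:
    """Dedupe by content hash, then compress each unique block."""
    unique = {}
    for b in blks:
        unique.setdefault(hashlib.sha256(b).digest(), zlib.compress(b))
    return list(unique.values())

def reduce_then_encrypt(key: bytes, data: bytes) -> int:
    """Order the article describes: dedupe, compress, then encrypt. Returns bytes stored."""
    stored = [toy_encrypt(key, i, c) for i, c in enumerate(reduce_blocks(split(data)))]
    return sum(len(s) for s in stored)

def encrypt_then_reduce(key: bytes, data: bytes) -> int:
    """Source encrypts first; storage then tries to reduce ciphertext. Returns bytes stored."""
    cipher = [toy_encrypt(key, i, b) for i, b in enumerate(split(data))]
    return sum(len(c) for c in reduce_blocks(cipher))

def sample_volume() -> bytes:
    # Constructed sample: 8 distinct text-like blocks, each written 8 times (64 blocks)
    distinct = [(f"vm-template-{n} config line\n".encode() * 200)[:BLOCK] for n in range(8)]
    return b"".join(distinct * 8)

if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key
    data = sample_volume()
    print("raw bytes:          ", len(data))
    print("reduce then encrypt:", reduce_then_encrypt(key, data))
    print("encrypt then reduce:", encrypt_then_reduce(key, data))
```

Ciphertext has no repeated blocks and no compressible structure, so the second ordering stores slightly more than the raw volume while the first stores a small fraction of it.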
An ecstatic canned quote about Datrium Blanket Encryption (DBE) comes from Joel Holland, CTO at Security On-Demand: "At Security On-Demand, we have pioneered ground-breaking cloud-based services in security and threat management. Encrypting data in flight and at rest is critical, but without data reduction, it adds cost to the protection every business needs. The fact we can now get Blanket Encryption from Datrium that dedupes, compresses and encrypts data from application-to-disk is mind-blowing, and makes Open Convergence a no-brainer as a part of our secure cloud infrastructure."
DBE is all software and includes a built-in key management system. It can be retroactively applied to in-place Datrium DVX arrays, as it's software: customers don't need to buy self-encrypting drives with which to populate storage arrays, hyperconverged infrastructure appliances or a server's direct-attached storage.
The product will be available in April with list pricing at $10,000 per DVX array. ®