When using Filesystem Encryption for Spectrum Scale, “which encryption algorithm should I use?” is a question that often comes to mind.
Spectrum Scale supports the following algorithms as of the 5.0.3 release (as described in https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.3/com.ibm.spectrum.scale.v5r03.doc/bl1adv_encryptionpolicyrules.htm, found in the Knowledge Center table of contents under “Administering -> Encryption -> Encryption policy rules”):
From the above set, Spectrum Scale filesystem encryption supports two kinds of default rules:
DEFAULTNISTSP800131A, which maps to:
DEFAULTNISTSP800131AFAST, which maps to:
So which one should you use? If you look closely, the only difference between the two is the AES key length,
AES 256 vs AES 128:
Note: More often than not, security features come with some performance cost. With that in mind, for some workloads that do large random reads or direct I/O, or even sequential workloads, using the DEFAULTNISTSP800131AFAST rule gives the stated security with relatively better performance.
Another question that may come up is: should one use CBC or XTS?
The general consideration is that XTS is slightly less malleable, that is, it is slightly less susceptible to attacks in which the ciphertext is altered.
Note: Some workloads may perform better when using CBC. If performance is one of your concerns, sanity-test your workload with the different options (including the encryption mode) and select what best suits your needs.
The next question that comes up is: what happens when the following rule is applied?
RULE 'myEncRule1' ENCRYPTION 'E1' IS
When a file is encrypted using the above rule, the following happens:
the file is encrypted with a 256-bit FEK, using AES in XTS mode; the FEK is preprocessed with HMAC with SHA-512, and the FEK is then wrapped with AES key wrap, with keys 1:RKM_1 and 2:RKM_2 combined via one round of XOR followed by one round of HMAC with SHA-512.
Thanks to Alessandro Sorniotti for his review.