As the Pivotal Greenplum server boots up and mounts an encrypted partition, it needs to exchange information with a key management server. Once the proper handshakes have taken place, the Zettaset XCrypt Full Disk technology allows a decrypted version of the server volumes to be mounted and treated like a normal partition. Zettaset provides the pieces to automate all of this and integrate with your existing key management and HSM (hardware security module) solutions. The Zettaset XCrypt Full Disk solution also includes a virtual key manager and virtual HSM which can alternatively be deployed if needed.
Encrypting Data at Rest
Figure 1 depicts the mount points that you would typically encrypt in a Pivotal Greenplum environment in order to protect data. In this scenario, you would be using the Zettaset key management server to store and manage credentials. As the servers in the cluster booted, they would do a key exchange with the Zettaset server following the LUKS specification. If this exchange works, the server would then be able to mount the /data partition us dm-crypt so that the master could read the files it needs out of /data/master. The segment nodes would each individually go through their own exchange and validations so that they could access the /data partition which contains the files necessary to run the primary, and mirror and present their data.
Encrypting Data in Motion
Many companies also want to protect data as it is passed between nodes. Normally, this traffic sits on its own interconnect, and it is segmented away from any other network access. This is typically enough protection for most use cases. Since we see more cloud and virtualized deployments of Pivotal Greenplum, there are more requests to encrypt the traffic that passes between the nodes. Zettaset’s XCrypt Full Disk encryption for DIM (Data In Motion) installs and manages the pieces that allow you to encrypt data as it passes between nodes. The encryption is applied to communication from the master to segment hosts, segment hosts to the master, and between the segment hosts themselves.
Read the complete blog by Tanzu’s Scott Kahler and Ian Redzic here. The article provides a comprehensive description of how Zettaset works in Pivotal Greenplum or VMware Tanzu GemFire environments.