
VAST Data — Storage Encryption with Eviden KMS

VAST Data storage clusters use KMIP for external encryption key management (EKM). By connecting a VAST Data cluster to Eviden KMS, you ensure that data encryption keys (DEKs) and key encryption keys (KEKs) are centrally managed, audited, and never stored unprotected on the storage appliance.


Overview

| Item            | Details |
|-----------------|---------|
| Protocol        | KMIP 1.4 binary TTLV over HTTP/TLS with mutual certificate authentication |
| Endpoint        | POST /kmip on the KMS HTTP port (default 9998) |
| Key types       | AES-256 symmetric keys |
| Key creation    | In batches of 2–3 keys per encryption group |
| VAST version    | VAST Data Platform 5.x and above |
| Eviden KMS mode | FIPS and non-FIPS builds supported |

What VAST Data does

When you configure an external KMS in the VAST Data management console, the storage cluster performs the following KMIP operations for encryption key lifecycle management:

| Step | KMIP Operation | Purpose |
|------|----------------|---------|
| 1  | DiscoverVersions | Session initialization handshake (once per connection) |
| 2  | Create           | Create an AES-256 symmetric key (CryptographicUsageMask = Encrypt\|Decrypt) |
| 3  | AddAttribute ×3  | Set Name, ObjectGroup, and OperationPolicyName (3 calls per key) |
| 4  | Activate         | Transition the key from Pre-Active to Active state |
| 5  | Locate           | Find a key by its VAST-assigned name (VAST_EKM_KEY_2_<uuid>_<index>) |
| 6  | Get              | Retrieve plaintext key material |
| 7  | GetAttributes    | Verify key State (Active) and ActivationDate (polled every ~61 seconds) |
| 8  | ReKey            | Rotate an active key — generates new key material with a new Unique Identifier |
| 9  | Revoke           | Revoke a key during decommissioning |
| 10 | Destroy          | Permanently delete the key from the KMS |

Key lifecycle workflow

The following sequence diagram shows the complete lifecycle as observed in production logs (May 2026):

sequenceDiagram
    participant V as VAST Data
    participant K as Eviden KMS

    Note over V,K: Session Start
    V->>K: DiscoverVersions (KMIP 1.4)

    Note over V,K: Key Creation (per encrypted path, 2–3 keys)
    loop For each key in group
        V->>K: Create (AES-256 SymmetricKey)
        V->>K: AddAttribute (Name)
        V->>K: AddAttribute (ObjectGroup)
        V->>K: AddAttribute (OperationPolicyName)
        V->>K: Activate
    end

    Note over V,K: Initial Key Fetch
    loop For each key
        V->>K: Locate (by name)
        V->>K: Get (plaintext key material)
    end

    Note over V,K: Continuous Monitoring (~61s interval)
    loop Forever
        loop For each key
            V->>K: Locate (by name)
            V->>K: GetAttributes (State, ActivationDate)
        end
    end

    Note over V,K: Key Rotation (triggered externally)
    loop For each key to rotate
        V->>K: Locate (find current key by name)
        V->>K: ReKey (new UID returned, old key stays Active)
        V->>K: Locate (verify new key by name)
        V->>K: Get (fetch new key material)
    end

    Note over V,K: Key Decommissioning (later, on encrypted path deletion)
    loop For each key to retire
        V->>K: Locate (find key by name)
        V->>K: Revoke (Active → Deactivated)
        V->>K: Locate (confirm state)
        V->>K: Destroy (permanently delete)
    end

Key naming convention

VAST creates keys with structured names following the pattern:

VAST_EKM_KEY_2_<encryption_group_uuid>_<index>
  • VAST_EKM_KEY_2_ — static prefix (version 2 of VAST’s naming scheme)
  • <encryption_group_uuid> — UUID identifying the encrypted path/group
  • _<index> — 0-based index within the group (typically 0 or 1)

These names are used in Locate operations to find keys associated with specific encryption groups. After ReKey, the name is transferred to the new replacement key.
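As an added illustration (not VAST's or Eviden's code), the following encodes the Locate-by-name request described above as KMIP 1.4 binary TTLV, the exact body VAST would POST to /kmip, and parses it back; it is a minimal encoder/decoder written for this page, the tag and enumeration numbers are taken from the KMIP 1.4 specification, and the encryption-group UUID used when exercising it is a constructed sample. Transport (the mutual-TLS HTTP POST) is not included.

```python
import struct
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07   # TTLV item types
OP_LOCATE, NAME_TYPE_UNINTERPRETED_TEXT = 0x08, 0x01                    # KMIP enumeration values
T = {"RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069,  # KMIP 1.4 tags
     "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
     "BatchItem": 0x42000F, "Operation": 0x42005C, "RequestPayload": 0x420079, "Attribute": 0x420008,
     "AttributeName": 0x42000A, "AttributeValue": 0x42000B, "NameValue": 0x420055, "NameType": 0x420054}

def vast_key_name(group_uuid, index):  # name VAST assigns to key <index> of an encryption group
    return f"VAST_EKM_KEY_2_{group_uuid}_{index}"

def ttlv(tag, item_type, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    if item_type == STRUCTURE:
        payload, length = b"".join(value), None       # children are already 8-aligned
    elif item_type in (INTEGER, ENUMERATION):
        payload, length = struct.pack(">i", value), 4  # 4-byte value + 4 bytes of padding
    else:
        payload, length = value.encode("utf-8"), None
    head = tag.to_bytes(3, "big") + bytes([item_type]) + struct.pack(">I", length or len(payload))
    return head + payload + b"\x00" * (-len(payload) % 8)

def locate_by_name_request(name):
    """KMIP 1.4 Locate request body (what VAST POSTs to /kmip) selecting a key by Name."""
    version = ttlv(T["ProtocolVersion"], STRUCTURE, [ttlv(T["ProtocolVersionMajor"], INTEGER, 1),
                                                     ttlv(T["ProtocolVersionMinor"], INTEGER, 4)])
    header = ttlv(T["RequestHeader"], STRUCTURE, [version, ttlv(T["BatchCount"], INTEGER, 1)])
    name_attr = ttlv(T["Attribute"], STRUCTURE, [
        ttlv(T["AttributeName"], TEXT_STRING, "Name"),
        ttlv(T["AttributeValue"], STRUCTURE, [
            ttlv(T["NameValue"], TEXT_STRING, name),
            ttlv(T["NameType"], ENUMERATION, NAME_TYPE_UNINTERPRETED_TEXT)])])
    item = ttlv(T["BatchItem"], STRUCTURE, [ttlv(T["Operation"], ENUMERATION, OP_LOCATE),
                                            ttlv(T["RequestPayload"], STRUCTURE, [name_attr])])
    return ttlv(T["RequestMessage"], STRUCTURE, [header, item])

def decode(buf, pos=0, end=None):
    """Parse TTLV into nested (tag, type, value) tuples; refuses items that overrun the buffer."""
    end, items = len(buf) if end is None else end, []
    while pos < end:
        tag, item_type = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        if pos + 8 + length > end:
            raise ValueError("truncated TTLV item")
        raw = buf[pos + 8:pos + 8 + length]
        value = (decode(buf, pos + 8, pos + 8 + length) if item_type == STRUCTURE else
                 struct.unpack(">i", raw)[0] if item_type in (INTEGER, ENUMERATION) else raw.decode())
        items.append((tag, item_type, value))
        pos += 8 + length + (-length % 8)
    return items
```

The same `decode` walks a KMS response, so the Unique Identifier (tag 0x420094) returned by Locate can be read from the parsed tree before the follow-up Get or GetAttributes call.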


Prerequisites

  • Eviden KMS server running (FIPS or non-FIPS mode)
  • TLS enabled on the KMS with mutual certificate authentication
  • Client certificate and CA certificate configured for the VAST cluster
  • VAST Data Platform 5.x or later with External Key Manager (EKM) feature enabled

Server-Side Setup

1. Configure TLS

VAST Data connects via HTTP POST to /kmip using KMIP 1.4 binary TTLV with mutual TLS authentication. Configure your kms.toml:

[tls]
tls_cert_file        = "/etc/cosmian/kms/server.crt"
tls_key_file         = "/etc/cosmian/kms/server.key"
clients_ca_cert_file = "/etc/cosmian/kms/clients-ca.crt"

2. Generate client certificates

Create a client certificate for the VAST cluster signed by the same CA configured in clients_ca_cert_file:

# Generate VAST client key and CSR
openssl genrsa -out vast-client.key 2048
openssl req -new -key vast-client.key -out vast-client.csr \
    -subj "/CN=vast-cluster-01/O=VAST Data"

# Sign with CA
openssl x509 -req -in vast-client.csr \
    -CA clients-ca.crt -CAkey clients-ca.key -CAcreateserial \
    -out vast-client.crt -days 365

# Convert to PKCS#12 for VAST (if required by your VAST version)
openssl pkcs12 -export -in vast-client.crt -inkey vast-client.key \
    -out vast-client.p12 -name "vast-cluster-01"

VAST-Side Configuration

1. Navigate to EKM settings

In the VAST Data management console:

  1. Go to Settings → Security → External Key Manager
  2. Click Add External KMS

2. Enter KMS connection details

| Field              | Value |
|--------------------|-------|
| KMS Address        | <kms-server-hostname> |
| KMS Port           | 9998 (default KMS HTTP port) |
| Client Certificate | Upload vast-client.crt |
| Client Key         | Upload vast-client.key |
| CA Certificate     | Upload the CA that signed the KMS server certificate |

3. Test connection

Use the Test Connection button in the VAST management console to verify connectivity. A successful test performs a Create + Get + Destroy cycle.


Compatibility Notes

KMIP 1.x attributes

VAST sends the OperationPolicyName("default") attribute via AddAttribute after key creation. This is a KMIP 1.x attribute that was deprecated in KMIP 1.3 and removed in KMIP 2.0. The Eviden KMS ignores this attribute and records a warning in its log:

WARN KMIP 2.1 does not support the KMIP 1 attribute OperationPolicyName("default")

This warning is informational and does not affect functionality.

ReKey behavior

When VAST sends a ReKey request, the KMS implements KMIP 2.1 §6.1.46:

  1. The KMS creates a new symmetric key with a new Unique Identifier
  2. The Name attribute is transferred from the old key to the new key
  3. Bidirectional links are set: ReplacementObjectLink on old → new, ReplacedObjectLink on new → old
  4. The old key’s State is unchanged (it remains Active) — the KMIP spec does not deactivate the existing key during ReKey
  5. VAST can then Locate by name and finds the new key

New UUID after ReKey — old key remains Active

VAST expects the ReKey response to return a different Unique Identifier from the original. After rotation, the old key remains Active in the database. Later, when VAST decommissions an encrypted path, it sends Locate → Revoke → Locate → Destroy for each key to retire.

Monitoring interval

VAST polls the KMS every ~61 seconds per key with Locate + GetAttributes to verify keys remain in Active state with a valid ActivationDate. This is normal health-check behavior and produces high-volume but lightweight traffic.


Troubleshooting

| Symptom | Cause | Fix |
|---------|-------|-----|
| unsupported KMIP 1 operation: ReKey | KMS version < 5.22.0 missing ReKey support | Upgrade Eviden KMS to 5.22.0+ |
| OperationPolicyName warnings in KMS logs | Normal — VAST sends this deprecated KMIP 1.x attribute | No action required; informational warning only |
| TLS handshake failure | Certificate mismatch or missing CA | Verify clients_ca_cert_file matches the CA that signed VAST’s client cert |
| tlsv1 alert decrypt error (SSL alert 51) in KMS logs | VAST background reconnection attempt with stale connection state | Transient; no action required — the KMIP workflow itself is unaffected |
| Connection reset by peer (os error 104) | Network instability | Transient; VAST will reconnect automatically |

Verified Operations

The following KMIP operations have been validated with VAST Data production environments (logs from May 2026):

| Operation        | Status   | Notes |
|------------------|----------|-------|
| DiscoverVersions | Verified | Session initialization; confirms KMIP 1.4 support |
| Create           | Verified | AES-256 SymmetricKey; 76 keys created across 5 days |
| AddAttribute     | Verified | Called 3× per key: Name, ObjectGroup, OperationPolicyName |
| Activate         | Verified | Transitions key to Active state |
| Locate           | Verified | By Name (UninterpretedTextString); ~11,800 calls over 5 days |
| Get              | Verified | Plaintext key material retrieval; 182 calls |
| GetAttributes    | Verified | State + ActivationDate; ~11,500 calls (monitoring) |
| ReKey            | Verified | Key rotation with new UUID; 16 rotations observed |
| Revoke           | Verified | Key revocation before destruction; 69 calls |
| Destroy          | Verified | Permanent key deletion; 69 calls |

© Copyright 2018-2026 Eviden. All rights reserved.