19 Replies. Latest reply: Mar 6, 2014 6:29 AM by Ben Conrad

VNX Host Encryption


Hi all,


Anyone use this or have any details about it? All I can find is the marketing material. Can't seem to find any technical docs on how to actually implement or design this.


Also, are PowerPath encryption and host encryption the same thing?


Seems to be bundled with the Security and Compliance suite. Is there some software on the Event Enabler CD?


Seems to link with RSA in some way but how?


Looks like a useful product.


Help appreciated as always.



  • 1. Re: VNX Host Encryption

    On Microsoft you can use BitLocker. You can also use PowerPath encryption, but that alone is not enough; you will also need to purchase RSA RKM appliances to manage your encryption keys.

  • 2. Re: VNX Host Encryption

    Are you recommending BitLocker as an alternative which doesn't need the RSA RKM appliances?


    I assume you are saying PowerPath encryption and VNX Host encryption both need RSA appliances?

  • 3. Re: VNX Host Encryption

    Yes, you can use BitLocker as an alternative to PowerPath encryption on Windows 2008 (which requires RSA RKM appliances but provides centralized key management).


    I am not sure what you mean by VNX host encryption. Yes, you need RSA appliances (two) for PowerPath encryption. If you want to test PowerPath encryption, EMC can provide a VM that runs RKM software, but it's only good for POC, not for production deployment.

  • 4. Re: VNX Host Encryption
    Christopher Imes

    "VNX Host Encryption" leverages PowerPath Encryption technology, and is an entitlement allowing the customers who purchase the "VNX Security and Compliance Suite" to encrypt as many hosts as are attached to the VNX for which the license was sold.


    In contrast, a "PowerPath Encryption" (proper) license, from an entitlement perspective, is per host.  For instance, this may make sense in an environment with other arrays such as Symmetrix/VMAX since a "VNX Host Encryption" license as the name suggests is limited to just the VNX for which it was purchased.


    As dynamox mentioned, the "VNX Security and Compliance Suite" (of which "VNX Host Encryption" is included) does not include the required RSA DPM (Data Protection Manager) key server appliances (formerly known as RKM), which must be purchased/licensed separately. Also as he mentioned, since they are sold in redundant pairs, you will need (a minimum of) two.


    Please follow up with your service provider for more information.

  • 5. Re: VNX Host Encryption

    Christopher, thanks for your answer, but what I need to know is how you implement it. What documentation does EMC have about this apart from marketing material? Is there something you need to install on the host to enable it, etc.? Obviously with PowerPath encryption you install PowerPath, but what do you install for host encryption? I can't ask my service provider because I am the service provider; the next level up is EMC. Regards, Smarti.

  • 6. Re: VNX Host Encryption
    Christopher Imes



    "VNX Host Encryption" is simply an entitlement/licensing title. It is PowerPath Encryption, but it entitles the user to connect as many hosts as they'd like to just the VNX for which the "VNX Security and Compliance Suite" was purchased. Otherwise, it is fully featured PowerPath Encryption. Also, remember as noted above, it does NOT include the required RSA DPM key server appliances, which are sold in pairs. Think of it as an entitlement of PowerPath Encryption by the array (but still licensed per host via a license key).


    Or has this thread become a question of how to implement PowerPath Encryption itself?  This would not be the proper forum for that.

  • 7. Re: VNX Host Encryption

    Christopher, thanks for the reply. This answers part of my question: Host Encryption and PowerPath are the same thing, and it is just a licensing thing. I guess when you install and license PowerPath, because it connects to a VNX array it will automatically be licensed for host encryption, provided of course you have the RSA appliances? Regards, Smarti

  • 8. Re: VNX Host Encryption
    Christopher Imes



    No, you will receive a single PowerPath Encryption license (versus individual unique licenses if purchasing the PowerPath Encryption License proper) to use across all of your hosts that will be connected to just the VNX that the "Security and Compliance Suite" is entitled.  Please note, I suggested this in one of my earlier posts with the following comment:



    (but still licensed per host via a license key)



    Also, please note, this entire conversation is in regards to just the PowerPath Encryption (sub) feature.

  • 9. Re: VNX Host Encryption



    A little bit of an old topic, but I have to refresh it, because I cannot get useful information on how to use "VNX host encryption" on desired hosts. I understand that this license is per specific array and it can be used on every host connected to this array. I also know that PowerPath has different licenses, one for multipathing and another for encryption with RSA.


    We have a VNX with host encryption, and the question is: in what form should this license be delivered?

    We have RKM (now DPM) appliances already and we wish to use encryption between hosts and the VNX. How can we get a license for PowerPath encryption, or maybe there is a specific installation file on the CD delivered with the VNX (unfortunately I am not able to check this now)?


    A little bit confusing...


    Please help.

  • 10. Re: VNX Host Encryption
    Christopher Imes

    Open a ticket with support. The licensing team is monitoring such support tickets and will intercept them and respond.

  • 11. Re: VNX Host Encryption

    Thank you. I would also want to know the steps involved to implement the VNX Security and Compliance Suite with DPM/RKM.

  • 12. Re: VNX Host Encryption

    I'm a fan of the Encrypted HBAs from Emulex... In my testing they have caused the least performance impact on heavy use environments. Just keep in mind no matter what you do, anyone with access to the server and the data will not realize it's encrypted. Our legal team thought using encryption like this would prevent a root user from being able to see the data, which is not the case.

  • 13. Re: VNX Host Encryption

    Appreciate that this is resurrecting an old post, so apologies, but I thought it might be the easiest way of finding out.

    Basically I have someone who is interested in utilizing encryption on the VNX. Their ideal scenario would be to use SEDs, but the SEDs available on the VNXe do not offer the required performance.


    I advised regarding the VNX Host Encryption, which is interesting, but the additional performance impact on the hosts is something that we are keen to avoid.

    I had a couple of questions:

    1. Is there a large overhead on the host side - between performance impact and additional management - that anyone has any experience of?
    2. In the VNX Host Encryption DS there is mention of hardware-assist HBAs which the encryption process can be offloaded to. Does anyone have experience with these and more importantly are they still available?


    Many thanks.

  • 14. Re: VNX Host Encryption

    Something to think about is how your security / audit guys view this data. When they log on to a host with array-based encryption or HBA-based encryption, the data still looks unencrypted... An end user on the host can simply look at the file and it will not be encrypted; that is because the host has access to it.
