Askhat -


How enterprises can ensure NVMe security in 2.0

Today's world demands airtight security more than ever. Key NVMe security features, such as namespaces, the Lockdown command and TLS in NVMe over TCP, keep data safe.

NVMe is the dominant interface for enterprise SSDs, and both its uses and features are expanding. However, greater adoption of any enterprise technology shines a light on its gaps.

As with all storage, security is more about protecting the data on the drives than the drives themselves. In many ways, NVMe SSDs use the same security mechanisms as other drive types, particularly for encryption and key management.

New developments specific to NVMe security bear watching. These include NVMe-oF and features added to the NVMe 2.0 specification released in mid-2021.

NVMe 2.0 security features

The NVMe 2.0 specification brings performance enhancements but also security improvements.


The 2.0 specification adds Command Group Control, better known as the Lockdown command. Lockdown lets admins put a drive into a state where it still reads and writes data while selected administrative capabilities are locked. This prevents intentional and unintentional changes to a drive's configuration after it is provisioned, such as a Format NVM command that wipes all data on the drive, or a change to the drive's encryption keys.

The Lockdown command is an expansion of the Namespace Write Protect capability introduced in NVMe 1.4. That capability enables a host to put a namespace into write-protect mode until an admin clears it or, depending on the mode chosen, until the drive is power-cycled. The Lockdown addition in NVMe 2.0 extends the same idea to the rest of the drive's command set. A Lockdown command can prohibit execution of a specific Admin command, of a Set Features command for a specific Feature Identifier, or of an NVMe Management Interface command, and the prohibition can be applied to the in-band (PCIe) interface, the out-of-band management interface or both.

Namespaces also play a role in securing NVMe drives. Namespaces divide an SSD into logically separate regions that admins can address individually. Each namespace is attached to an NVMe controller, is addressed by its own namespace ID (NSID), and appears to the host as a separate block device. I/O queues belong to the controller rather than to the namespace, so isolation between namespaces is logical, enforced by the controller, not a matter of separate queues.

Breaking an NVMe SSD into multiple namespaces delivers logical isolation and supports multi-tenancy, and because encryption can be applied per namespace, it also delivers security isolation: one tenant's keys cannot unlock another tenant's namespace. It also helps NVMe security to separate storage networks, physically or logically, from application and other networks, so that each physical or logical network can have its own access controls and authentication.

Transport Layer Security protocol

Also beginning with NVMe 2.0, NVMe over TCP implementations that offer TLS must support Transport Layer Security (TLS) 1.3, the latest version of the TLS cryptographic protocol. Earlier NVMe-oF revisions allowed TLS 1.2.

TLS is the most widely deployed transport security protocol. It encrypts data in transit and authenticates the two endpoints of a connection. With NVMe over TCP on the rise, TLS support has become more important to NVMe deployments.

Version 1.3 encrypts more of the handshake than 1.2 did and completes it in one round trip instead of two, so application data starts flowing between client and server sooner. TLS 1.3 also drops the legacy cipher suites that TLS 1.2 still permitted, including static RSA key exchange and non-AEAD ciphers, and requires forward-secret (EC)DHE key exchange, so a key compromised later cannot be used to decrypt recorded traffic.
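The version requirement above is only useful if the endpoints actually refuse to negotiate anything older. The block below is an added example, not code from the article or from any NVMe implementation: it uses Python's ssl module to show the weak setting beside the corrected one and an audit function that flags a context that would accept a downgrade. NVMe over TCP keys its TLS sessions with pre-shared keys rather than certificates, so the certificate checks here stand in for the peer-identity check a storage stack would do differently; the version pinning is the transferable part. Both contexts are constructed for illustration and are not NVMe/TCP sessions.

```python
"""TLS policy check for a client: weak context, hardened context, and an audit.
Added example; requires an OpenSSL build with TLS 1.3 (ssl.HAS_TLSv1_3)."""
import ssl


def weak_context():
    """Typical permissive setting: a peer may negotiate TLS 1.2, so a downgrade
    from 1.3 would succeed silently."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_context():
    """The policy an NVMe over TCP host should insist on: TLS 1.3 only, and the
    peer's identity verified (here via certificate; NVMe/TCP uses pre-shared keys)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit(ctx):
    """Return a list of policy violations for a context; an empty list passes.
    MAXIMUM_SUPPORTED is accepted as a ceiling because it means 'the newest the
    library has', which is TLS 1.3 on any build this example runs on."""
    findings = []
    if ctx.minimum_version != ssl.TLSVersion.TLSv1_3:
        findings.append(f"minimum_version is {ctx.minimum_version.name}, not TLSv1_3")
    if ctx.maximum_version not in (ssl.TLSVersion.TLSv1_3,
                                   ssl.TLSVersion.MAXIMUM_SUPPORTED):
        findings.append(f"maximum_version is {ctx.maximum_version.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer identity not required")
    if not ctx.check_hostname:
        findings.append("peer name check disabled")
    return findings


if __name__ == "__main__":
    print("weak:", audit(weak_context()))
    print("hardened:", audit(hardened_context()))
```

Run the audit against any context your tooling builds; a context that passes cannot be talked down to TLS 1.2 by a peer or by an attacker sitting between the two.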

Chart of NVMe timeline

Security issues to consider with NVMe use

NVMe-oF -- particularly NVMe over TCP -- moves data across a network, and every hop on that path is an opportunity for an attacker. This makes encryption in transit and support for the latest TLS version important.

NVMe-oF results in more data movement across the data center, which increases the need to encrypt data in transit. SSDs behind an NVMe-oF target usually have stricter security needs than those in a directly attached just-a-bunch-of-flash architecture, for example. Ask for encryption and other security feature details when buying drives and the networking devices, such as switches, adapters and routers, that carry NVMe-oF traffic.

NVMe over TCP potentially opens the door for man-in-the-middle (MitM) attacks, where an intruder intercepts, deletes or alters data sent between two devices. Methods of carrying out these attacks include the following:

  • TCP session hijacking, where an attacker takes over an established connection and acts as an authorized host on the network;
  • storage traffic sniffing, where an attacker captures the data a server sends in real time; and
  • storage masquerading, where an attacker inserts a rogue storage target into the network to steal or alter data or metadata that hosts send to it.

And, of course, always be aware of the dangers of ransomware attacks.

Strong encryption and authentication can reduce the risk of data loss and access denial, but each control addresses a different part of the problem. Self-encrypting drives and Trusted Computing Group Opal 2.0, which the NVMe specification supports, protect data at rest: a drive pulled from a rack is unreadable without its key, but they do nothing for traffic on the wire. TLS protects data in transit, so a sniffer captures only ciphertext. Strong fabric authentication, such as DH-HMAC-CHAP in NVMe-oF, authenticates host and controller to each other before any I/O flows, which is what defeats a masquerading target or a hijacked session: the intruder cannot answer the challenge without the provisioned key. Used together, these measures leave a MitM attacker with nothing it can decrypt and no endpoint it can impersonate.
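The MitM methods listed above and the authentication that counters them can be seen working in the following added example. It is illustrative code written for this article, not the NVMe-oF specification's DH-HMAC-CHAP message layout: the real protocol also carries a Diffie-Hellman exchange, transforms the configured secret before use and can feed the result into TLS, all of which are omitted here, and it provisions separate host and controller keys where this example uses one shared key. What it keeps is the part that matters for the three attacks: a fresh random challenge per session, an HMAC response bound to the challenge, the sequence and transaction identifiers and both NQNs, and authentication in both directions. The NQNs and the key are constructed sample values.

```python
"""Simplified bidirectional challenge-response authentication in the style of
NVMe-oF DH-HMAC-CHAP. Added example; not the spec's exact message format."""
import hashlib
import hmac
import secrets

# Constructed sample identities and a constructed 32-byte shared secret.
# The secret is provisioned out of band and never appears on the wire.
HOST_NQN = "nqn.2014-08.org.nvmexpress:uuid:host-example"
CTRL_NQN = "nqn.2014-08.org.nvmexpress:uuid:ctrl-example"
SHARED_KEY = bytes.fromhex("6f1d9c3a" * 8)


def chap_response(key, challenge, seq, tid, sender_nqn, receiver_nqn):
    """HMAC over the challenge plus the context that binds the answer to one
    session (sequence number, transaction ID) and one ordered pair of peers."""
    msg = (challenge
           + seq.to_bytes(4, "big")
           + tid.to_bytes(2, "big")
           + sender_nqn.encode() + b"\x00" + receiver_nqn.encode())
    return hmac.new(key, msg, hashlib.sha256).digest()


class Endpoint:
    """A host or a controller: knows its own NQN and the key it was given."""

    def __init__(self, nqn, key):
        self.nqn = nqn
        self.key = key

    def challenge(self):
        # Fresh 256-bit random challenge per exchange; this is what defeats replay.
        return secrets.token_bytes(32)

    def respond(self, challenge, seq, tid, peer_nqn):
        return chap_response(self.key, challenge, seq, tid, self.nqn, peer_nqn)

    def verify(self, response, challenge, seq, tid, peer_nqn):
        expected = chap_response(self.key, challenge, seq, tid, peer_nqn, self.nqn)
        # Constant-time comparison: no timing side channel on the response.
        return hmac.compare_digest(expected, response)


def authenticate(host, controller, seq=1, tid=0x1234):
    """One bidirectional exchange. Returns (host_proved_itself, controller_proved_itself)."""
    c1 = controller.challenge()                       # controller -> host: challenge
    r1 = host.respond(c1, seq, tid, controller.nqn)   # host -> controller: response
    host_ok = controller.verify(r1, c1, seq, tid, host.nqn)
    c2 = host.challenge()                             # host -> controller: its own challenge
    r2 = controller.respond(c2, seq, tid, host.nqn)   # controller -> host: response
    ctrl_ok = host.verify(r2, c2, seq, tid, controller.nqn)
    return host_ok, ctrl_ok


def replay_attack(host, controller, seq=1, tid=0x1234):
    """A sniffer records a valid host response and replays it in a later session."""
    c_old = controller.challenge()
    captured = host.respond(c_old, seq, tid, controller.nqn)
    c_new = controller.challenge()   # the controller never reuses a challenge
    return controller.verify(captured, c_new, seq + 1, tid + 1, host.nqn)


def demo():
    host = Endpoint(HOST_NQN, SHARED_KEY)
    genuine = Endpoint(CTRL_NQN, SHARED_KEY)
    # Masquerading target: advertises the real controller's NQN but lacks the key.
    rogue = Endpoint(CTRL_NQN, b"attacker-guess")
    return {
        "genuine": authenticate(host, genuine),            # (True, True)
        "rogue_controller": authenticate(host, rogue),     # (False, False)
        "replay": replay_attack(host, genuine),            # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The rogue target fails in both directions: it cannot validate the host's response, and the host rejects the rogue's response to its own challenge, so a masquerading device never gets past connect. The replay fails because the captured response was computed over a challenge the controller will not issue again. A sniffer sees challenges and HMAC outputs but never the key, which is why the key-derived material can then seed the TLS session that protects the I/O itself.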

It takes more than technology to be secure. An organization must also develop secure processes, train employees, and test and monitor its devices. To defend against ransomware on any storage medium, back up data regularly, make the backups immutable and keep some of them physically offline.
