At the forefront of technical measures that data controllers must take under the Personal Data Protection Law (KVKK) is "data encryption" to prevent unlawful access to personal data. Storage systems configured in enterprise data centers are the most critical areas where personal data is stored in bulk. Therefore, correctly configuring the encryption architecture in next-generation storage solutions like Dell PowerStore is of vital importance for KVKK compliance and data security.
In this guide, we will discuss the built-in encryption (encryption at rest) features offered in Dell PowerStore storage systems and the steps required for full compliance with KVKK technical measures.
Dell PowerStore Encryption Architecture (D@RE)
Dell PowerStore storage systems use "Data at Rest Encryption" (D@RE) technology to ensure security at the physical disk layer where data is physically stored. This technology ensures that all data written to the storage unit is automatically encrypted before descending to the disk level.
The prominent core features of the PowerStore encryption architecture are as follows:
- Hardware Encryption: Since encryption operations are performed by dedicated hardware components (ASIC/CPU accelerators), there is no loss of performance or latency in storage operations.
- AES-256 Standard: Data is encrypted using the AES-256 (Advanced Encryption Standard) algorithm, which is the industry standard and considered impossible to crack.
- Automatic Key Management: Media Encryption Keys (MEKs) are automatically generated, managed, and securely stored by the system.
Importance of Storage Encryption Under KVKK
The KVKK Technical Measures Guide obliges the protection of systems where personal data is stored against cyber attacks, physical theft, or unauthorized access.
Configuring encryption at the storage layer provides organizations with the following legal and technical advantages:
- Protection Against Physical Theft: If an SSD or NVMe disk removed from the storage unit is plugged into another system, the data inside can absolutely not be read without the decryption key.
- Ease of Data Breach Notification: In the event of a potential data breach under KVKK, the fact that the leaked data was encrypted with strong cryptographic methods is the most important factor that lightens the responsibility of the data controller and strengthens their hand in breach notification processes.
- Prevention of Unauthorized Access: Encryption applied at the storage operating system (PowerStoreOS) level prevents unauthorized software or attackers trying to access disk blocks directly from making sense of the data.
Recommendation: To choose the right storage infrastructure and manage licensing processes during your organization's KVKK compliance process, you can benefit from our Hardware and Software Solutions services.
Dell PowerStore Encryption Configuration Steps
Although encryption configuration and key management processes in Dell PowerStore systems are highly practical, they must be managed carefully.
1. Enabling Encryption
In Dell PowerStore systems, the D@RE (Data at Rest Encryption) feature comes enabled by default. Encryption is automatically deployed during the initial setup (initialization) of the system. To verify the encryption status after setup is complete:
- Log into the PowerStore Manager (GUI) interface.
- Go to the Settings > Security > Encryption tab.
- Confirm that the encryption status is "Enabled" and that the keys are generated healthily.
2. Key Management and Backup
The security of encryption keys is directly related to the accessibility of your data. PowerStore offers Local Key Management, but these keys must be backed up externally.
- Keystore Backup: Regularly back up the "keystore" file containing the encryption keys via PowerStore Manager to a secure, isolated, and encrypted environment. This is the only way to recover your data in the event of a potential hardware disaster.
- External KMS Integration: In organizations with higher security requirements, integrating a KMIP (Key Management Interoperability Protocol) compliant external Key Management System (KMS) is recommended to centralize key management.
3. Restricting Access Privileges
The privileges of users and systems that can access encrypted storage areas should be kept to a minimum.
- Implement strong password policies and multi-factor authentication (MFA) for administrators accessing the PowerStore management interface.
- Allow only the IQN/WWN addresses of the relevant ESXi hosts or servers in LUN and Volume access (LUN Masking/Mapping).
Holistic Approach to Storage Security
Simply encrypting the storage area is not sufficient on its own for KVKK compliance. Backups of stored data must also be securely taken and encrypted. For more detailed information on this subject, you can review our Dell Storage Backup Requirements for KVKK guide. Additionally, to learn about the compliance of your storage systems with ISO 27001 information security standards, you can read our Dell PowerStore Encryption ISO 27001 Compliance article.
To receive professional support in the procurement, installation, and configuration of your storage systems in accordance with KVKK standards, you can benefit from our Enterprise Storage Hardware Procurement Service solutions.
Frequently Asked Questions
Can Dell PowerStore encryption be disabled later?
No. The D@RE encryption feature in Dell PowerStore systems is permanently designed for system security and data integrity. The encryption feature enabled during initial setup cannot be disabled later.
Does the encryption process affect storage performance (IOPS/Latency)?
No. Since encryption and decryption operations on PowerStore are performed inline by hardware ASIC processors, your servers will not experience any performance loss or drop in IOPS.
What happens if encryption keys (Keystore) are lost?
If encryption keys or the keystore file are completely lost and there is no backup, it becomes absolutely impossible to access the data on the disks. Therefore, keeping key backups securely is the most critical management step.
Conclusion
Personal data security and KVKK compliance require a holistic security approach starting from the hardware layer. Built-in hardware encryption (D@RE) and proactive key management steps offered in Dell PowerStore storage systems protect your corporate data completely against cyber threats and physical risks.
To perform a KVKK-compliant security analysis of your storage infrastructure and get detailed information about our professional installation solutions, please contact us.
