With Spectrum Virtualize 7.8 release, feature to put snapshots in cloud is supported. Details on how to start setup are here .
These snapshots are stored in the form of objects. Objects contain both metadata and data and for a large size volume (We support upto 256 TB volume size), there could be millions of blobs in cloud.
What if I don’t have Encryption on SVC ?
These objects are created by Spectrum Virtualise code and are uploaded to cloud using internal gateway. These objects are not in human readable format and in case a cloud account is compromised (It is not a trivial thing though), this snapshot data isn’t directly usable by a rogue user. Any restoration of data requires a Spectrum Virtualise code to run on the system with few other mandatory parameters.
This implies that if a customer is opting for an On-premise cloud using Open Stack Swift and doesn’t want encryption, in that case also, data is very secured in cloud, though IBM highly recommends encryption to be ON.
Advantage with Encryption ON:
When encryption is enabled on SVC or Storwize cluster, data is encrypted first and then put in cloud (public or private) with encryption keys at various levels i.e Cluster, Cloud account layer, volume layer, snapshots generations level etc.
Without access of correct keys, data can never be restored by unauthorised user.
What if all my keys are compromised ?
Spectrum Virtualize provides a re-keying mechanism which can swiftly change all keys of the system including the ones relevant to the cloud accounts. It is a 2 step process and has fault tolerance of SVC as well.
USB vs SKLM Encryption ?
With USB mode encryption, upto 3 USB’s can be enabled with master keys which are critical for accessing data onto cloud.
In case of a site failures, physical access to these keys is required for regeneration of data.
In case of SKLM based keys, keys are stored onto IBM SKLM servers. SKLM stands for Secure Key Life Manager and it acts a secured central repository for all your datacenter keys be it from servers or storages. In case of regeneration of cloud data onto a site, network access to SKLM server is required.
PS: All these thoughts are mine and not necessarily reflect that of my employer.