Broadcom announced it is shipping the first end-to-end Post-Quantum Cryptography (PQC)-safe, in-flight network encryption solution. Over the past year, more than 120,000 Emulex SecureHBAs have shipped on OEM server platforms. Everpure has become the first storage platform to embed Emulex SecureHBAs in its FlashArray product family, completing the end-to-end solution.
The Emulex SecureHBA encrypts all in-flight data across Fibre Channel networks using PQC-safe encryption. It protects data transfers from application servers to storage against harvest now, decrypt later (HNDL) attacks. The solution supports the transition of enterprise AI from proof of concept to production, where PQC-safe network encryption serves as an essential security measure.
Jeff Hoogenboom, vice president and general manager of the Emulex Connectivity Division at Broadcom, stated that as enterprise customers view HNDL attacks as an increasing threat, extending Encrypt Everything policies from data-at-rest to PQC-safe in-flight network encryption secures mission-critical data.
Shawn Hansen, vice president and general manager of the Core Platform Business Unit at Everpure, noted that embedding Broadcom’s Emulex SecureHBA into the Everpure Platform provides the first end-to-end solution for automatic, in-flight encryption using Post-Quantum Cryptography. The standards-based approach secures data between servers and arrays without impacting performance or storage services such as compression and deduplication.
Broadcom also announced Emulex SAN Manager 3.0, a Podman-based software solution that adds security compliance reporting. It allows administrators to identify and manage encrypted ports across the Fibre Channel environment, simplifying reporting, compliance, and data classification for CNSA 2.0 and NIS2/DORA requirements.
The Emulex SecureHBA is described as the first CNSA 2.0 and NIS2/DORA-compliant network adapter.
Solution features include:
Easy-to-use session-based, touchless, autonomous end-to-end network encryption with no external key managers, no long-lived keys, and transparency to all OSs, fabrics, and applications.
Quantum-safe hardware-based PQC-safe encryption using LMS Silicon Root of Trust, AES-GCM-256 in-flight encryption algorithms, and keys negotiated using ML-DSA-87 and ML-KEM-1024. It supports SPDM 1.4 with ML-DSA-87 and ML-KEM-1024.
High performance with fully offloaded encryption that has no impact on server or storage array CPU utilization, unlike Ethernet/TCP IPsec encryption.
Scalability supporting thousands of automatically encrypted connections with independent keying per connection and fast fail-over recovery.
Lowest cost by preserving storage array services including deduplication, compression, and ransomware detection and recovery, unlike application-based encryption.
Standards-based autonomous in-flight encryption per INCITS FC-SP-3 to avoid proprietary vendor lock-in.
VMware vSAN Storage Clusters and Microsoft Azure Local have announced plans to support native Fibre Channel with SecureHBA benefits.
Brian Beeler, president of StorageReview.com, reported that testing of the Everpure FlashArray//XL130 R5 with Emulex SecureHBAs showed no measurable performance penalty or CPU overhead on host or array when enabling end-to-end encryption. Encryption negotiated automatically during the standard Fibre Channel login process required no switch changes, external key managers, or fabric reconfiguration.
