@Eric J Nordberg
Apologies for the delayed response. I have checked with our Data Box service team. Please find the answers to your questions below:
- Is the second layer of at-rest encryption applied by the NAS, or does the customer encrypt its data prior to copying onto the NAS?
Double encryption option for Data Box applies a 2nd layer of software-based encryption. The customer selects this during ordering and the device is prepared accordingly. This means customers can’t turn it off when they receive the device. Keep in mind that if double encryption is enabled, Certain phases of the job will take longer to complete (i.e. data copy to azure when the device returns)
- What encryption cypher and strength is used for the second layer of encryption?
- Where are the encryption keys stored?
It is stored on the device. There is a TPM on the device that protects the keys. The device unlock key for the device is needed to access the TPM key to access the encryption keys.
- Is custom managed encryption keys (CMEK) for the second layer of encryption an option?
Both encryption keys will be driven off of the device unlock key.
- How is the second layer encryption key accessed during the copying of data from the NAS to Azure storage?
Data Box service will access the device unlock key either through as a Microsoft managed key or customer-managed key via Key Vault which will help unlock the 2nd layer encryption.
Hope this helps. Let us know if you still have questions or need additional assitance.
Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.