
Qumulo Core's Encryption at Rest

IN THIS ARTICLE 

Provides an overview of Qumulo Core's software-based encryption at rest

REQUIREMENTS

  • On-prem cluster running Qumulo Core 3.1.5 and above
  • Command line (CLI) tools installed via API & Tools in the Web UI

IMPORTANT! Qumulo will not have access to your encryption keys (or be able to retrieve them) and cannot be held responsible in the event that a boot drive with the node's master key is lost or mishandled. If a boot drive fails and requires replacement, do not send the failed boot drive to Qumulo. Use the details and recommendations below to ensure the master keys across your cluster are secure at all times.

DETAILS

Qumulo Core's software-based encryption provides complete encryption of file data, securing data at rest on all on-prem clusters created with Qumulo Core 3.1.5 and above. Keys are used to encrypt the data, and also to encrypt the data keys themselves: a data key decrypts the data, and a master key encrypts that data key. As an extra layer of security, the master key is stored on every boot drive in the cluster in a file that only root can access. This protects your data from threats such as stolen disks or malicious actors in the supply chain obtaining decommissioned disks.

Encryption at rest will be available by default on new clusters created with Qumulo Core 3.1.5 and above, while existing customers will have to build a new cluster to get this feature. Simply upgrading will not enable this feature. Once you complete the steps to create a new cluster, encryption at rest will automatically be configured and the key will be distributed to all nodes. Cluster actions can be performed as normal once the cluster is formed and data is encrypted. Nodes can be shut down and restarted and node-adds/upgrades can be completed with no change.

Qumulo already offers encryption of data in transit to SMB clients using SMB v3.1 and in our replication protocol. With the addition of encryption at rest, you can further strengthen your security profile with complete encryption of both in-transit and at-rest data on your cluster.

Manage Encryption at Rest

File data encryption happens at the level of the entire cluster, using a master key and the data keys. If a boot drive fails and needs a replacement, do not send the boot drive containing the master key for the cluster to Qumulo. Instead, rotate the master key using the command below to remove the encrypted data keys that are associated with any master key on the old drive. Once the rotation is complete, you can securely dispose of the boot drive. While not required, we recommend rotating the master key any time you replace a drive on the cluster, to ensure that the data keys will eventually be aged out and to avoid potential decryption when returning a drive to Qumulo.

To rotate the master key, run the following qq command. The command will return “Key rotation complete” upon finalization.

qq rotate_encryption_keys

To check your encryption status and last key rotation, run the following qq command:

qq encryption_get_status

NOTE: You can verify your cluster encryption status on the Cluster Overview page via the Dashboard in the Web UI as well. Encrypted clusters will show an "Encrypted" status while unencrypted clusters will display "Data Protected."
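
The master-key/data-key relationship and the effect of a rotation described above can be modelled in a few lines. This is an added example, not Qumulo's code: the wrap construction (an HMAC-SHA256 keystream with encrypt-then-MAC, chosen only because it needs nothing beyond the Python standard library), the key sizes, and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _subkeys(master_key: bytes):
    # Separate encryption and MAC keys derived from the master key.
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def wrap(master_key: bytes, data_key: bytes) -> bytes:
    """Encrypt-then-MAC the data key; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(enc, nonce, len(data_key))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unwrap(master_key: bytes, blob: bytes) -> bytes:
    """Recover the data key, or raise ValueError under the wrong master key."""
    enc, mac = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master key or corrupted wrapped key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def rotate(old_master: bytes, wrapped: bytes):
    """Re-wrap the data key under a fresh master key; the old blob must be deleted."""
    new_master = secrets.token_bytes(32)
    return new_master, wrap(new_master, unwrap(old_master, wrapped))

def demo() -> dict:
    master_v1 = secrets.token_bytes(32)            # constructed: key on the old boot drive
    data_key = secrets.token_bytes(32)             # constructed: key that encrypts file data
    stored = wrap(master_v1, data_key)             # only the wrapped form is persisted
    master_v2, stored = rotate(master_v1, stored)  # old wrapped copy is overwritten
    try:
        unwrap(master_v1, stored)
        old_master_unwraps = True
    except ValueError:
        old_master_unwraps = False
    return {"data_key_unchanged": unwrap(master_v2, stored) == data_key,
            "old_master_unwraps": old_master_unwraps}

if __name__ == "__main__":
    print(demo())
```

In this model the old master key is only harmless once every blob wrapped under it is gone, which is why the rotation removes the encrypted data keys tied to the old drive before that drive is disposed of.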

Considerations

  • Everything in the Qumulo file system, data + metadata, is encrypted. Host filesystem data on the node (Syslogs/Core Files/etc) will not be encrypted.
  • Qumulo cloud clusters do not support encryption at rest. Customers with cloud clusters can leverage the cloud-native data at rest solutions offered by AWS and GCP.
  • Single-stream write throughput and latency may see up to a 10-15% degradation while reads may experience up to 5% degradation. 
  • To avoid a major security risk, do not write down and save the keys in a location outside the cluster.
  • Un-encrypting a cluster once it’s encrypted is not supported.
  • Removing and reinserting drives will not affect encryption at rest.
  • Data keys will be encrypted whereas the master key in the boot drive will not be encrypted. Losing the master key could result in data loss. Keep the boot drive with the master key secure at all times.
  • Source and target clusters don't require software encryption for replication. While replication runs, data is always encrypted during transfers.
    • If the target cluster is software-encrypted, Qumulo Core writes it as encrypted after a transfer.
    • If the target cluster is not software-encrypted, Qumulo Core writes it as unencrypted after a transfer.
    To increase security, we recommend encrypting both source and target clusters and setting up replication between them.

RESOLUTION 

You should now have an overall understanding of Qumulo Core's software-based encryption at rest.

ADDITIONAL RESOURCES

Create a Qumulo Cluster with 2.7.10 and above

QQ CLI: Cluster Configuration

 
