IN THIS ARTICLE
Provides an overview of Qumulo Core's software-based encryption at rest
- On-prem cluster running Qumulo Core 3.1.5 and above
- Command line (CLI) tools installed via API & Tools in the Web UI
IMPORTANT! Qumulo will not have access to your encryption keys (or be able to retrieve them) and cannot be held responsible in the event that a boot drive with the node's master key is lost or mishandled. If a boot drive fails and requires replacement, do not send the failed boot drive to Qumulo. Use the details and recommendations below to ensure the master keys across your cluster are secure at all times.
Qumulo Core's software-based encryption provides complete encryption of file data by securing data at rest for all on-prem clusters created with Qumulo Core 3.1.5 and above. Keys are used to encrypt data, as well as encrypting data keys themselves. A master key is utilized and stored on every boot drive in the cluster in a file that only root can access for an extra layer of security in order to encrypt a data key that decrypts the data itself. That way your data is protected from potential threats like stolen disks or malicious actors in the supply chain obtaining decommissioned disks.
Encryption at rest will be available by default on new clusters created with Qumulo Core 3.1.5 and above, while existing customers will have to build a new cluster to get this feature. Simply upgrading will not enable this feature. Once you complete the steps to create a new cluster, encryption at rest will automatically be configured and the key will be distributed to all nodes. Cluster actions can be performed as normal once the cluster is formed and data is encrypted. Nodes can be shut down and restarted and node-adds/upgrades can be completed with no change.
Qumulo already offers encryption of data in transit to SMB clients using SMB v3.1 and in our replication protocol. With the addition of encryption at rest, you’ll be able to further strengthen your security profile by getting complete encryption of both in transit and at rest data on your cluster.
Manage Encryption at Rest
File data encryption will happen at the entire cluster level using a master key and the data keys. If a boot drive fails and needs a replacement, the boot drive containing the master key for the cluster should not be sent to Qumulo. Instead, the master key should be rotated using the command below to remove the encrypted data keys that are associated with any master key on the old drive. Once the rotation is complete, you can securely dispose of the boot drive. While not required, we recommend rotating the master key anytime you replace a drive on the cluster to ensure that the data keys will eventually be aged out and avoid potential decryption when returning to Qumulo.
To rotate the master key, run the following qq command. The command will return “Key rotation complete” upon finalization.
To check your encryption status and last key rotation, run the following qq command:
NOTE: You can verify your cluster encryption status on the Cluster Overview page via the Dashboard in the Web UI as well. Encrypted clusters will show an "Encrypted" status while unencrypted clusters will display "Data Protected."
- Everything in the Qumulo file system, data + metadata, is encrypted. Host filesystem data on the node (Syslogs/Core Files/etc) will not be encrypted.
- Qumulo cloud clusters do not support encryption at rest. Customers with cloud clusters can leverage the cloud-native data at rest solutions offered by AWS and GCP.
- Single-stream write throughput and latency may see up to a 10-15% degradation while reads may experience up to 5% degradation.
- To avoid a major security risk, do not write down and save the keys in a location outside the cluster.
- Un-encrypting a cluster once it’s encrypted is not supported.
- Removing and reinserting drives will not affect encryption at rest.
- Data keys will be encrypted whereas the master key in the boot drive will not be encrypted. Losing the master key could result in data loss. Keep the boot drive with the master key secure at all times.
- Source and target clusters do not require software encryption for replication. If a cluster is software encrypted, it will be written as encrypted during a transfer. And if a cluster is not software encrypted, it will be written as unencrypted during a transfer. We recommend to encrypting both clusters and setting up replication across them to meet security requirements.
You should now have an overall understanding of Qumulo Core's software-based encryption at rest
Like what you see? Share this article with your network!