This section explains how encryption at rest works in Qumulo Core, how to rotate master keys, how to configure a Key Management Server (KMS), and how to ensure that the master keys across your cluster are secured correctly by using the qq
CLI.
- Upgrading a Qumulo cluster from a version of Qumulo Core lower than 3.1.5 doesn't enable encryption automatically. You must rebuild your cluster to take advantage of this feature. When you create a new cluster, Qumulo Core enables encryption automatically and distributes the master key to all nodes in the cluster.
- In case of replication processes, Qumulo Core maintains the encryption type after data transfers. Although source and target clusters don't require encryption for replication, we strongly recommend encrypting both source and target clusters.
How Encryption at Rest and Master Keys Work in Qumulo Core
In Qumulo Core 3.1.5 (and higher), in addition to encrypting data in transit (for example, to clients that use SMBv3.1), software-based encryption also secures data at rest for on-premises clusters. Qumulo Core encrypts all data and metadata in the file system. Removing or reinserting drives and replication doesn’t affect encryption at rest. For more information, see Encryption Limitations.
Qumulo Core uses a master key to protect the data key that encrypts the data on the cluster. The master key is stored either locally—on the boot drive of every node, in a file that only the root
user can access—or on an external Key Management Server (KMS)—from where the system retrieves the master key upon startup. Both approaches help protect your data from potential threats such as a malicious actor’s access to stolen or decommissioned disks.
Retrieving Information about a Qumulo Cluster’s Encryption Configuration
This section explains how to retrieve the status or detailed information about an active encryption configuration for a Qumulo cluster and gives examples for a system that uses a locally stored master key and a system that uses a Key Management Server (KMS).
The
qq encryption_get_key_store
and qq encryption_get_status
commands require the PRIVILEGE_ENCRYPTION_READ
privilege.To View the Status of an Active Encryption Configuration
Run the qq encryption_get_status
command.
The following is example output. The master key is stored locally.
{
"last_key_rotation_time": "2022-11-20T12:15:25.683207795Z",
"status": "Encrypted",
"type": "Local"
}
The following is example output. The master key is stored in a KMS.
{
"ca_cert_expiry": "2027-04-18T19:55:17Z",
"client_cert_expiry": "2027-04-18T19:55:17Z",
"last_key_rotation_time": "2023-09-05T20:15:40.06864014Z",
"last_status_update_time": "2023-09-05T20:28:58.108120131Z",
"status": "KMS Available",
"type": "KMS"
}
To View Detailed Information for an Active Encryption Configuration
Run the qq encryption_get_key_store
command.
The following is example output. The master key is stored locally.
{
"config_details": {
"status": "Encrypted"
},
"config_type": "Local"
}
The following is example output. The master key is stored in a KMS.
{
"config_details": {
"config_creation_time": "2024-02-28T20:01:25.683207795Z",
"hostname": "kms.example.com",
"key_id": "abcd-1234-efgh-5678",
"port": 5696
},
"config_type": "KMS"
}
Configuring Qumulo Core to Use a Master Key Stored Locally or in a Key Management Server (KMS)
This section explains how to configure Qumulo Core to use a master key stored locally or in a Key Management Server (KMS) by using the qq
CLI.
- The
qq
CLI commandqq encryption_set_key_store
requires thePRIVILEGE_ENCRYPTION_WRITE
privilege. - To be able to configure an external KMS, the KMS must support Key Management Interoperability Protocol (KMIP) 1.0.
To Configure Qumulo Core to Use a Master Key Stored Locally
- While the master key on your boot drive encrypts your data keys, the master key itself isn't encrypted.
- The boot drive contains the disk image, the installed build of Qumulo Core, and configuration files. In the unlikely event that your boot drive fails and requires replacement, remove the encrypted data keys associated with the master key from the boot drive by rotating the master key. When you complete the key rotation process, you can dispose of the failed boot drive securely.
- To avoid potential decryption, ensure that your data keys eventually age out by rotating the master key any time you replace a drive in your cluster.
-
To configure the system to use a local key store, run the
qq encryption_set_key_store
with thelocal
subcommand. -
To confirm that the system is configured correctly,
qq encryption_get_status
.In the output, ensure that the
type
field is set toLocal
.
To Configure Qumulo Core to Use a Master Key Stored in a Key Management Server (KMS)
- If the master key is deleted from the KMS, and all nodes in the cluster are rebooted, all data on the cluster becomes permanently unrecoverable.
- If you allow the certificates to expire, or the master key is deleted accidentally, you must create a new, valid configuration as soon as possible. To warn you of this scenario, the Qumulo Core Web UI indicates if any of your certificates are about to expire, or if the configured master key becomes unavailable.
-
To configure the system to use a KMS, use
qq encryption_set_key_store kms
command and specify the path to the client certificate, private key, the server CA certificate, the key ID, and the KMS server hostname. For example:qq encryption_set_key_store kms \ --client-cert path/to/client_cert.pem \ --client-private-key path/to/client_pk.pem \ --server-ca-cert /path/to/server_cert.pem \ --key-id abcd-1234-efgh-5678 \ --host-name kms.example.com
-
To confirm that the system is configured correctly, run the
qq encryption_get_key_store
command.In the output, ensure that the
type
field is set toKMS
.
Rotating the Master Key
This section explains how to rotate the master key and check the encryption status for your cluster by using the qq
CLI and how to check the encryption status by using the Qumulo Core Web UI.
Qumulo Care team members can help you rotate your master keys. However, they don’t have access to your encryption keys and can’t retrieve them for you.
To Rotate Master Keys Stored Locally
-
Run the
qq rotate_encryption_keys
command.When the process is complete, the command shows the
Key rotation complete
message. -
To view your cluster’s encryption status and the last key rotation time, run
qq encryption_get_status
.
To Rotate Master Keys Stored in a Key Management Server (KMS)
-
Run the
qq rotate_encryption_keys
command and specify the key ID. For example:qq rotate_encryption_keys --key-id abcd-1234-efgh-5678
Tip
The key ID might be different from the key name. -
To ensure that the system is using the new key, run
qq encryption_get_key_store
.In the output, ensure that the
key_id
field lists the new key ID.
To Check the Encryption Status of a Qumulo Cluster by Using the Qumulo Core Web UI
-
Log in to the Qumulo Core Web UI.
-
On the Dashboard page, in the Cluster Overview section, click More details.
-
If encryption is enabled for your cluster, the Cluster page shows the message Data Encrypted.
Encryption Limitations
-
Qumulo Core doesn’t encrypt host file system data on the node (such as system logs, core files, and so on).
-
Qumulo Core doesn’t support removing encryption from encrypted clusters.