This section explains how encryption at rest works in Qumulo Core, how to rotate master keys, how to configure a Key Management Server (KMS), and how to ensure that the master keys across your cluster are secured correctly by using the qq CLI.

How Encryption at Rest and Master Keys Work in Qumulo Core

In Qumulo Core 3.1.5 (and higher), in addition to encrypting data in transit (for example, to clients that use SMBv3.1), software-based encryption also secures data at rest for on-premises clusters. Qumulo Core encrypts all data and metadata in the file system. Removing or reinserting drives and replication doesn’t affect encryption at rest. For more information, see Encryption Limitations.

Qumulo Core uses a master key to protect the data key that encrypts the data on the cluster. The master key is stored either locally—on the boot drive of every node, in a file that only the root user can access—or on an external Key Management Server (KMS)—from where the system retrieves the master key upon startup. Both approaches help protect your data from potential threats such as a malicious actor’s access to stolen or decommissioned disks.

Retrieving Information about a Qumulo Cluster’s Encryption Configuration

This section explains how to retrieve the status or detailed information about an active encryption configuration for a Qumulo cluster and gives examples for a system that uses a locally stored master key and a system that uses a Key Management Server (KMS).

To View the Status of an Active Encryption Configuration

Run the qq encryption_get_status command.

The following is example output. The master key is stored locally.

{
  "last_key_rotation_time": "2022-11-20T12:15:25.683207795Z",
  "status": "Encrypted",
  "type": "Local"
}

The following is example output. The master key is stored in a KMS.

{
  "ca_cert_expiry": "2027-04-18T19:55:17Z",
  "client_cert_expiry": "2027-04-18T19:55:17Z",
  "last_key_rotation_time": "2023-09-05T20:15:40.06864014Z",
  "last_status_update_time": "2023-09-05T20:28:58.108120131Z",
  "status": "KMS Available",
  "type": "KMS"
}

To View Detailed Information for an Active Encryption Configuration

Run the qq encryption_get_key_store command.

The following is example output. The master key is stored locally.

{
  "config_details": {
    "status": "Encrypted"
  },
  "config_type": "Local"
}

The following is example output. The master key is stored in a KMS.

{
  "config_details": {
    "config_creation_time": "2024-02-28T20:01:25.683207795Z",
    "hostname": "kms.example.com",
      "key_id": "abcd-1234-efgh-5678",
      "port": 5696
    },
  "config_type": "KMS"
}

Configuring Qumulo Core to Use a Master Key Stored Locally or in a Key Management Server (KMS)

This section explains how to configure Qumulo Core to use a master key stored locally or in a Key Management Server (KMS) by using the qq CLI.

To Configure Qumulo Core to Use a Master Key Stored Locally

  1. To configure the system to use a local key store, run the qq encryption_set_key_store with the local subcommand.

  2. To confirm that the system is configured correctly, qq encryption_get_status .

    In the output, ensure that the type field is set to Local.

To Configure Qumulo Core to Use a Master Key Stored in a Key Management Server (KMS)

  1. To configure the system to use a KMS, use qq encryption_set_key_store kms command and specify the path to the client certificate, private key, the server CA certificate, the key ID, and the KMS server hostname. For example:

    qq encryption_set_key_store kms \
      --client-cert path/to/client_cert.pem \
      --client-private-key path/to/client_pk.pem \
      --server-ca-cert /path/to/server_cert.pem \
      --key-id abcd-1234-efgh-5678 \
      --host-name kms.example.com
    
  2. To confirm that the system is configured correctly, run the qq encryption_get_key_store command.

    In the output, ensure that the type field is set to KMS.

Rotating the Master Key

This section explains how to rotate the master key and check the encryption status for your cluster by using the qq CLI and how to check the encryption status by using the Qumulo Core Web UI.

To Rotate Master Keys Stored Locally

  1. Run the qq rotate_encryption_keys command.

    When the process is complete, the command shows the Key rotation complete message.

  2. To view your cluster’s encryption status and the last key rotation time, run qq encryption_get_status .

To Rotate Master Keys Stored in a Key Management Server (KMS)

  1. Run the qq rotate_encryption_keys command and specify the key ID. For example:

    qq rotate_encryption_keys --key-id abcd-1234-efgh-5678
    
  2. To ensure that the system is using the new key, run qq encryption_get_key_store .

    In the output, ensure that the key_id field lists the new key ID.

To Check the Encryption Status of a Qumulo Cluster by Using the Qumulo Core Web UI

  1. Log in to the Qumulo Core Web UI.

  2. On the Dashboard page, in the Cluster Overview section, click More details.

  3. If encryption is enabled for your cluster, the Cluster page shows the message Data Encrypted.

Encryption Limitations

  • Qumulo Core doesn’t encrypt host file system data on the node (such as system logs, core files, and so on).

  • Qumulo Core doesn’t support removing encryption from encrypted clusters.

  • On encrypted systems, single-stream throughput and latency might experience up to 5-10% degradation for writes and up to 5% for reads.