This topic introduces and briefly defines some basic encryption at rest terminology used in QoreStor documentation.
Term | Description |
---|---|
Passphrase |
A passphrase is a sequence of words or other text used to control access to data, similar to a password in usage, but is generally longer for added security. The QoreStor passphrase is user-defined and is used to generate a passphrase key that encrypts the file in which the content encryption keys are kept. The passphrase is a human readable key, which can be up to 255 bytes in length. It is mandatory to define a passphrase to enable encryption. |
Content encryption key |
The key used to encrypt the data. The content encryption key is managed by the key manager, which operates in either a static mode or an internal mode. The system supports up to a limit of 1023 different content encryption keys. |
Key management mode |
The mode of key lifecycle management as either static or internal. |
Static mode |
A global mode of key management in which a fixed key is used to encrypt all data. |
Internal mode |
A mode of key lifecycle management in which the keys are periodically generated and rotated. The minimum key rotation period before the content encryption key can be rotated and a new key is generated is 7 days. This rotation period is user-configurable and can be specified in days. |
This topic describes key features and considerations of using Encryption at Rest in QoreStor.
The overall steps for how Encryption at Rest is enabled and used in QoreStor are described below.
Encryption is disabled by default on QoreStor. An administrator can enable encryption by using the GUI or CLI.
Encryption is set at the storage group level.
When defining encryption for a storage group, a passphrase is set. This passphrase is used to encrypt the content encryption keys, which adds a second layer of security to the key management. At this time, the mode is also set. The default key management mode is “internal” mode, in which key rotation happens periodically as specified by the set key rotation period.
After encryption is enabled, the data in the storage group that gets backed up is encrypted and is kept encrypted until it is expired and cleaned by the system cleaner. Note that the encryption process is irreversible.
Any pre-existing data will also be encrypted using the currently set mode of key management. This encryption occurs as part of the system cleaner process. Encryption is scheduled as the last action item in the cleaner workflow. You must launch the cleaner manually using the maintenance command to reclaim space. It then encrypts all pre-existing unencrypted data. The cleaner can also be scheduled as per the existing pre-defined cleaner schedule.
|
NOTE: The cleaner can take some time to start the encryption process if the system is nearing full system capacity. Encryption starts only after the cleaner processes data slated for cleaning and the related logs. This ensures that space reclamation is prioritized when free space is low and also ensures that data stores are not redundantly encrypted. |
Refer to theQoreStor Command Line Interface Reference Guide for information about the CLI commands used for encryption.
Using the QoreStor CLI, you can configure email notifications that are sent when a QoreStor Alert occurs. The email alert service is disabled by default, and must be properly configured before the service can be enabled.
To begin using email alerts, peform the actions below :
|
NOTE: Refer to the QoreStor Command Line Reference Guide for more information on using the CLI. |
© ALL RIGHTS RESERVED. Termini di utilizzo Privacy Cookie Preference Center