Creating a Symmetric key
In the Key Store section, the Symmetric Keys tab allows you to encrypt internal files with a symmetric key.
Encryption is managed at Storage Class level. Files are encrypted with a symmetric key specified in the Key Store for the Cluster associated with the Storage Class. A Storage Class for each Cluster must be configured.
The key will be associated only with the Storage Class of the selected cluster – this is the reason why a Storage Class for each Cluster must be set. When configuring the key, you will specify the cluster associated with the Storage Class. The symmetric key will be created or imported in the Key Store.
Symmetric encryption with AES format is supported. The algorithm is a 16-byte keys and keys are managed with the Secure Store in the Key Store section.
Encrypted filenames have an EAR (Encryption at rest) prefix and a hash.
The file keeps its original dimension when encrypted.
For security reasons, each Customer is responsible for its own keys, which will have to be created for each Cluster.
To create a Symmetric Key, follow these steps:
- Click Setup → Key Store → Symmetric Keys tab.
- In the SELECT CLUSTER drop-down list select a cluster.
- Click the New button – or the Import button to upload an already existing key.
-
In the New Symmetric Key window, enter the KEY NAME, select the KEY SIZE (128, 192, 256: the longer the key, the higher its quality) and the ALGORITHM (right now only AES is supported).
-
Click Confirm to create your key, which will be listed in the Symmetric Keys tab.
For security reasons, it is suggested to create a different key for each cluster.
The created key can now be associated with an empty Storage class. VFS and files must NOT be associated with the Storage Class when associating the key – if they are, the menus will be read-only.
To associate the key with an empty Storage Class, follow these steps:
-
Go to Setup > Storage Classes and edit a Storage Class (or click the New Storage Class button).
-
In the new Clusters and Symmetric Keys drop-down lists, select the Cluster associated with the Storage Class and the symmetric key you have created. Now the Storage Class is associated with the key.
Note that if the menus are read-only, some files are already associated with the Storage Class. Remember that it must be empty to associate a Symmetric Key.
- Click the Save button. From now on, all the files in the Storage Class will be encrypted.
Warnings!
- Once a key is associated with the Storage class, it cannot be edited or removed because the files would become unreadable.
- Once a Storage Class is associated with a VFS, with or without files, the key will no longer be editable. If you delete a key referenced from VFS, it cannot be recovered.
In the Storage Class window, the new Clusters and Symmetric keys menus are read-only if the Storage Class is already associated with a VFS or with files. This is a common scenario with Customers where Storage Classes are already defined.
Updated 9 months ago