Encryption Key Best Practices

Summary of Best Practices Recommendations

The best practices for managing encryption keys for the Nasuni Edge Appliance include the following:

  • If your enterprise has existing OpenPGP-compatible encryption keys that you want to use to encrypt your data, do the following:

    • Upload your encryption keys to the Nasuni Edge Appliance. All uploaded encryption keys must be at least 2048 bits long.
      You can generate your own encryption keys using any OpenPGP-compatible program, such as Gpg4win, GPGTools, and OpenPGP Studio. (For security reasons, encryption keys that you upload cannot be downloaded from the system.) For details, see Generating Encryption Keys.

    • Safeguard your encryption keys with at least one, if not all, of the following options:

      • Safeguard your original encryption key files with your own encryption key management system.
        Many tools for generating encryption keys also include functions for managing the encryption keys, such as Gpg4win, GPGTools, and OpenPGP Studio.
        Warning: Do NOT save encryption key files to a volume on a Nasuni Edge Appliance. You will NOT be able to use this to recover data. This is NOT how to upload encryption keys to a Nasuni Edge Appliance. To upload encryption keys to a Nasuni Edge Appliance, from the Configuration menu, select Encryption Keys.

      • Escrow your uploaded encryption keys with Nasuni. You must create an escrow passphrase in order to do this. Your escrow passphrase enables you to perform a recovery procedure.

      • Safeguard your original encryption key files with a trusted third-party escrow service.

  • If you use the encryption keys that the Nasuni Edge Appliance generates, do the following:

    • Generate encryption keys during volume creation. You must create an escrow passphrase in order to do this. Your escrow passphrase enables you to perform a recovery procedure.
      Important: The time to generate an encryption key can vary widely, depending on the hardware (real or virtual) that the Nasuni Edge Appliance is executing on. Encryption keys are generated in the background, so as to not block use of the Nasuni Edge Appliance during generation.

    • Download the generated encryption keys from the Nasuni Edge Appliance.

    • Safeguard your encryption keys with at least one, if not both, of the following options:

      • Safeguard your original encryption key files with your own encryption key management system. Many tools for generating encryption keys also include functions for managing encryption keys, such as Gpg4win, GPGTools, and OpenPGP Studio.
        Warning: Do NOT save encryption key files on a volume on a Nasuni Edge Appliance. You will NOT be able to use this to recover data.

      • Safeguard your original encryption key files with a trusted third-party escrow service.

    • Be aware that all generated encryption keys are automatically escrowed with Nasuni.

  • Download and safeguard encryption keys whenever you create a new volume on the Nasuni Edge Appliance for which you have used the Nasuni Edge Appliance to generate a new encryption key.

  • If you share volumes across multiple Nasuni Edge Appliances using the Remote Access feature, use the "custom" setting to explicitly grant access to only specific Edge Appliances. Do not simply select "Read/Write" or "Read Only" to apply to all Edge Appliances.

Introduction

The Nasuni Edge Appliance automatically encrypts your data using the OpenPGP encryption protocol at your premises before transmitting data to cloud storage. Your data remains encrypted in cloud storage. You control the encryption keys to encrypt and decrypt your data.

At least one encryption key must be enabled for a volume, but several encryption keys can be enabled at the same time. When multiple encryption keys are enabled, all of the encryption keys enabled at the time are used to encrypt the data. Any of the encryption keys enabled at the time a piece of data is encrypted can be used to later decrypt the data. Only the encryption keys enabled when the data was written can decrypt that data. An encryption key that was enabled after the data was written cannot decrypt any data that was written before that key was enabled.

While this security feature ensures that only you can access your data, you must manage your encryption keys properly. For example, if you ever need to perform a disaster recovery procedure on your Nasuni Edge Appliance, you MUST have all of the encryption keys for ALL volumes owned by that Nasuni Edge Appliance in order to successfully regain access to your data.

The Nasuni Edge Appliance offers a number of features that help you to manage your encryption keys. However, you must be proactive about safeguarding your encryption keys, because not all of these features are automatic.

Important: If you introduce an encryption key on Edge Appliance X and add it to “owned” volume 1, and then connect Edge Appliance Y to that same volume 1 as a remote volume, Edge Appliance X automatically shares the encryption key with Edge Appliance Y. It is unnecessary to separately introduce the encryption key to Edge Appliance Y (or any other Edge Appliance that connects to that same volume 1 remotely). Details of the encryption key exchange process are in Key Exchange on Multi-Site Volumes.

Generating Your Own Encryption Keys

Nasuni recommends creating and uploading your own encryption keys. You can generate your own encryption keys using any OpenPGP-compatible program, such as Gpg4win, GPGTools, and OpenPGP Studio. You can then add (import or upload) the encryption key to the Nasuni Edge Appliance. All uploaded encryption keys must be at least 2048 bits long. (For security reasons, encryption keys that you upload cannot be downloaded from the system.) For details, see Generating Encryption Keys.
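As an added example (not Nasuni's code), a pre-flight check that parses an OpenPGP key file, binary or ASCII-armored, and reports the size of every key and subkey so a key that falls short of the 2048-bit upload minimum is caught before it is imported. The sample packets are constructed with dummy numbers and are not real keys; the check covers RSA, DSA and ElGamal sizes and reports ECC keys as unsized.

```python
import base64
KEY_TAGS = {5: "secret-key", 6: "public-key", 7: "secret-subkey", 14: "public-subkey"}
MIN_BITS = 2048   # uploaded keys shorter than this are rejected by the appliance

def dearmor(data):
    """Return the binary packet stream from a binary or ASCII-armored (RFC 4880 6.2) key file."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data                                   # already a binary packet stream
    lines = [ln.strip() for ln in data.decode("latin-1").splitlines()]
    body = lines[lines.index("") + 1:]                # a blank line ends the armor headers
    b64 = [ln for ln in body if ln and not ln.startswith(("=", "-----END PGP"))]  # skip CRC24, trailer
    return base64.b64decode("".join(b64))

def packets(stream):
    """Yield (tag, body) per packet, handling old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(stream):
        ctb = stream[i]
        if ctb & 0x40:                                # new format: tag in the low 6 bits
            tag, first = ctb & 0x3F, stream[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + stream[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(stream[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                         # old format: tag in bits 5..2, length type in bits 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packets are not supported")
            n = 1 << ltype                            # 1, 2 or 4 length octets
            length, i = int.from_bytes(stream[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, stream[i:i + length]
        i += length

def key_bits(body):
    """Bit length of a v4 key packet's first MPI: RSA modulus n, or p for DSA/ElGamal; None for ECC."""
    if body[0] != 4:
        raise ValueError("only v4 key packets are supported")
    if body[5] not in (1, 2, 3, 16, 17):              # algorithm octet follows version + creation time
        return None
    nbytes = (int.from_bytes(body[6:8], "big") + 7) // 8
    mpi = body[8:8 + nbytes].lstrip(b"\x00")
    return (len(mpi) - 1) * 8 + mpi[0].bit_length()  # actual size, not the declared MPI count

def check_key_file(data):
    """Size of every key/subkey in the file, the smallest, and whether the upload minimum is met."""
    sizes = [(KEY_TAGS[t], key_bits(b)) for t, b in packets(dearmor(data)) if t in KEY_TAGS]
    known = [b for _, b in sizes if b is not None]
    if not known:
        raise ValueError("no RSA/DSA/ElGamal key packet found")
    return {"sizes": sizes, "min_bits": min(known), "ok": min(known) >= MIN_BITS}

# Constructed sample packets with dummy numbers (not real keys) so the check runs offline.
def fake_rsa_packet(bits, tag=6, old_format=False):
    n = b"\x80" + b"\x5a" * (bits // 8 - 1)           # top bit set, so n is exactly `bits` long
    body = b"\x04\x00\x00\x00\x00\x01" + bits.to_bytes(2, "big") + n + b"\x00\x11\x01\x00\x01"
    if old_format:                                    # 0x99 = old-format tag 6, two-octet length
        return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body
    return bytes([0xC0 | tag, 0xFF]) + len(body).to_bytes(4, "big") + body

def fake_armor(stream):                               # "=AAAA" is a placeholder for the CRC24 line
    b64 = base64.b64encode(stream).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n{b64}\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n".encode()

GOOD_KEY = fake_armor(fake_rsa_packet(2048, old_format=True) + fake_rsa_packet(4096, tag=14))
WEAK_KEY = fake_rsa_packet(2048, old_format=True) + fake_rsa_packet(1024, tag=14)  # weak subkey
```

Run check_key_file on the exported file before uploading; a subkey below the minimum is reported even when the primary key is large enough.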

You can specify that you do not want Nasuni to generate any of your encryption keys. This ensures that your data is encrypted only with encryption keys that you upload. If you specify this, you must upload all the encryption keys used. Specifically, when creating a volume, you cannot select Create New Key as the source of the volume encryption key. If you want to specify that Nasuni not generate encryption keys, request Nasuni Support to disable key generation in your license.

Similarly, you can specify that you do not want Nasuni to escrow encryption keys. If you specify this, you must manage your own encryption keys, because Nasuni does not manage them. Even if you specify this, you can still have Nasuni generate encryption keys, and any encryption keys that Nasuni generates are still automatically escrowed. If you want to specify that Nasuni not escrow encryption keys, contact Nasuni Support.

To ensure that none of your encryption keys are escrowed with Nasuni, you must specify both that Nasuni not generate encryption keys and that Nasuni not escrow encryption keys.

Escrow Passphrase

To perform a recovery procedure on your Nasuni Edge Appliance, you MUST have all the encryption keys for ALL volumes owned by that Nasuni Edge Appliance in order to successfully regain access to your data. This means that, if Nasuni is escrowing any of your encryption keys, one of the following must occur:

  • You must have created an escrow passphrase.

  • You must have all of your encryption keys available, including the encryption keys escrowed with Nasuni.

  • You must contact Nasuni and verify your identity so that Nasuni can issue a special one-time-use recovery key.

The escrow passphrase must contain only ASCII printable characters (no Unicode) and cannot exceed 511 characters.
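As an added example (not Nasuni's code), a check that an escrow passphrase meets the two constraints above before it is set, for instance when setting passphrases on many Edge Appliances through the NMC API. It reports the first offending character, which makes a curly quote or a tab pasted from a document easy to spot.

```python
import string

MAX_LEN = 511                                            # limit stated for the escrow passphrase
ALLOWED = set(string.printable) - set("\t\n\r\x0b\x0c")  # ASCII printable: space through '~'

def check_escrow_passphrase(passphrase):
    """Return (ok, reason); reason names the first violation so it can be fixed before submission."""
    if not passphrase:
        return False, "empty passphrase"
    if len(passphrase) > MAX_LEN:
        return False, f"{len(passphrase)} characters exceeds the {MAX_LEN}-character limit"
    for pos, ch in enumerate(passphrase):
        if ch not in ALLOWED:                            # catches Unicode and control characters
            return False, f"character U+{ord(ch):04X} at position {pos} is not ASCII printable"
    return True, "ok"
```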

To create an escrow passphrase on the Nasuni Edge Appliance:

  1. From the Configuration menu, select Encryption Keys. The Encryption Keys page appears.

  2. Click Set Escrow Passphrase. Enter an escrow passphrase.

    Note: An escrow passphrase can be updated anytime the Edge Appliance is online. Passphrase changes become effective immediately.

To create an escrow passphrase for Nasuni Edge Appliances on the NMC:

  1. From the Filers menu, select Escrow Passphrase. The Filer Escrow Passphrase page appears.

  2. Select the Edge Appliances, then click Edit Filers. Enter an escrow passphrase.

To create an escrow passphrase for the NMC on the NMC:

  1. From the Console Settings menu, select Encryption Keys. The Encryption Keys page appears.

  2. Select the Edge Appliances, then click Set NMC Escrow Passphrase. Enter an escrow passphrase.

You can also create an escrow passphrase for Nasuni Edge Appliances using the NMC API.

Considerations for escrow passphrase management

Consider the following points about managing escrow passphrases:

  • Ideally, you should plan escrow passphrase management before you upgrade to version 9.3, which makes an escrow passphrase necessary.

  • The Nasuni Administrator is asked (and reminded) to set an escrow passphrase for each Nasuni Edge Appliance. Each new Nasuni Edge Appliance also requires an escrow passphrase.

  • Your IT team should consider in advance what the escrow passphrases should be, and where to store the escrow passphrases safely until needed. You can make the escrow passphrases the same or different. You can change the escrow passphrases whenever you choose.

  • Your IT team should establish a standard operating procedure for handling the escrow passphrases. You should decide who should have access to the escrow passphrases and who has permission to set or change the escrow passphrases.
    When you upgrade to version 9.3, the following users have the permission to set escrow passphrases:

    • Superusers.

    • Users with the “Add and delete volumes” permission or the “Manage all aspects of volumes” permission.

Three Options for Safeguarding Encryption Keys

You have three options for safeguarding your encryption keys, each with advantages and disadvantages:

  • Safeguard your encryption keys yourself: You can keep your encryption keys in a secure location. One advantage of this option is that your encryption keys are directly under your control. One disadvantage is that you must develop and maintain your own system of encryption key management.
    Many tools for generating encryption keys also include functions for managing the encryption keys, such as Gpg4win, GPGTools, and OpenPGP Studio.

    Warning: Do NOT save encryption key files on a volume on a Nasuni Edge Appliance. You will NOT be able to use this to recover data.

  • Escrow encryption keys with Nasuni: You can escrow your encryption keys with Nasuni. Your encryption key is protected on Nasuni servers using the same security practices that we use for our own encryption keys, including access limited to necessary personnel.
    Escrowing an encryption key with Nasuni means that you can perform a recovery procedure (which requires all of your encryption keys for all volumes owned by the Edge Appliance) by either:

    • Providing your escrow passphrase during the recovery procedure.

    • Contacting Nasuni to obtain a one-time-use recovery key. You must have the correct name, company, address, phone number, and email address for your Nasuni.com account before Nasuni can provide a one-time-use recovery key.

    One advantage of this option is that it is simple to perform and can offer greater recovery assurance if your internal encryption key management process is less mature or has not been assessed for completeness. One disadvantage is that your encryption keys are not directly under your sole control.

    Keys generated on an Edge Appliance are always escrowed by Nasuni. If you want to prevent this automatic escrow, you can request that key generation be disabled on your Edge Appliances.

    Caution: Any time a third party has access to your encryption keys, they could be less secure.

  • Escrow your encryption keys with a trusted third-party service: You can entrust your encryption keys to a trusted third-party escrow service. One advantage of this option is that you do not have to develop and maintain your own system of encryption key management. One disadvantage is that you must depend on the third-party service when you want to access your encryption keys.

    Caution: Any time a third party has access to your encryption keys, they could be less secure.

You should consider all three options and decide which option makes the most sense for your enterprise, for both security and convenience. Utilizing multiple options can increase the assurance levels for recovering encryption keys, but will also decrease the assurance of the confidentiality of encryption keys. These factors must be uniquely balanced based on your organization’s risk management profile.

Two Sources of Encryption Keys

There are two sources for the encryption keys that the Nasuni Edge Appliance uses:

  • Uploaded encryption keys: If your enterprise has existing OpenPGP-compatible encryption keys that you want to use to encrypt your data, you can upload them to the Nasuni Edge Appliance. You can generate OpenPGP-compatible encryption keys using tools such as Gpg4win, GPGTools, and OpenPGP Studio. For details, see Generating Encryption Keys.
    You have three options for safeguarding uploaded encryption keys:

    • Escrow uploaded encryption keys with Nasuni. You must create an escrow passphrase in order to do this. Your escrow passphrase enables you to perform a recovery procedure.

    • Safeguard your encryption key files yourself.

    • Escrow your encryption key files with a trusted third party.

    All uploaded encryption keys must be at least 2048 bits long.

    Warning: You cannot later download encryption keys from the Nasuni Edge Appliance that have previously been uploaded, so it is essential that you safeguard the original encryption key files.

  • Generated encryption keys: When you create a volume, you have the option of having the Nasuni Edge Appliance create (generate) a new encryption key for that volume. You must create an escrow passphrase in order to do this. Your escrow passphrase enables you to perform a recovery procedure.

    Important: The time to generate an encryption key can vary widely, depending on the hardware (real or virtual) that the Nasuni Edge Appliance is executing on. Encryption keys are generated in the background, so as to not block use of the Nasuni Edge Appliance during generation.

    Generated encryption keys are automatically escrowed with Nasuni. You have two additional options for safeguarding generated encryption keys:

    • Download generated encryption keys and safeguard the encryption key files yourself.

    • Download generated encryption keys and escrow the encryption key files with a trusted third party.

    Warning: After performing a disaster recovery procedure on a Nasuni Edge Appliance, you can no longer download generated encryption keys. For this reason, you should download generated encryption keys and safeguard them before it is necessary to perform a disaster recovery.

    Note: Any encryption key escrowed with Nasuni remains escrowed, regardless of whether the encryption key was uploaded as part of a disaster recovery process.

Nasuni Edge Appliance Features for Managing Encryption Keys

The Nasuni Edge Appliance offers several features for managing encryption keys, using the Nasuni Edge Appliance itself, or using the Nasuni Management Console if the Nasuni Edge Appliance is under the control of the Nasuni Management Console.

Automatic escrow of generated encryption keys

When you create a volume, you have the option of having the Nasuni Edge Appliance create (generate) a new encryption key for that volume. Generated encryption keys are automatically escrowed with Nasuni. You must create an escrow passphrase in order to do this. Your escrow passphrase enables you to perform a recovery procedure.

Important: The time to generate an encryption key can vary widely, depending on the hardware (real or virtual) that the Nasuni Edge Appliance is executing on. Encryption keys are generated in the background, so as to not block use of the Nasuni Edge Appliance during generation.

Uploading your existing encryption keys

If your enterprise has existing OpenPGP-compatible encryption keys that you want to use to encrypt your data, you can upload them to the Nasuni Edge Appliance. All uploaded encryption keys must be at least 2048 bits long. (For security reasons, encryption keys that you upload cannot be downloaded from the system.)

Tip: You can also upload encryption keys using the NMC API. This can be useful for automating tasks and for enhancing security. For more details, see Nasuni API Documentation.

On the Nasuni Edge Appliance, to upload an encryption key:

  1. From the Configuration menu, select Encryption Keys. The Encryption Keys page appears.

  2. Click Upload Encryption Key(s). The Import OpenPGP Key(s) page appears.

  3. Click Choose File, then navigate to the encryption key file. This file should be OpenPGP-compatible.
    Caution: The maximum length of a file name is 255 bytes. In addition, the length of a path, including the file name, must be less than 4,000 bytes. Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary. If a particular client has other limits, the smaller of the two limits applies.

  4. Click Import Key. The encryption key is imported to the Nasuni Edge Appliance.

The uploaded encryption key is now available to assign to a volume.

On the Nasuni Management Console, to upload an encryption key:

  1. Click Filers, then select Encryption Keys. The Filer Encryption Keys page appears.

  2. Click Upload Encryption Keys. The Import Key(s) dialog box appears.

  3. Select the managed Nasuni Edge Appliances to which you want to upload the encryption key.

  4. Click Choose File, then navigate to the encryption key file. This file should be OpenPGP-compatible.
    Caution: The maximum length of a file name is 255 bytes. In addition, the length of a path, including the file name, must be less than 4,000 bytes. Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary. If a particular client has other limits, the smaller of the two limits applies.

  5. Click Import Key. The encryption key is imported to the Nasuni Edge Appliance.

The uploaded encryption key is now available to assign to a volume on the selected managed Nasuni Edge Appliances. (For security reasons, encryption keys that you upload cannot be downloaded from the system.)

Escrowing uploaded encryption keys with Nasuni

You can escrow your uploaded encryption key with Nasuni.

Tip: You must create an escrow passphrase in order to do this. Your escrow passphrase enables you to perform a recovery procedure.

Note: Generated encryption keys are automatically escrowed with Nasuni.

On the Nasuni Edge Appliance, to escrow an uploaded encryption key with Nasuni:

  1. From the Configuration menu, select Encryption Keys. The Encryption Keys page appears.

  2. For the encryption key that you want to escrow with Nasuni, click “Escrow key with Nasuni”. The “Escrow your encryption key with Nasuni” page appears.

  3. Enter a Username (case-sensitive) and Password (case-sensitive) that has permission to perform this operation.

  4. Click Escrow Key. Your encryption key is escrowed with Nasuni.

The escrowed encryption key is now available from Nasuni whenever you need it.

On the Nasuni Management Console, to escrow an uploaded encryption key with Nasuni:

  1. Click Filers, then select Encryption Keys. The Filer Encryption Keys page appears.

  2. For the encryption key that you want to escrow with Nasuni, click Escrow Key with Nasuni. The Escrow Encryption Key dialog box appears.

  3. Enter a Username (case-sensitive) and Password (case-sensitive) that has permission to perform this operation.

  4. Click Escrow Key. Your encryption key is escrowed with Nasuni.

The escrowed encryption key is now available from Nasuni whenever you need it.

Downloading generated encryption keys (to safeguard or escrow)

You can download generated encryption keys, either to safeguard encryption keys yourself or to escrow encryption keys with a trusted third party.

On the Nasuni Edge Appliance only, to download a generated encryption key:

  1. From the Configuration menu, select Encryption Keys. The Encryption Keys page appears.

  2. Click Download Generated Keys. Depending on your browser, a message box may appear; if so, navigate to an appropriate folder and save this file. The file containing the encryption key is saved with a .pgp extension.

    Caution: The maximum length of a file name is 255 bytes. In addition, the length of a path, including the file name, must be less than 4,000 bytes. Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary. If a particular client has other limits, the smaller of the two limits applies.

The file containing the generated encryption key is now available for you either to safeguard yourself or to escrow with a trusted third party.

Warning: Do NOT save encryption key files on a volume on a Nasuni Edge Appliance. You will NOT be able to use this to recover data.

Encryption Keys and Remote Access

When using the Remote Access feature of a Nasuni Edge Appliance, a given volume is made available for access on multiple Edge Appliances. To make this work, the encryption key for the volume must be replicated to the other Edge Appliances selected to have access. This replication is performed securely by encrypting that volume’s encryption key with a key specific to each Edge Appliance, which Nasuni does not have access to. To ensure that this key is not transmitted to an unintended Edge Appliance, you should explicitly select those Edge Appliances to be given access to the volume, and thus the associated key, rather than automatically allowing any Edge Appliance on the account to be given access.

You do this by selecting “custom” when configuring Remote Access Permissions, not Read Only or Read/Write.

Best Practices

Based on the two sources of encryption keys, and the three options for safeguarding encryption keys, the best practices for managing encryption keys for the Nasuni Edge Appliance are summarized at the beginning of this document.

Conclusion

Safeguarding your encryption keys is a necessary part of securing your data. Make sure that you have either escrowed your encryption keys with Nasuni, downloaded and safeguarded your encryption keys yourself, or escrowed your encryption keys with a trusted third party. Utilizing multiple methods can serve to increase the assurance of recovering encryption keys, but reduces the confidentiality assurance due to multi-party encryption key distribution. Depending on your unique risk profile, you can adjust your approach to best balance these considerations.