Overview
Encryption keys are used to encrypt your data in cloud storage. While the Nasuni Edge Appliance user interface can generate and escrow encryption keys, Nasuni recommends that you generate your own encryption keys and upload them to the Nasuni Edge Appliance. That way, you have complete control of your own security. For details of encryption key management, see Encryption Key Best Practices.
You can generate your own encryption keys using any OpenPGP-compatible program, such as GnuPG. The purpose of this guide is to provide Nasuni’s recommendations for generating encryption keys using OpenPGP-compatible programs.
Important: If you introduce an encryption key on Edge Appliance X and add it to “owned” volume 1, and then connect Edge Appliance Y to that same volume 1 as a remote volume, Edge Appliance X automatically shares the encryption key with Edge Appliance Y. It is unnecessary to separately introduce the encryption key to Edge Appliance Y (or any other Edge Appliance that connects to that same volume 1 remotely). Details of the encryption key exchange process are in Key Exchange on Multi-Site Volumes.
OpenPGP and OpenPGP-compatible programs
OpenPGP is an Internet standard that specifies how PGP (Pretty Good Privacy) and similar software must operate for encrypting and decrypting data. The OpenPGP standard is contained in RFC 4880.
GnuPG implements the OpenPGP standard, and is available for different platforms in packages that include Gpg4win, GPGTools, and OpenPGP Studio.
Considerations for generating encryption keys
Regardless of which software you use, there are certain parameters that you must provide, including the following:
Algorithm: the primary key and sub-key category, such as RSA or DSA. Use RSA.
Key size: such as 1024 bits, 2048 bits, or 4096 bits. Keys must be at least 2048 bits long. Nasuni rejects any key that is not at least 2048 bits long.
Expiration: such as 1 year, 2 years, 4 years, 8 years, or no expiration. Nasuni requires no expiration.
Passphrase: long, unguessable collection of letters, numbers, and special characters. Nasuni recommends using a passphrase, which you must remember.
File type: .asc, .gpg, and .pgp are all OpenPGP-compatible file types. Nasuni accepts any OpenPGP-compatible file type.
Generating encryption keys
Each of the third-party encryption key packages is different. In general, these are the steps required:
Create a key pair.
Choose to create a new certificate.
Choose to create a “personal OpenPGP key pair”.
Enter any details required, such as a name, contact information, and comments. These details can be fictitious.
Select the key type or encryption algorithm, such as RSA or DSA. You must use RSA. Nasuni only works with RSA.
Select the key size or key strength. Keys must be at least 2048 bits long. Nasuni rejects any key that is not at least 2048 bits long.
Select the expiration date (also called the expiry date or time until expiration). Nasuni requires no expiration.
Select the certificate usage or key usage. Usually, multiple usages are possible. Ensure that encryption is one of the selected usages.
Enter a passphrase. The passphrase should be a long, unguessable collection of letters, numbers, and special characters. Nasuni recommends using a passphrase. You must manage the passphrase for the encryption key, because when you import the encryption key into Nasuni, you must enter the passphrase.
The key pair is created.
If it is part of your enterprise’s security policy, make a backup of your key pair by downloading the key pair to your computer and safeguarding it.
Generate or export a secret key or encryption key.
Use the key pair that you have just generated.
Select a file type for the secret key file. Nasuni accepts any OpenPGP-compatible file type, such as .asc, .gpg, or .pgp.
The secret key or encryption key file is generated.
You must be able to access this key file in order to upload the encryption key to the Nasuni Edge Appliance.
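The steps above, carried out with GnuPG 2.x from a shell, as an added example that is not Nasuni tooling or part of the original guide. The identity, the 4096-bit key size (the guide requires at least 2048), and the function names are assumptions; the check function reads GnuPG's colon-delimited listing and rejects anything that is not RSA, is under 2048 bits, has an expiration, or cannot encrypt.

```shell
#!/bin/sh
# Added example (not Nasuni tooling): create an RSA OpenPGP key with GnuPG and
# pre-check it against this guide's rules before uploading.
KEY_EMAIL="volume-key@example.invalid"   # placeholder identity (assumption)

# Unattended key-generation parameters. There is no Passphrase line on purpose:
# GnuPG then asks for the passphrase through pinentry instead of reading a file.
keygen_params() {
    cat <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: Volume Key Example
Name-Email: $KEY_EMAIL
Expire-Date: 0
%commit
EOF
}

# Read `gpg --with-colons` records on stdin; exit 0 only if every key and subkey
# is RSA (algorithm 1), at least 2048 bits, never expires, and one can encrypt.
check_key_listing() {
    awk -F: '
        $1 ~ /^(sec|pub|ssb|sub)$/ {
            n++
            if ($4 != 1)   { print "not RSA: " $5; bad = 1 }
            if ($3 < 2048) { print "under 2048 bits: " $5; bad = 1 }
            if ($7 != "")  { print "has expiration: " $5; bad = 1 }
            if ($12 ~ /e/) enc = 1
        }
        END {
            if (!n)        { print "no key records found"; bad = 1 }
            else if (!enc) { print "no encryption-capable key"; bad = 1 }
            exit bad + 0
        }'
}

# Generate the key pair, export the secret key to the given file, verify it.
generate_key() {
    umask 077                               # key file readable by owner only
    keygen_params | gpg --batch --gen-key
    gpg --armor --export-secret-keys "$KEY_EMAIL" > "$1"
    gpg --show-keys --with-colons "$1" | check_key_listing
}

# Runs only when an output path is given, e.g.: sh make-key.sh volume-key.asc
if [ "$#" -ge 1 ]; then generate_key "$1"; fi
```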
Handling encryption keys
After you have generated an encryption key, the result is a file with a .asc, .gpg, or .pgp extension.
After generating your encryption keys, you must store them securely. You can either do this yourself, or use a third-party encryption key management or escrow service. Several of the third-party encryption key software packages above also include encryption key management.
After you upload your encryption key, you can request that Nasuni escrow your encryption key. Nasuni recommends that you take care of your encryption keys yourself, but does provide this service.
Note: If you do not escrow your encryption key with Nasuni, then you must provide your encryption key should you need to recover your data. Without the encryption key, data in the volume cannot be recovered.
Importing encryption keys
To use your encryption keys with the Nasuni Edge Appliance, you must upload or import your encryption keys. You can do this using the Nasuni Edge Appliance user interface, on the Encryption Keys page on the Configuration menu. Alternatively, you can do this using the NMC, on the Filer Encryption Keys page.
For security reasons, encryption keys that you upload cannot be downloaded from the system.
Tip: You can also upload encryption keys using the NMC API. This can be useful for automating tasks and for enhancing security. For more details, see Nasuni API Documentation.
After an encryption key is imported, you can add the encryption key to a volume.
Imported encryption keys are not automatically escrowed. You MUST SAVE all imported encryption keys to another location outside the Nasuni Edge Appliance, so that they are available if needed for recovery. All encryption keys associated with a volume must be recovered as part of the recovery process.
Note: If an uploaded encryption key has an associated passphrase, that passphrase is removed from the encryption key when it is uploaded. The Edge Appliance does not need the passphrase in order to use the encryption key. However, if you do not escrow this encryption key and you ever perform a recovery procedure on the Edge Appliance, you must provide that passphrase when you upload that encryption key during the recovery procedure.