Working with Storage Keys
Storage keys encrypt data on object storage media only. The article below only applies to AWS S3, Custom S3, and GCP storage. Using storage-level encryption with CloudSoda effectively ensures data remains secure when added, stored, or retrieved from CloudSoda storage. This section details how to generate a storage key, add it to storage and run data movement tests to verify data encryption. Additionally, this section presents best practices for working with storage keys.
Generate a Storage Key
Storage keys are generated using the soda storagekey command and then added to CloudSoda to be available to pair with storage. Currently, CloudSoda supports only AES-256 encryption keys. To generate a storage key:
- Run the soda storagekey command from the CloudSoda agent, with optional parameters for MD5 and SHA256 hashes. One or both hashes can be used to authenticate the storage key against the key value entered in CloudSoda.
soda storagekey --type=aes256 --sha256 --md5
The command returns the storage key and hashes (optional).
key: 792b0fe36b3d12df6c841b336be3b28ee4575976407820bae44188b7ac8a7cef md5 hash: 6686e8e7bfcfde756676e891fc133d23 sha256 hash: a4dc6fe4cd8c6820825c6b39e6914b718f50650728808ac2fbb68dafc1845e1f
-
Securely store the security key. In the next procedure, you will use it to create a storage key in CloudSoda.
IMPORTANT: CloudSoda does not have access to security keys. Once the security key is uploaded into CloudSoda, you cannot retrieve it from the system. We strongly recommend that you use an encryption key management policy to protect, store, organize, and distribute your security keys.
Create the Storage Key
- Click Keys at the top-right of the Storage screen.
- Click Add Key.
The Create a Storage Key dialog box displays.
- Create the storage key.
- In the Name field, enter a name for the storage key.
- In the Key field, paste in the generated storage key.
- Click Save.
- After the storage key is created, it appears in the key list on the Storage screen.
Validate the Storage Key
If you created an MD5 and/or SHA256 hash when the storage key was generated, use the hash to validate the storage key in CloudSoda before moving any data.
- Click Keys at the top-right of the Storage screen
- Select the newly-created storage key.
CloudSoda's MD5 and SHA256 hashes are displayed on the Storage Key screen. - Use the hashes to validate that the storage key entered is the same key string that CloudSoda received.
- Once you have validated the key string, safely secure the storage key. If you cannot verify the storage key against the hashes, delete it from CloudSoda and create a new storage key.
IMPORTANT: Use an encryption key management policy to store the key securely. Do not keep the security key in CloudSoda expecting to retrieve it. We highly recommend hashing the storage key before moving any data with CloudSoda.
Create New Storage and Assign the Storage Key
After creating and hashing the storage key, assign it to storage in CloudSoda. We require using net-new storage with storage keys, the bucket must not have any data in it when you associate a storage key. If CloudSoda storage contains existing data and you add a storage key to that storage, then CloudSoda will only be able to manage the newly-encrypted data. All existing unencrypted data will no longer be accessible to CloudSoda.
Use the Creating Storage and Configuring Storage procedures to create new storage and select a storage key to assign to it. Currently, only AWS S3, GCP, and Custom S3, storage types are compatible with storage keys in CloudSoda.
IMPORTANT: When considering cloud storage types to use, verify that the selected cloud provider is truly compatible with storage keys. Some providers claim compatibility but may not actually work with encrypted data in CloudSoda. After you add storage in CloudSoda and assign a storage key to it, follow the steps in the next procedure to verify storage compatibility.
Verify Data Movement in the New Storage
Verify data movement in the new storage bucket to ensure that data will be encrypted, stored, and decrypted as expected. We strongly recommend that you validate the movement of test data using the storage key with a storage-key compatible cloud storage and CloudSoda before managing live data.
- Use CloudSoda to send test data (one or more files) to the selected storage with an assigned storage key. CloudSoda uses the storage key to encrypt the data on the storage target.
- Have a user attempt to access the test data on the storage target (via CLI or UI). The user should be able to retrieve the files, but they should not be able to read encrypted contents (as long as the storage key is in use and compatible with the storage type and cloud provider). The only way to retrieve the encrypted data through CloudSoda is to use the storage key.
- Use CloudSoda to retrieve the test files from storage and check the downloaded files to confirm they are properly decrypted and readable.
Best Practices for Working with Storage Keys
Follow these best practices when working with storage keys to reduce the risk of data loss.
-
Use net-new storage, no mixed storage
When you create a storage key, plan to use it with net-new storage in CloudSoda. Do not attempt to use the storage key with a hybrid storage bucket containing both encrypted and unencrypted data. CloudSoda cannot manage mixed buckets and all requests to move unencrypted data will fail.
-
Use an encryption key policy to manage storage keys
Use an encryption key management policy to safely store and retrieve your storage keys. CloudSoda does not store encryption keys and it cannot retrieve them.
-
Verify encrypted data movement in CloudSoda storage
Hash the storage key before you assign it to cloud storage in CloudSoda and move test data to validate the encryption behavior before loading any live data into storage.
-
Verify storage provider compatibility
When working with storage keys in CloudSoda, verify that the selected cloud storage provider is truly compatible with storage key encryption by running data movement tests.
Comments
0 comments
Please sign in to leave a comment.