Client Side Compression and Encryption
Beginning with StorNext 5 release 5.3, support for Encryption and Compression with Q-Cloud policies has been added. Both client side compression and client side encryption are enforced and configured as a Policy class attribute. To enable client side encryption for a policy class, a master key must be selected. If a master key does not exist, create a master key first. Master keys are created and managed by the command fskey. Refer to the StorNext 5 MAN Pages Reference Guide for the various policy class commands.
fskey adds, modifies and reports master keys used by the client-side encryption feature in the Quantum storage system. The command can also be used to generate a new data protection key associated with a specific master key. A data protection key (DPK) encrypts data content before it is uploaded to object storage when client-side encryption is enabled, while master keys are used to wrap (encrypt) data protection keys.
A master key’s content is derived from a user-supplied passphrase. Each master key has a unique name. This unique key name can be assigned to a particular policy if the client-side encryption feature is enabled for this policy. The key content of a master key can be changed by providing a new passphrase. In this case, a new master key instance is created. The old instance is then removed after all data protection keys wrapped by the old instance are rewrapped by the new instance.
For additional information, see Tools > Storage Manager > Client-side Encryption.
The qcloud_audit utility generates a per-device-key file containing a CSV list of files stored to Q-Cloud in the given output directory. Execute the command qcloud_audit -h to display a list of arguments and the usage description of the tool.
The CSV list contains the following for each file stored to Q-Cloud:
Displays the path from the relation point to the file.
Displays the name of the file.
Displays the ID of the file owner.
Displays the encryption type:
Displays the name of the bucket where the file is stored.
Displays the object ID of the file.
Displays the time-stamp of the file's last modification in the form:
Displays the time-stamp when the Q-Cloud copy batch was completed in the form:
For example, execute the following command:
The command generates a CSV file titled "Qcloud_1.audit" (assume the device key is 1). The content of the file contains information similar to the following:
path2, file2, 456, 1, bucket1, 000002, 07-09-2015:19:24:13, 07-09-2015:19:24:54
path3, file3, 789, 2, bucket1, 000003, 07-09-2015:19:24:13, 07-09-2015:19:24:54
Note: The time required to complete the command is directly proportional to the number of files stored to Q-Cloud.
Note: The output of the Q-cloud audit log can reach up to 6GB per million copies stored. Ensure your system contains sufficient storage space before running the audit process.
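The following is an added example, not part of the StorNext documentation or tooling: a streaming check over the qcloud_audit CSV that tallies objects per bucket and encryption-type code and lists objects whose code differs from the one the operator expects. The column names, the expected_code parameter and the sample rows are assumptions; the meaning of each encryption-type value is not shown on this page, so the expected value must be taken from the qcloud_audit reference.

```python
import csv
import io
from collections import Counter

# Column names are assumptions; the page describes eight columns without headings.
FIELDS = ["path", "name", "owner_id", "enc_type", "bucket",
          "object_id", "mtime", "copy_time"]

# Constructed sample rows in the layout of the page's example output.
SAMPLE = (
    "path2, file2, 456, 1, bucket1, 000002, 07-09-2015:19:24:13, 07-09-2015:19:24:54\n"
    "path3, file3, 789, 2, bucket1, 000003, 07-09-2015:19:24:13, 07-09-2015:19:24:54\n"
    "path4, file4, 789, 1, bucket2, 000004, 07-09-2015:19:25:02, 07-09-2015:19:25:40\n"
    "path5, file5, 789, bucket2, 000005\n"  # constructed malformed row
)


def check_encryption(stream, expected_code):
    """Stream an audit file and compare each row's encryption-type code.

    Returns (tally, mismatches, malformed):
      tally      - Counter keyed by (bucket, enc_type)
      mismatches - (bucket, object_id, path, name, enc_type) where code != expected_code
      malformed  - line numbers whose column count is not 8 (e.g. a comma in a path)
    """
    tally, mismatches, malformed = Counter(), [], []
    # Rows are read one at a time, so a multi-GB audit file is not loaded whole.
    for lineno, row in enumerate(csv.reader(stream, skipinitialspace=True), 1):
        if not row:
            continue
        if len(row) != len(FIELDS):
            malformed.append(lineno)
            continue
        rec = dict(zip(FIELDS, (col.strip() for col in row)))
        tally[(rec["bucket"], rec["enc_type"])] += 1
        if rec["enc_type"] != expected_code:
            mismatches.append((rec["bucket"], rec["object_id"],
                               rec["path"], rec["name"], rec["enc_type"]))
    return tally, mismatches, malformed


if __name__ == "__main__":
    # For a real file: open("Qcloud_1.audit", newline="") instead of StringIO.
    tally, mismatches, malformed = check_encryption(io.StringIO(SAMPLE), "1")
    for (bucket, code), count in sorted(tally.items()):
        print(f"{bucket} enc_type={code}: {count}")
    print("unexpected encryption type:", mismatches)
    print("malformed lines:", malformed)
```

Rows reported as malformed were not checked at all, so review them rather than discarding them.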
Beginning with StorNext 5 release 5.3, with compression and encryption for Q-Cloud devices, you can request to view compression and encryption usage information. The compression and encryption usage information is reported by the command
Execute the command fsobjinfo to generate the compression and encryption usage report. The command fsobjinfo produces a summary usage report for object store media. Object store usage is summarized based on object store media ID and policy class ID. Reported usage can be limited to the optionally specified set of policy class IDs or object store media IDs.
In order to generate accurate reports, existing Q-Cloud Archive usage must be accounted for. The usage information in the filecomp table must be populated in the classobj_info tables. The command qcloud_migrate.pl provides the capability; execute the command qcloud_migrate.pl after you upgrade your system to StorNext 5 release 5.3 (or later).
The full path of the command is:
Note: Your system will operate normally without execution of the
- You can execute the command anytime after an upgrade to StorNext 5 release 5.3 (or later).
- Execute the command
- The compression and encryption usage report may not be accurate if your system contains existing Q-Cloud Archive devices.
- If your system does not contain existing Q-Cloud Archive devices, do not execute the command