Client Side Compression and Encryption

Beginning with StorNext 5 release 5.3, support for Encryption and Compression with Q-Cloud policies has been added. Both client side compression and client side encryption are enforced and configured as a Policy class attribute. To enable client side encryption for a policy class, a master key must be selected. If a master key does not exist, create a master key first. Master keys are created and managed by the command fskey. Refer to the StorNext 5 MAN Pages Reference Guide for the various policy class commands.

For example:

  • fsaddclass
  • fsmodclass
  • fsrmclass
  • fsclassinfo
  • fskey

The command fskey adds, modifies and reports master keys used in the client-side encryption feature in the Quantum storage system. The command can also be used to generate a new data protection key associated with a specific master key. A data protection key (DPK) is used to encrypt data content before it is uploaded to an Object Storage when the client-side encryption is enabled, while master keys are used to wrap (encrypt) data protection keys.

A master key’s content is derived from a user-supplied passphrase. Each master key has a unique name. This unique key name can be assigned to a particular policy if the client-side encryption feature is enabled for this policy. The key content of a master key can be changed by providing a new passphrase. In this case, a new master key instance is created. The old instance is then removed after all data protection keys wrapped by the old instance are rewrapped by the new instance.

For additional information, see Tools > Storage Manager > Client-side Encryption.

The qcloud_audit utility generates a peer device key file containing CSV list of files stored to Q-Cloud in the given output directory. Execute the command qcloud_audit -h to display a list of arguments and the usage description of the tool.

The CSV list contains the following for each file stored to Q-Cloud:

Parameter Description

Path

Displays the path from the relation point to the file.

Name

Displays the name of the file.

Owner

Displays the ID of the file owner.

Entype

Displays the encryption type:

  • 0 for none
  • 1 for server
  • 2 for client

Namespace

Displays the name of the bucket where the file is stored.

Objid

Displays the object ID of the file.

Modtime

Displays the time-stamp of the file's last modification in the form:

mm-dd-yyyy:hh:mm:ss

Addtime

Displays the time-stamp when the Q-Cloud copy batch was completed in the form:

mm-dd-yyyy:hh:mm:ss

For example, execute the following command:

qcloud_audit -o /var/tmp

The command generates a CSV file titled "Qcloud_1.audit" (assume the device key is 1). The content of the file contains information similar to the following:

path1, file1, 123, 0, bucket1, 000001, 07-09-2015:19:24:13, 07-09-2015:19:24:54

path2, file2, 456, 1, bucket1, 000002, 07-09-2015:19:24:13, 07-09-2015:19:24:54

path3, file3, 789, 2, bucket1, 000003, 07-09-2015:19:24:13, 07-09-2015:19:24:54

Note: The time required to complete the command is directly proportional to the number of files stored to Q-Cloud.

Note: The output of the Q-cloud audit log can reach up to 6GB per million copies stored. Ensure your system contains sufficient storage space before running the audit process.

Beginning with StorNext 5 release 5.3, with compression and encryption for Q-Cloud devices, you can request to view compression and encryption usage information. The compression and encryption usage information is reported by the command fsobjinfo.

Execute the command fsobjinfo to generate the compression and encryption usage report. The command fsobjinfo produces a summary usage report for object store media. Object store usage is summarized based on object store media ID and policy class ID. Reported usage can be limited to the optionally specified set of policy class IDs or object store media IDs.

In order to generate accurate reports, existing Q-Cloud Archive usage must be accounted for. The usage information in the filecomp table must be populated in the filecomp_obj and classobj_info tables. The command qcloud_migrate.pl provides the capability; execute the command qcloud_migrate.pl after you upgrade your system to StorNext 5 release 5.3 (or later).

The full path of the command is: /usr/adic/TSM/util/install/qcloud_migrate.pl

Note: Your system will operate normally without execution of the qcloud_migrate.pl command.

  • You can execute the command anytime after an upgrade to StorNext 5 release 5.3 (or later).
  • Execute the command qcloud_migrate.pl only once.
  • The compression and encryption usage report may not be accurate if your system contains existing Q-Cloud Archive devices.
  • If your system does not contain existing Q-Cloud Archive devices, do not execute the command
    qcloud_migrate.pl.