File Fabric integration with external Vault Key Server by HashiCorp (Part 1)

The primary purpose of the File Fabric encryption feature is to protect a user's or company's files on local and remote storage resources, such as Object Storage, Dropbox, Google Drive etc., and to do so in an easy and seamless manner.

When files are encrypted by the File Fabric, users cannot access or share them directly from the storage service. The files need to be accessed through the File Fabric web or app clients, because the key needed to decrypt the data is stored (itself encrypted) on the File Fabric server instance, not alongside the data.

Encryption is an important part of the forthcoming General Data Protection Regulation (GDPR), as it protects personal (and company) data: even if a remote storage service is breached, the encrypted files are unreadable to the attacker, who does not hold the key.

As the encryption keys are stored only on the File Fabric server, data sitting on the storage endpoints cannot be read by anyone who reaches it directly. For companies who deploy the File Fabric on-premises this is a strong data protection solution. Service Providers who deploy the File Fabric in a multi-tenant fashion to many end-user companies, however, needed a way to let their user base manage their own keys if they so desired.

To this end the updated Storage Made Easy File Fabric now supports seamless integration with Vault by HashiCorp. Vault is an enterprise-grade centralised secret management platform which can be used with any application and any infrastructure.

Keys for data encryption and decryption can now be stored in a Vault instance and fetched on demand by the File Fabric as needed, so the key material never has to live on the File Fabric server itself.

Before we get started, you will need to ensure your Vault instance is reachable over HTTPS from the File Fabric server (it does not need to be exposed to the public internet), and you will need your Vault URL along with a Vault authentication token that the File Fabric will use.

Let’s begin

Let's log into your appliance as the File Fabric Team Admin for your organization. Once logged in, select Options from the menu at the top right-hand side of the screen.

Once you are in the organization options screen, you will need to configure the Key Management System settings to point to your Vault instance. To do this, click the Key Management System button, as shown in the picture above.

Change the encryption key management system from Default to Vault, then enter your Vault URL and authentication token. To ensure the connection works, click the Test Settings button. This should give you a pop-up window saying that the connection is OK; if it does not, check that the URL is reachable from the File Fabric server and that the token is valid.

After you have tested the connection and confirmed it is working correctly, click the Set Key Management System button, and that is all there is to it.

You can confirm that the File Fabric is writing its encryption keys to Vault by listing the secrets stored under the KV mount with a simple API call to your Vault server.

# curl https://vault-demo.example.com:8200/v1/secret?list=true   --tlsv1 -k    -H "X-Vault-Token: 6ab11751-590b-d030-bd2b-4f17887deb84"

You will need to change the endpoint above to your Vault URL and the token to your own token. Note that the -k flag tells curl to skip TLS certificate verification, which is only appropriate for a test instance with a self-signed certificate; against a production Vault, pass your CA bundle with --cacert instead so the token is not sent to an unverified server.
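The same two KV (v1) calls from a script, as an added example that is not File Fabric's or HashiCorp's code: list the secret names under the mount (the `?list=true` request the curl one-liner makes) and then read one key on demand, with the server certificate verified against a CA bundle instead of `-k`. The mount name `secret`, the secret path and the field name `value` are assumptions for illustration; the sample JSON responses are constructed here to mirror Vault's KV v1 response shape so the parsing can be exercised offline.

```python
"""Fetch a File Fabric data-encryption key from HashiCorp Vault's KV v1 HTTP API.

Added example, not File Fabric or HashiCorp code.  Assumptions: the KV v1
engine is mounted at secret/, the key lives at secret/<path> under the field
"value", and VAULT_ADDR / VAULT_TOKEN / VAULT_CACERT are set when run live.
"""
import json
import os
import ssl
import urllib.error
import urllib.request


class VaultError(Exception):
    """Raised when Vault refuses the request or returns an unexpected body."""


def _tls_context(cacert):
    # Verify the server certificate against a CA bundle (or the system store
    # when cacert is None) rather than disabling verification as `curl -k` does.
    ctx = ssl.create_default_context(cafile=cacert)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def vault_request(addr, token, path, query="", cacert=None, timeout=5):
    """GET /v1/<path><query> with the X-Vault-Token header; returns (status, body)."""
    url = addr.rstrip("/") + "/v1/" + path + query
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, context=_tls_context(cacert), timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # Vault reports 403 (bad token/policy) and 404 (no such path) as HTTP errors.
        return err.code, err.read()


def _check_status(status):
    if status == 403:
        raise VaultError("permission denied: check the token and its policy")
    if status != 200:
        raise VaultError("unexpected HTTP status %d from Vault" % status)


def parse_list_response(status, body):
    """Turn a GET ?list=true response into the list of secret names.

    A 404 simply means nothing has been written under that path yet."""
    if status == 404:
        return []
    _check_status(status)
    return list(json.loads(body)["data"]["keys"])


def parse_read_response(status, body, field="value"):
    """Extract one field from a KV v1 read response."""
    if status == 404:
        raise VaultError("secret not found")
    _check_status(status)
    data = json.loads(body)["data"]
    if field not in data:
        raise VaultError("field %r missing from secret" % field)
    return data[field]


def list_secrets(addr, token, mount="secret", cacert=None):
    return parse_list_response(*vault_request(addr, token, mount, "?list=true", cacert))


def read_key(addr, token, path, field="value", cacert=None):
    return parse_read_response(*vault_request(addr, token, path, "", cacert), field)


# Constructed sample responses in Vault's KV v1 shape, used for the offline demo.
SAMPLE_LIST_BODY = b'{"data":{"keys":["filefabric-data-key","tenant-b/"]}}'
SAMPLE_READ_BODY = b'{"data":{"value":"c2FtcGxlLWtleS1tYXRlcmlhbA=="}}'


def offline_demo():
    """Parse the constructed samples; returns (names, key) for inspection."""
    names = parse_list_response(200, SAMPLE_LIST_BODY)
    key = parse_read_response(200, SAMPLE_READ_BODY)
    return names, key


if __name__ == "__main__":
    if "VAULT_ADDR" in os.environ:
        addr, token = os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]
        cacert = os.environ.get("VAULT_CACERT")  # path to the CA bundle, not -k
        for name in list_secrets(addr, token, cacert=cacert):
            print(name)
    else:
        print(offline_demo())
```

Run it with `VAULT_ADDR`, `VAULT_TOKEN` and `VAULT_CACERT` exported to list the live mount; without them it parses the constructed samples. The point of separating the parsing from the request is that a 403 (wrong token or policy) and a 404 (empty path) are both normal Vault answers and are handled explicitly rather than surfacing as a generic HTTP exception.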

In summary, the Vault-integrated solution enables customers to store their encryption keys in Vault, whether it runs on-premises or on IaaS clouds such as Amazon AWS, Microsoft Azure, etc.

This concludes Part 1. In Part 2 we will look at best practices for setting up Vault when managing keys.
