“With Qumulo making industry-standard AES-256 encryption a standard in their solution, I never need to worry about if my data is at risk.”
– Hanoz Elavia, Storage Administrator at Atomic Cartoons.
Inherent in every Qumulo system, and implemented by default, are a pair of controls intended to ensure the security of all data from corruption, loss, or intrusion at the level of the media the data is written on.
Software-based data encryption at rest
The first of these features automatically encrypts all data on an on-premises Qumulo cluster as it is written to disk, using an AES 256-bit compliant algorithm, so that the data remains secured against bad actors even if they are able to gain physical access to the disk itself.
For on-premises deployments, software encryption is part of the file system stack. The encryption algorithm initializes as part of the initial cluster build process, and encompasses all file system data and metadata at the block level.
Keys are used to encrypt data, as well as to encrypt data keys themselves. A master key is utilized and stored on every boot drive in the cluster, in a file that only root can access, adding an extra layer of security.
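The key hierarchy described above (a master key that encrypts data keys, which in turn encrypt data), shown as an added example that is not Qumulo's code. The AES-256-GCM mode, the per-block data key, the record layout and all function names are assumptions. It also goes one step beyond the page to show a general property of such hierarchies: replacing the master key re-wraps the data key without touching the encrypted data.

```javascript
const crypto = require("node:crypto");

// seal: AES-256-GCM under a 32-byte key, returns iv(12) || tag(16) || ciphertext.
// GCM is an assumption; the page names only AES-256.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}

// open: reverses seal; throws if the key is wrong or the blob was altered.
function open(key, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Write path: a fresh data key encrypts the block, the master key encrypts
// (wraps) that data key. Only the wrapped key and ciphertext reach the disk.
function writeBlock(masterKey, data) {
  const dataKey = crypto.randomBytes(32);
  return { wrappedKey: seal(masterKey, dataKey), ciphertext: seal(dataKey, data) };
}

// Read path: unwrap the data key with the master key, then decrypt the block.
function readBlock(masterKey, rec) {
  return open(open(masterKey, rec.wrappedKey), rec.ciphertext);
}

// General property of key hierarchies (not a statement about the product):
// changing the master key only re-wraps the data key.
function rewrap(oldMaster, newMaster, rec) {
  const dataKey = open(oldMaster, rec.wrappedKey);
  return { wrappedKey: seal(newMaster, dataKey), ciphertext: rec.ciphertext };
}

// Constructed demo input.
const demoMaster = crypto.randomBytes(32);
const demoRec = writeBlock(demoMaster, Buffer.from("constructed block contents"));
console.log(readBlock(demoMaster, demoRec).toString());
```

A record read without the correct master key fails authentication in `open`, which is why the protection of the master key file determines the strength of the whole scheme.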
Qumulo clusters in the cloud rely on block-level encryption within the cloud-storage layer, thereby ensuring that all at-rest data on any Qumulo instance is fully encrypted regardless of location.
FIPS 140-2 compliant encryption
While data encryption at rest is a standard component of nearly every enterprise platform, not all encryption algorithms are engineered to the same standard. Many enterprises, including government agencies and customers in some regulated industries, require compliance with Federal Information Processing Standards (FIPS) as a core component of their security policies.
Qumulo’s software-based encryption module is certified as compliant with FIPS 140-2 requirements. For enterprise customers that require FIPS-compliant data services, the Qumulo security module that includes at-rest data encryption is bundled and versioned separately from the rest of the software stack. This will allow these customers to upgrade their Qumulo firmware separately from the security module and maintain their FIPS-compliant status.
For more information about Qumulo’s at-rest data encryption and FIPS compliance, please see the Software-based encryption section in the Appendix at the end of this document.
If FIPS-compliant data services are required for cloud-based Qumulo deployments, please refer to the cloud vendor’s specific statements regarding their FIPS status.
Learn more
- Download the latest Security Architecture and Practices white paper
- Read Part 1 of the Qumulo ransomware blog series: How to Use Qumulo’s Built-in Security Controls for Data Protection
- Read Part 2 of the Qumulo ransomware blog series: How to Use Qumulo’s Built-in Security Controls for Data Protection
- Read Part 3 of the Qumulo ransomware blog series: Recovering from Ransomware Attacks