Using AFM with encryption

AFM supports file encryption. Encryption can be applied to AFM-managed filesets.

AFM home sites and cache sites can be enabled with encryption, independent of each other. The data is encrypted while at rest (on disk) and is decrypted on the way to the reader or application that is hosted on home and caches. However, AFM communication between home and cache is not encrypted.

Because file encryption does not protect the data that flows between home and cache filesets, the communication between the clusters must be encrypted explicitly (if the privacy of the data over the network is a concern) by ensuring that a cipher list is configured. To ensure that the data is transmitted in encrypted form, a cipher other than AUTHONLY must be adopted. AES128-GCM-SHA256 is one of the recommended ciphers.

Run the mmauth show command to view the cipher lists that are used to communicate within the local cluster and with the remote clusters. To ensure that all file content on disk and on the network is encrypted, configure file encryption at home and on the caches. Also, configure a cipher list on all the clusters, ensuring that ciphers are configured both within and across clusters. Because of file encryption, the file data is transmitted in encrypted form between NSD clients and servers (in both directions). However, the file metadata and RPC headers are not encrypted by file encryption. Only the use of encrypted communications (a cipher list) ensures that the entire message content gets encrypted.
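The following is an added example, not part of the IBM documentation, that audits the cipher lists reported by mmauth show and flags any cluster still on AUTHONLY (or with no cipher list at all). The mmauth output is a constructed sample with made-up cluster names and SHA digests; the column layout follows the real command, so the same functions can be fed live output on stdin.

```shell
#!/bin/sh
# Constructed sample of `mmauth show all` output (cluster names and digests are
# made up) so the audit can run offline.
SAMPLE_MMAUTH_OUTPUT='Cluster name:        cache.example.com (this cluster)
Cipher list:         AES128-GCM-SHA256
SHA digest:          0123456789abcdef0123456789abcdef01234567
File system access:  (all rw)

Cluster name:        home.example.com
Cipher list:         AUTHONLY
SHA digest:          fedcba9876543210fedcba9876543210fedcba98
File system access:  fs0 (rw)
'

# Read mmauth show output on stdin and print one line per cluster:
# "<cluster name> <cipher list> <OK|WEAK>". AUTHONLY only authenticates the
# peer; it does not encrypt AFM traffic, so it is flagged WEAK, as is an
# empty cipher list.
audit_cipher_lists() {
    awk '
        /^Cluster name:/ { name = $3 }
        /^Cipher list:/ {
            cipher = ($3 == "" ? "(none)" : $3)
            status = (cipher == "AUTHONLY" || cipher == "(none)") ? "WEAK" : "OK"
            print name, cipher, status
        }
    '
}

# Print only the names of clusters whose cipher list leaves traffic in the
# clear. Remediation is `mmauth update <cluster> -l AES128-GCM-SHA256`
# (use "." for the local cluster), run on each side of the AFM relationship.
weak_clusters() {
    audit_cipher_lists | awk '$3 == "WEAK" { print $1 }'
}

# Stand-alone run over the constructed sample; exit 1 if anything is WEAK.
printf '%s' "$SAMPLE_MMAUTH_OUTPUT" | audit_cipher_lists
! printf '%s' "$SAMPLE_MMAUTH_OUTPUT" | weak_clusters | grep -q .
```

On a live system, replace the sample with `mmauth show all | weak_clusters` and treat any output as a finding to fix before relying on file encryption alone.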

If the NFS protocol is used for communication between the home and cache clusters, and privacy of the data over the network is a concern, then to encrypt the NFS transfers you need to set up an encrypted tunnel. If a cluster configured as cache includes an encrypted file system, then all nodes in the cluster, and especially the gateway nodes, require access to the Master Encryption Keys.

For encryption setup, see Encryption.