Using AFM with encryption

AFM supports file encryption. Encryption can be applied to AFM-managed filesets.

AFM home sites and cache sites can be enabled with encryption, independent of each other. The data is encrypted while at rest (on disk) and is decrypted on the way to the reader/application hosted on home and caches; however, AFM communication between home and cache is not encrypted.

Because file encryption does not protect the data flowing between home and cache filesets, communication between the clusters must be encrypted explicitly (if the privacy of the data over the network is a concern) by ensuring that a cipher list is configured. To ensure that the data is transmitted in encrypted form, a cipher other than AUTHONLY must be adopted; AES128-GCM-SHA256 is one of the recommended ciphers. Run the mmauth show command to view the cipher lists used to communicate within the local cluster and with the remote clusters.

To ensure that all file content on disk and on the network is encrypted, configure file encryption at home and on the caches, and also configure a cipher list on all the clusters, ensuring that ciphers are configured both within and across clusters. Even though file encryption results in the data being transmitted in encrypted form between NSD clients and servers (in both directions), neither file metadata nor RPC headers are encrypted. Only the use of encrypted communications (a cipher list) ensures that the entire message content gets encrypted.
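As an added check that is not part of the IBM documentation: a small POSIX shell script that parses mmauth show output and flags any cluster whose cipher list is still AUTHONLY or empty. The field labels and layout it parses are an assumption about the command's output format, and the sample output embedded below is constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added example (not IBM code): audit the cipher list that "mmauth show"
# reports for the local cluster and each remote cluster, and flag entries
# that still use AUTHONLY (integrity only, no encryption) or have no cipher
# list at all. The output layout parsed here is an assumption; adjust the
# awk patterns if your version prints different labels.

# Constructed sample of "mmauth show" output (not captured from a real cluster).
SAMPLE_MMAUTH_OUTPUT='Cluster name:        home.example.com (this cluster)
Cipher list:         AUTHONLY
SHA digest:          <placeholder>
File system access:  (all rw)

Cluster name:        cache.example.com
Cipher list:         AES128-GCM-SHA256
SHA digest:          <placeholder>
File system access:  fs1 (rw, root allowed)'

# Read mmauth output on stdin; print one line per cluster: "<name> <cipher list>".
cipher_pairs() {
    awk '
        /^Cluster name:/ { sub(/^Cluster name:[ \t]*/, ""); sub(/ \(this cluster\)$/, ""); name = $0 }
        /^Cipher list:/  { sub(/^Cipher list:[ \t]*/, ""); print name, ($0 == "" ? "EMPTY" : $0) }
    '
}

# Return 0 if every cluster has an encrypting cipher list, 1 if any cluster
# is AUTHONLY or has no cipher list. Offending cluster names go to stderr.
check_cipher_lists() {
    bad=$(cipher_pairs | awk '$2 == "AUTHONLY" || $2 == "EMPTY" { print $1 }')
    if [ -n "$bad" ]; then
        printf 'cipher list does not encrypt for: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample. On a real cluster, pipe the
# output of "mmauth show" into check_cipher_lists instead.
if printf '%s\n' "$SAMPLE_MMAUTH_OUTPUT" | check_cipher_lists; then
    echo "all cipher lists encrypt traffic"
else
    echo "reconfigure the cipher list on the flagged clusters"
fi
```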