(DARE) Data-At-Rest Encryption in CentreStack

Administrators can create Tenants and enable Data-At-Rest Encryption (DARE). Once it is enabled, it ensures that Tenant data is secured and also encrypted in Cloud storage. This ensures that no one other than the Tenants and its Users will be able to read the contents of the files from the Cloud storage directly.

NOTICE:

• DARE can only be enabled on an empty tenant. If the tenant already contains data, enabling DARE will not encrypt the existing data. It will only encrypt data uploaded after that. Users can not read existing data anymore.
• Please keep the key safe. If you lost the key and the Centrestack server crashes, no one can read the encrypted data. 

Setup DARE when creating a new tenant

As cluster admin on web portal, under Tenant Manager, create a new tenant.

After type in the tenant admin information, click CONTINUE

To enable DARE for the tenant, check the setting 'Show Data-At-Rest Encryption configuration on page (Requires empty storage container)', in tenant Advanced settings. Click CONTINUE.

After setup the tenant's backend storage, the tenant is created. Keep in mind the backend storage selected for the tenant should be empty.

After the tenant is created, login as tenant admin on web portal.

In the very first login, Centrestack will confirm the tenant's backend storage is empty. Then it shows the DARE setup page. If the storage contains existing data, the DARE setup page will not show.

In DARE Setup, check 'Enable data at rest encryption' and specify the DARE password. Please keep the password safe. Once specified, it is encrypted and stored in the database. We don't have a way to decrypt it. The password is useful if Centrestack server crashes and you need to rebuild the service.

Encrypt tenant when it already contains data

Once a tenant is created and data uploaded, cannot enable DARE to the tenant. Enabling DARE will not encrypt the existing files.

If cluster admin has to enable DARE for an existing tenant, the only option is to migrate the tenant's backend storage to a new location. During the migration, can enable DARE. It is not suggested to do that for a large tenant.

To migrate the backend storage for a tenant, login as Cluster Admin on web portal. Edit the tenant. Go to tenant Settings, Folder & Storage. Here, see Backend Storage on the top right corner. Select 'Migrate to new storage'.

Follow the migration wizard to setup the new storage. In the migration summary, enable 'Change data-at-rest encryption Setting', then check 'Enable Data-at-Rest Encryption'. Specify the DARE key and click CONTINUE.

Finish the migration wizard.

Once the migration is setup, on tenant Settings, Folder & Storage, Background Tasks, see the migrate task here. Once the task finishes, the whole tenant's data is migrated to the new location, with DARE enabled.

The storage migration may take some time. In the process, all users under the tenant should not upload any files to the cloud. Have to plan it carefully.