Enabling Storage Encryption

In FileCloud Server version 19.1 and later, if a FIPS-enabled FileCloud license is installed, the Admin Portal provides an option to run FileCloud in FIPS mode.

As an administrator, you can encrypt managed disk storage for compliance and security reasons.

To enable storage encryption:

Before you can enable encryption, you must meet the following requirements:

Requirements

  • Required: Memcached installation
  • Only required if the default path for openssl.cnf has been changed: a custom SSL_CONF_FILE setting, as follows.

Set your custom path to the SSL configuration file by overriding the config value of SSL_CONF_FILE in cloudconfig.php.
By default, SSL_CONF_FILE is set to:

Windows: XAMPP_HOME\php\extras\ssl\openssl.cnf
Linux: /etc/ssl/openssl.cnf

In Windows, for example, if you have XAMPP installed in D:\xampp, then add the following line to cloudconfig.php:
define("SSL_CONF_FILE","D:\\xampp\\php\\extras\\ssl\\openssl.cnf");

By default, the encryption module is not enabled.

You can enable the encryption module in two ways:

  • If FIPS mode is active:
    To ensure FIPS mode is on, enable the FIPS Admin Banner by opening the WEBROOT/config/localstorageconfig.php file and adding the following:
    define("TONIDOCLOUD_FIPS140_ENABLED", 1);

  • If you don't use FIPS mode:
    Edit the WEBROOT/config/localstorageconfig.php file.
    Add the following line:

    Additional Parameter To Enable Encryption
    define("TONIDO_LOCALSTORAGE_INCLUDEENCRYPTION", 1 );

    where:

    Parameter: TONIDO_LOCALSTORAGE_INCLUDEENCRYPTION
    Expected Value: 1
    Additional Notes: 1 - enable encryption for local managed storage; 0 - disable encryption

After you enable the encryption module, the admin portal displays the encryption option.
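A pre-flight check for the two config edits described above, as an added example that is not FileCloud's own code: it reads the text of cloudconfig.php and localstorageconfig.php, ignores commented-out define() lines, and flags a Windows SSL_CONF_FILE path written with single backslashes, which PHP can read as escape sequences inside a double-quoted string. The function names `parse_defines` and `check_config` and the sample inputs are hypothetical, and treating either flag as enabling the module follows this page's "two ways" wording.

```python
import re

# define("NAME", value); value is a quoted string or a bare token such as 1.
DEFINE_RE = re.compile(
    r'''define\(\s*["'](\w+)["']\s*,\s*("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[^)\s]+)\s*\)\s*;''')

def parse_defines(php):
    """Return {name: raw_value} for active define() calls; commented-out ones are ignored."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    active = [l for l in php.splitlines() if not l.lstrip().startswith(("//", "#"))]
    return dict(DEFINE_RE.findall("\n".join(active)))

def check_config(cloudconfig, localstorage):
    """Compare the two config texts with the settings this page describes."""
    cc, ls = parse_defines(cloudconfig), parse_defines(localstorage)
    report = {
        "fips_flag": ls.get("TONIDOCLOUD_FIPS140_ENABLED") == "1",
        "encryption_flag": ls.get("TONIDO_LOCALSTORAGE_INCLUDEENCRYPTION") == "1",
        "ssl_conf_file": None,  # None means the default path applies
        "warnings": [],
    }
    if not (report["fips_flag"] or report["encryption_flag"]):
        report["warnings"].append("encryption module is not enabled")
    raw = cc.get("SSL_CONF_FILE")
    if raw is not None:
        body = raw[1:-1] if raw[0] in "\"'" else raw
        # In a PHP double-quoted string a lone backslash can start an escape
        # sequence (\x.., \e, \n), so Windows paths need doubled backslashes.
        if raw[0] == '"' and "\\" in body.replace("\\\\", ""):
            report["warnings"].append("SSL_CONF_FILE: single backslash in double-quoted path")
        report["ssl_conf_file"] = body.replace("\\\\", "\\")
    return report

# Constructed sample inputs (not taken from a real installation).
GOOD_CLOUD = r'define("SSL_CONF_FILE","D:\\xampp\\php\\extras\\ssl\\openssl.cnf");'
BAD_CLOUD = r'define("SSL_CONF_FILE","D:\xampp\php\extras\ssl\openssl.cnf");'
GOOD_LOCAL = 'define("TONIDO_LOCALSTORAGE_INCLUDEENCRYPTION", 1 );'
OFF_LOCAL = '// define("TONIDO_LOCALSTORAGE_INCLUDEENCRYPTION", 1 );'

if __name__ == "__main__":
    for cloud, local in ((GOOD_CLOUD, GOOD_LOCAL), (BAD_CLOUD, OFF_LOCAL)):
        print(check_config(cloud, local))
```
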

Master Password

If an optional master password is specified, then retain the password for future use.

Without this password the encryption module cannot encrypt or decrypt files in FileCloud storage.

To manage encryption:

  1. Open a browser and log in to the admin portal. 
  2. From the left navigation pane, under SETTINGS, select Settings.
  3. Select the Storage tab and then the My Files sub-tab.
  4. An Encryption option now appears.
  5. To open the Manage Storage Encryption screen, click Manage.

    You can set an optional password.

    • When you set a password while enabling encryption, you may create a recovery key.
    • This recovery key is a private key file, which can be used to reactivate the encrypted filesystem in the case of a lost password.

    If the recovery key option is selected, the recovery key file becomes available only once for download.

    • Once the recovery key is downloaded, the option to download it is not shown again.


  6. To set an optional password, in Encryption Password, type in a strong password.
  7. To perform the necessary initialization of the encryption module, click Enable Encryption.

Once encryption is successfully initialized, another step is necessary if your FileCloud server had existing files in local storage.

If your local storage already contains files:

If there are unencrypted files in the existing storage system, another screen is shown.

  1. Click Encrypt All to encrypt the existing files.
  2. When all the existing files are encrypted, the status window provides you with a Note.


If your local storage doesn't contain pre-existing files:

  • You will not see an Encrypt All button.
  • Your system is already in a fully-encrypted state.