Elastic Cloud Storage (ECS)

Version 3.0

Security Configuration Guide

302-003-224
05
Copyright © 2013-2017 Dell Inc. or its subsidiaries. All rights reserved.

Published April 2017

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.“ DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED
IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.
Published in the USA.

Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com

2 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide

CONTENTS

Figures 5

Tables 7

Chapter 1 Security Configuration Settings 9

Overview.....................................................................................................10
User authentication.....................................................................................10
Default accounts............................................................................ 10
Authentication configuration..........................................................10
Configuring an authentication provider.......................................... 10
Administrator group in geo-federated deployments........................ 11
User authorization....................................................................................... 11
User roles........................................................................................11
System Admin.................................................................................11
System Monitor.............................................................................. 11
Namespace Admin..........................................................................12
Lock Admin.................................................................................... 12
ECS pre-provisioned user accounts............................................................ 12
ECS Regulatory Compliance certifications and standards........................... 12
Compliance certifications (verified by Cohasset Associates, Inc.)....
12
How ECS meets Compliance regulations with ECS security features
.......................................................................................................13
ECS port assignments.................................................................................15
Ports to open for NFSv3 UNIX clients............................................15
ECS nodes to ECS nodes in other sites.......................................... 15
ECS nodes to network infrastructure............................................. 15
Web service clients to ECS nodes.................................................. 16
Management access to ECS nodes................................................ 16
Management access to ECS nodes' RMM ports.............................17
ESRS and xDoctor ports.................................................................17
Port assignments for systems with Network Separation................ 18
Network encryption.................................................................................... 19
Data security settings................................................................................. 19
Data at Rest Encryption (D@RE)............................................................... 20

Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide 3

CONTENTS

4 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide

FIGURES

1 Enable Compliance on a new namespace in the ECS Portal.........................................14

2 Data Encryption Using System Generated Keys......................................................... 24
3 Encryption of the Master Key in a Geo-replicated Environment................................. 25

Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide 5

FIGURES

6 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide

TABLES

1 Default user accounts and password...........................................................................10

2 Supported external authentication methods............................................................... 10
3 ECS nodes to ECS nodes in other sites....................................................................... 15
4 ECS nodes to network infrastructure..........................................................................15
5 Web service clients to ECS nodes............................................................................... 16
6 Management access to ECS nodes............................................................................. 16
7 RMM dedicated ports..................................................................................................17
8 Dedicated ESRS and xDoctor ports.............................................................................17
9 Designated Data network ports................................................................................... 18
10 Designated Management network ports......................................................................19
11 Designated Replication network ports.........................................................................19

Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide 7

TABLES

8 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide

CHAPTER 1
Security Configuration Settings

l Overview............................................................................................................ 10
l User authentication............................................................................................ 10
l User authorization............................................................................................... 11
l ECS pre-provisioned user accounts.................................................................... 12
l ECS Regulatory Compliance certifications and standards...................................12
l ECS port assignments........................................................................................ 15
l Network encryption............................................................................................ 19
l Data security settings.........................................................................................19
l Data at Rest Encryption (D@RE).......................................................................20

Security Configuration Settings 9

Security Configuration Settings

Overview
This guide provides an overview of security configuration settings available to ensure
the secure operation of ECS.

User authentication
User authentication settings control the process of verifying an identity claimed by a
user for accessing the product.
ECS authenticates users logging in at the administration interface and Web-services
users. It ensures that authenticated users are able to perform only the actions for
which they have permissions through role or through object ACLs and UIDs.

Default accounts
Table 1 Default user accounts and password

User account Password Description

root ChangeMe Default root user account. It
can be used to access the
portal and is, by default,
assigned to the System Admin
role. Upon initial login, the
root user will be prompted to
change the default password.

Authentication configuration
To enable a flexible security configuration, ECS supports user management through
the authentication providers described in the following table.

Table 2 Supported external authentication methods

Authentication Description
method
LDAP As a best practice, the Active Directory filter should be configured so
only a system administrator can log in.
Active Directory
ECS supports groups for AD.

Configuring an authentication provider

To ensure that a user or group is uniquely identifiable, when configuring a single
authentication provider that spans multiple domains it is advisable to use an attribute
which uniquely identifies the group.
For example, the common name can be used if the name attribute is unique for all
items within the group.

10 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide

 Security Configuration Settings

Administrator group in geo-federated deployments

It is recommended that you have more than one System Admin user or group located
in distinct domains in a geo-distributed environment. If a domain in a geo-distributed
environment becomes unavailable, and all System Admin users or groups are located
on that domain, then access to all System Adminusers users or groups are not
accessible.

User authorization
User authorization settings control rights or permissions that are granted to a user or
group to access a resource managed by the product.

User roles
ECS defines roles to determine the operations that a user account can perform at the
ECS Portal or when accessing ECS using the ECS Management REST API.
Management users and groups can be assigned to administration roles in ECS and can
be either local users or domain users. Roles can also be assigned to Active Directory
group names.
The following management roles are defined:
l System Admin on page 11
l Namespace Admin on page 12

System Admin
The System Admin role can configure ECS and specify the storage used for the object
store, how the store is replicated, how tenant access to the object store is configured,
and which users have permissions on an assigned namespace.
The System Admin can also configure namespaces and perform namespace
administration, or can assign a user who belongs to the namespace as the Namespace
Admin.
The System Admin has access to the ECS Portal and system administration operations
can also be performed from programmatic clients using the ECS Management REST
API.
Because management users are not replicated across site, a System Admin must be
created at each VDC that requires one.

System Monitor
The System Monitor role can view all ECS Portal data, but cannot make any changes.
The System Monitor role can view all ECS Portal data, but cannot provision the ECS
system. The monitor cannot create, update, or delete storage pools, replication
groups, namespaces, buckets, users and so on through the portal or ECS management
API. Monitors cannot modify any other portal setting except their own passwords.
Because management users are not replicated across sites, a System Monitor must be
created at each VDC that requires one.

Administrator group in geo-federated deployments 11

Security Configuration Settings

Namespace Admin
The Namespace Admin is a management user who can access the ECS Portal and can
assign local users as object users for the namespace and create and manage buckets
within the namespace. Namespace Admin operations can also be performed using the
ECS Management REST API.
A Namespace Admin can only be the administrator of a single namespace.
Because authentication providers and namespaces are replicated across sites (they
are ECS global resources), a domain user who is a Namespace Admin can log in at any
site and perform namespace administration from that site.
Local management accounts are not replicated across sites, so a local user who is a
Namespace Admin can only log in at the VDC at which the management user account
was created. If you want the same username to exist at another VDC, the user must
be created at the other VDC. As they are different accounts, changes to a same-
named account at one VDC, such as a password change, will not be propagated to the
account with the same name at the other VDC.

Lock Admin
The Lock Admin is a management user who can lock and unlock nodes.
The Lock Admin is a role that allows the user to lock and unlock nodes from the ECS
Portal or the ECS Management API. "Locking" a node is the ability to disable remote
SSH access to the nodes. The Lock Admin is a pre-provisioned local user called
emcsecurity. The Lock Admin can only change their passwords and lock and unlock
nodes. The Lock Admin role cannot be assigned to another user.

ECS pre-provisioned user accounts

Describes pre-provisioned ECS Portal and ECS Management API accounts and pre-
provisioned node-level accounts.
On installation, ECS creates accounts to allow for the initial and ongoing configuration
of the product. There are two types of accounts:
l Accounts allowing system access with the ECS Portal and the ECS Management
API (user accounts)
l Accounts allowing access to the operating system of the ECS nodes (node
accounts)

ECS Regulatory Compliance certifications and standards

Compliance certifications (verified by Cohasset Associates, Inc.)

The ECS Appliance meets the storage requirements for the following standards, as
certified by Cohasset Associates, Inc.:
l Securities and Exchange Commission (SEC) in regulation 17 C.F.R. § 240.17a-4(f)
l Commodity Futures Trading Commission (CFTC) in regulation 17 C.F.R. § 1.31(b)-
(c)
See the intensive, 27-page Assessment Report that outlines how the ECS Appliance
meets the required industry and federal certifications:

12 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide

 Security Configuration Settings

Dell EMC Elastic Cloud Storage (ECS: SEC 17a-4(f) and CFTC 1.31(b)-(c)
Compliance Assessment
You may obtain the report from:
https://www.emc.com/collateral/white-papers/ecs-sec-assessment-cohasset.pdf

How ECS meets Compliance regulations with ECS security features

This section describes ECS features that address the following government and
industry standards for the storage of electronic records:
l Platform hardening: Guards against common security vulnerabilities.
l Policy-based record Retention: Limits the ability to change retention policies for
records under retention.
l Compliance reporting: Periodic reporting by a system agent records the system's
Compliance status.

Platform hardening and Compliance

Describes the ECS security features supporting Compliance standards.
ECS platform security features:
l Root access to nodes is disabled; that is, no logins to the root account are
permitted.
l ECS customers can access nodes through the admin account which is established
at install time.
l Authorized admin account users run commands on nodes using sudo.
l There is full audit logging for sudo commands.
l ESRS provides the ability to shutdown all remote access to nodes. In ESRS Policy
Manager, set the Start Remote Terminal action to Never Allow.
l All unnecessary ports, like ftpd , sshd, and so on are closed.
l The ECS Lock Admin (login: emcsecurity) can lock nodes in a cluster. This
means that remote access over the network by SSH is disabled. The Lock Admin
can then unlock a node to allow for remote maintenance activities or other
authorized access. (Node locking does not affect authorized ECS Portal or ECS
Management API users.) See the ECS Administrator's Guide for information on
locking and unlocking nodes.

Compliance and retention policy

Describes enhanced rules for record retention on a compliance-enabled ECS system.
ECS has object retention features enabled or defined at the object-, bucket-, and
namespace-level. Compliance strengthens these features by limiting changes that can
be made to retention settings on objects under retention. Rules include:
l Compliance is enabled at the namespace-level. This means that all buckets in the
namespace must have a retention period greater than zero. For CAS, buckets with
zero retention can be created, provided that the Enforce Retention Information
in Object setting is enabled.
l Compliance can only be enabled on a namespace when the namespace is created.
(Compliance cannot be added to an existing namespace.)
l Compliance cannot be disabled once enabled.

How ECS meets Compliance regulations with ECS security features 13

Security Configuration Settings

l All buckets in a namespace must have a retention period greater than zero.

Note

If you have an application that assigns object-level retention periods, do not use
ECS to assign a retention period greater than the application retention period. This
action will lead to application errors.
l A bucket with data in it cannot be deleted regardless of its retention value.
l Using the Infinite option on a bucket mean objects in the bucket in a Compliance-
enabled namespace can never be deleted.
l The retention period for an object cannot be deleted or shortened. Therefore, the
retention period for a bucket cannot be deleted or shortened.
l Object and bucket retention periods can be increased.
l No user can delete an object under retention. This includes users with the CAS
privileged-delete permission.
Figure 1 Enable Compliance on a new namespace in the ECS Portal

14 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide

 Security Configuration Settings

Compliance agent
Describes the operation of the Compliance agent.
Compliance features are all enabled by default, except for Compliance monitoring. If
monitoring is enabled, the agent periodically logs a message to a thread.

Note

Make arrangements with Customer Support to enable Compliance monitoring.

Monitoring messages are available by command from the node. They do not appear in
the ECS Portal.

ECS port assignments

To deploy and operate ECS in a multi-site environment, specific ports must be opened
in the customer's firewall. The customer's network administrator must make sure
these firewall rules are in place.

Ports to open for NFSv3 UNIX clients

Open the following NFSv3 ports to enable file access from the NFS UNIX clients to
ECS nodes.
l Port 111
l Port 2049
l Port 10000
It's important to note:
l You must open these three ports in both directions for both TCP and UDP.
l The ECS firewall already has these open but anything between the ECS and client
should be modified.

ECS nodes to ECS nodes in other sites

Table 3 ECS nodes to ECS nodes in other sites

Port Protocol Direction Description

9094 TCP Bi-directional Geo Receiver (HTTP)

9096 TCP Bi-directional Data (HTTP)

ECS nodes to network infrastructure

Table 4 ECS nodes to network infrastructure

Port Proto Direction Description

col
25 TCP Outbound from ECS SMTP

ECS port assignments 15

Security Configuration Settings

Table 4 ECS nodes to network infrastructure (continued)

Port Proto Direction Description

col
53 TCP Outbound from ECS DNS

123 UDP Outbound from ECS NTP

389 TCP Outbound from ECS Active Directory

636 TCP Outbound from ECS Active Directory (SSL)

Web service clients to ECS nodes

Table 5 Web service clients to ECS nodes

Port Protoc Direction Description

ol
3218 TCP Bi-directional CAS API

3218 UDP Bi-directional CAS API

9020 TCP Inbound to ECS S3 Object API over HTTP

9021 TCP Inbound to ECS S3 Object API over HTTPS

9022 TCP Inbound to ECS ATMOS Object API over HTTP

9023 TCP Inbound to ECS ATMOS Object API over HTTPS

9024 TCP Inbound to ECS Swift Object API over HTTP

9025 TCP Inbound to ECS Swift Object API over HTTPS

9040 TCP Inbound to ECS HDFS Service

Management access to ECS nodes

Table 6 Management access to ECS nodes

Port Protoc Direction Description

ol
22 TCP Inbound to ECS SSH

80 TCP Inbound to ECS ECS Portal

443 TCP Inbound to ECS ECS Portal

4443 TCP Inbound to ECS ECS Management API

16 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide

 Security Configuration Settings

Management access to ECS nodes' RMM ports

Note

Management access is for ECS configuration, management, and for ESRS support. If
you connect directly to the same subnet as the ECS Appliance network, you can
ignore the ports for management access.

Table 7 RMM dedicated ports

Port Protoc Direction Description

ol
80 TCP Inbound to ECS RMM GUI

443 TCP Inbound to ECS RMM GUI

5120 TCP Inbound to ECS RMM Virtual CD-ROM

5123 TCP Inbound to ECS RMM command

7578 TCP Inbound to ECS RMM command

ESRS and xDoctor ports

Table 8 Dedicated ESRS and xDoctor ports

Port Protocol Direction Description

21 TCP Outbound from ECS Used by ConnectEMC
to ESRS Gateway on ECS 2.1.x and
below

25 TCP Outbound from ECS Used by ConnectEMC

to ESRS Gateway on ECS 2.1.x.
Used by xDoctor on
ECS 2.2 and later

443 TCP Outbound from ECS Used by ConnectEMC

to ESRS Gateway on ECS 2.1.x and
below

9443 TCP Outbound from ECS ESRS V3 Gateway on

to ESRS Gateway ECS 2.2 and later

22 TCP Inbound from ESRS ssh

Gateway to ECS scp
sftp

80 TCP Inbound from ESRS ECS UI http

Gateway to ECS

443 TCP Inbound from ESRS ECS UI https

Gateway to ECS

Management access to ECS nodes' RMM ports 17

Security Configuration Settings

Table 8 Dedicated ESRS and xDoctor ports (continued)

Port Protocol Direction Description

4443 TCP Inbound from ESRS ECS Management API
Gateway to ECS

Port assignments for systems with Network Separation

When ECS network traffic has been configured to use multiple purpose-specific
networks, port assignments will be the same, but the network the port is assigned to
will be different. Make sure your firewalls are configured to recognize these networks
and ports. The tables in this section identify the ports used for the:
l Data network
l Management network
l Replication network

Data network ports

Table 9 Designated Data network ports

Port Protocol Direction Description

22 TCP Inbound to ECS SSH

3218 TCP Bi-directional CAS API

3218 UDP Bi-directional CAS API

9020 TCP Inbound to ECS S3 Object API over

HTTP

9021 TCP Inbound to ECS S3 Object API over

HTTPS

9022 TCP Inbound to ECS ATMOS Object API

over HTTP

9023 TCP Inbound to ECS ATMOS Object API

over HTTPS

9024 TCP Inbound to ECS Swift Object API

over HTTP

9025 TCP Inbound to ECS Swift Object API

over HTTPS

9040 TCP Inbound to ECS HDFS Service

18 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide

 Security Configuration Settings

Management network ports

Table 10 Designated Management network ports

Port Protocol Direction Description

22 TCP Inbound to ECS SSH

25 TCP Outbound from ECS SMTP

53 TCP Outbound from ECS DNS

80 TCP Inbound to ECS ECS Portal

123 UDP Outbound from ECS NTP

389 TCP Outbound from ECS Active Directory

443 TCP Inbound to ECS ECS Portal

636 TCP Outbound from ECS Active Directory

(SSL)

4443 TCP Inbound to ECS ECS Management

API

Replication network ports

Table 11 Designated Replication network ports

Port Protocol Direction Description

22 TCP Inbound to ECS SSH

9094 TCP Bi-directional Geo Receiver

(HTTP)

9096 TCP Bi-directional Geo Data (HTTP)

Network encryption
The WAN connection from a node to a remote virtual data center node should be
encrypted using an HTTPS connection. Using another type of connection could result
in data exposure.

Data security settings

Data security settings enable definition of controls to prevent data permanently stored
by the product to be disclosed in an unauthorized manner.
When securing a federated deployment, it is advisable to configure the following:
l Ensure all traffic is encrypted across your data centers.
l Ensure all data leaving your data center from ECS is encrypted.

Network encryption 19
Security Configuration Settings

l Enable IP address whitelisting to ensure only authorized IP addresses are allowed

to access the geo-replication service.

Data at Rest Encryption (D@RE)

Describes ECS support for data-at-rest encryption (D@RE) which is also known as
server-side encryption.
D@RE support
Data at Rest Encryption (D@RE) is simple, low-touch server-side encryption. It
supports enterprises and service providers seeking to protect sensitive data on
storage media. It is a required feature in financial and healthcare uses cases needing
regulatory compliance.
D@RE has the following features:
l Supports FIPS-140-2 Level 1 compliance using an AES 256-bit encryption
algorithm.
l Easily enabled through the ECS Portal or ECS REST Management APIs.
l Can be applied at the namespace and bucket level with transitivity.
l Not all buckets or objects need be encrypted within a specific namespace.
l Supports Amazon S3 Server Side Encryption (SSE) constructs which allow for
object encryption and user-supplied keys.
l Each namespace, bucket, and object has an associated key auto-generated at
creation.
l Keys are segregated between namespaces.
l All user data will be encrypted inline before being stored on ECS commodity
drives.
l There is no limit on the number of namespaces and buckets that can be encrypted.

Note

All nodes in the system must be running ECS Version 2.2 or greater to enable D@RE
server-side encryption.

Note

The ECS D@RE implementation encrypts all customer data that resides on the
storage system including any user metadata (applicable to S3 and Swift users)
associated with objects. System metadata such as timestamps, object location
information, access control lists, object and bucket names are not included in the
scope of data-at-rest encryption. Names of objects and buckets are excluded from
D@RE because their encryption would impact indexing of the data, which is required
for object listing and prefix-based operations in ECS.

20 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide

 Security Configuration Settings

Note

Using encryption with metadata search: When encryption is used on a bucket, object
metadata keys that are indexed are stored in non-encrypted form, so it is always
possible to perform metadata searches on encrypted buckets. Where the encryption
was performed using system-supplied keys, the object metadata returned by a query
will be decrypted and shown in text form. However, if the data was encrypted using a
user-supplied encryption key, metadata that is not indexed will still be encrypted when
returned by a metadata search query as the user encrypted keys cannot be provided
via the query.

Licensing
ECS Software distribution is available in two forms: one with D@RE and one without.
EMC recommends all users have the ECS software with D@RE except where D@RE is
not lawful. For customers who should have access to D@RE, the ECS license file will
also include D@RE. Wen this license is applied to the appropriate ECS Software
distribution, the feature will be initialized and available.

Note

D@RE feature controls in the ECS Portal are visible and enabled only if:
l ECS Software with D@RE is installed
l The license file applied to the ECS Software includes D@RE support
l All nodes are running ECS Version 2.2 or greater.
Similarly, the above criteria must be met to use D@RE related ECS Management APIs.

ECS Portal support

The Create Namespace and Create Bucket pages include a Server Side Encryption
On/Off control. Server-side encryption can only be enabled during namespace or
bucket creation and cannot be enabled or disabled later.
ECS Management API support
Enable encryption using the following ECS Management APIs:
l object_bucket_create with the <is_encryption_enabled>true</
is_encryption_enabled> parameter
l object_namespace_create with the <is_encryption_enabled>true</
is_encryption_enabled> parameter
The following example shows an object_bucket_create example:

>POST /object/bucket HTTP/1.1

> "<object_bucket_create> <name>bucket_for_test</name>
<vpool>urn:storageos:ReplicationGroupInfo:b3bf2d47-d732-457c-bb9b-
d260eb53a76b:global</vpool>
<filesystem_enabled>false</filesystem_enabled> <head_type>s3</
head_type> <namespace>s3</namespace>
<is_encryption_enabled>true</is_encryption_enabled>
<is_stale_allowed>false</is_stale_allowed> <retention>100</
retention> </object_bucket_create>

Encryption cannot be enabled or disabled on an existing bucket.

Data at Rest Encryption (D@RE) 21

Security Configuration Settings

Get bucket or namespace info to check encryption state. Example:

> GET /object/bucket/bucket_for_test/info?namespace=s3 HTTP/1.1>

User-Agent: curl/7.28.1
> Host: somehost.emc.com:4443
<?xml version="1.0" encoding="UTF-8" standalone="yes"?
><bucket_info><name>bucket_for_test</name>
<api_type>S3</api_type><block_size>-1</block_size><owner>root</
owner>
<compliance_enabled>false</
compliance_enabled><created>2015-10-22T21:14:52.440Z</created>
default_group_dir_read_permission>
<default_group_dir_write_permission>false</
default_group_dir_write_permission>
<default_group_file_execute_permission>false</
default_group_file_execute_permission>
<default_group_file_read_permission>false</
default_group_file_read_permission>
<default_group_file_write_permission>false</
default_group_file_write_permission>
<default_retention>100</default_retention><fs_access_enabled>false</
fs_access_enabled>
<is_encryption_enabled>true</is_encryption_enabled>
<is_stale_allowed>false</is_stale_allowed><locked>false</locked>
<search_metadata><search_enabled>false</search_enabled></
search_metadata>

S3 API support for D@RE includes these object-level encryption abilities:

l Create an S3 bucket with encryption enabled
l Create, update, or read an encrypted object with a system-generated key
l Create, update, or read an encrypted object with a user-supplied key
l Check the GETresponse to see the encryption status
Example with user-supplied key:

> PUT /foobucket/fooobject HTTP/1.1

> User-Agent: curl/7.28.1
>Host: somehost.emc.com:9021
> Authorization: AWS user1:rYXxrNSrIW2d+apG3MjU4sAAzVs
> x-amz-server-side-encryption:AES256
>Content-Length: 15536

> PUT /foobucket/fooobject HTTP/1.1

> User-Agent: curl/7.28.1
>Host: somehost.emc.com:9021
>x-amz-server-side-encryption-customer-algorithm:AES256
> x-amz-server-side-encryption-customer-key-MD5:w79dwNhAgGtXei9fHOb
+Gw==
> Content-Length: 15536
> Expect: 100-continue

Key management
There are two types of keys:
l User-supplied keys with the S3 API headers
l Randomly generated, hierarchically structured system keys
With the S3 API, encryption keys can be specified in the header. If the encryption
header has the key provided, then encryption of the object is done with the user-
supplied key. ECS validates that the key provided for update, appends, and reads is
the same as the key used for object creation. If the encryption header does not

22 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide

 Security Configuration Settings

provide a key and the object still requires encryption, then ECS uses a system-
generated key to encrypt the data.
System-generated keys at each level are auto-generated and encrypted using the key
of its immediate parent. The master key is encrypted by utilizing asymmetric public-
private encryption in which both the public and private keys are used to encrypt and
decrypt the master key.

Note

D@RE does not restrict caching of unencrypted encryption keys in memory, but
ensures that plain text keys are never persisted on disk.

System-generated keys at each level are auto-generated and encrypted using the key
of its immediate parent. The master key is encrypted by utilizing asymmetric public-
private encryption. The public and private keys are used to encrypt and decrypt the
master key. Keys are generated and encrypted in a hierarchical order:
l Public-Private Key pair – a pair of public-private keys generated for each ECS
system. The private key is stored in the system root disk of the node and the
public key is stored with the master key on the ECS commodity disks.
l Master Key – randomly generated key encrypted using the public key.
l Namespace Key – randomly generated namespace key encrypted using the master
key.
l Bucket Key – randomly generated bucket key encrypted using the namespace key.
l Object Key – randomly generated object key encrypted using the bucket key and
object id.
The private key for decryption of master key is stored on system disks (managed by
vNest) and the other encrypted keys are stored in logical tables and in chunks, similar
to data. They are also triple-mirrored, like data. When an object read or write request
comes in, the node servicing the request traverses the key hierarchy to encrypt or
decrypt the object. It uses the private key that’s common to all nodes to decrypt the
master key. Figure 24 provides a pictorial view of the key hierarchy.

Data at Rest Encryption (D@RE) 23

Security Configuration Settings

Figure 2 Data Encryption Using System Generated Keys

In a geo-replicated environment:
l A system being added to form or extend a federation generates public/private
keys to use for encryption/decryption of the federation's master key.
l Upon federation, ECS extracts the master key on the original system using the
private key of that system.
l ECS encrypts the master key using the public key generated by the new system
and shares it with the new system.
l The master key is now global and known to both systems within the federation.
In a geo-replicated environment , when a new ECS system joins an existing system
(referred to as a federation) , the master key is extracted using the public-private key
of the existing system and encrypted using the new public-private key pair generated
from the new system that joined the federation. From this point on, the master key is
global and known to both systems within the federation. In Figure 25, the ECS system
labeled VDC 2 joins the federation and the master key of VDC 1 (the existing system)
is extracted and passed to VDC 2 for encryption with the public-private key randomly
generated by VDC 2.

24 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide

 Security Configuration Settings

Figure 3 Encryption of the Master Key in a Geo-replicated Environment

Data at Rest Encryption (D@RE) 25

Security Configuration Settings

26 Elastic Cloud Storage (ECS) 3.0 Security Configuration Guide