Encryption Settings

To upload pre‐created certificates, navigate to the following section:

Configuration > Encryption

You can upload the following types of certificates:

  • Encryption certificate: The encryption certificate is used to encrypt data that is sent to the cloud and decrypt data that is received from the cloud. You can use the default certificate provided by Panzura (not recommended) or use a custom certificate. When a custom certificate is loaded, it is visible in the list of encryption certificates. You can activate the custom certificate by clicking Activate in the Action column.
  • Web certificate: The web certificate is presented when an administrator accesses the node web interface. You can upload a custom certificate to replace the default X.509 PEM web authentication certificate.

The next subsections provide additional information about how certificates are used.

System Management

Web certificates are used when the administrator manages the node via a Web browser. This is a normal HTTPS security mechanism for guaranteeing the authenticity of a remote system, in this case the node. The node ships with a default X.509 PEM web certificate issued and signed by Panzura. You can install a new replacement certificate through the WebUI.

Data Encryption

The encryption certificate is used to encrypt data sent to the cloud and decrypt data that is read from the cloud. Each node ships with a default data encryption certificate (P12 formatted) that is issued and signed by Panzura.

The security WebUI provides administrators with the ability to manage encryption certificates with flexibility, but care must be taken when doing this because nodes are fundamentally designed to share cloud data across multiple nodes, geographies, locations, and groups of users.

After a customer‐issued certificate is loaded, it is displayed in the certificate list. You can select and activate any certificate, as described in this section. The following restrictions apply:

  • All cloud nodes operating in a common single CloudFS must use the same encryption certificate for global read‐write collaboration to operate successfully. Unpredictable data access and client IO experiences can occur if this certificate topology is not implemented.
  • Although multiple encryption certificates can be loaded, each Panzura node uses one active certificate for all data operations. Multiple certificates cannot be active.
  • When a different certificate is activated, the system uses the new active certificate to encrypt all new data while using older certificates, no longer active, to decrypt data that was encrypted with those certificates.
  • You can delete a certificate only if it has never been activated. If the certificate has ever been used it must remain on the node.

node‐to‐node Communication

During normal operation a node will communicate securely with other active nodes within a CloudFS. For security reasons this communication takes place using an SSH key pair. To change this key pair from the default shipped with the node, follow these steps.

  • Perform this procedure during a maintenance window across all nodes, including HA standby.
  • If you use this procedure to change the key, then you must perform step 3 on any new node you add to the CloudFS.
  • To perform this procedure, port 443 must be open between nodes.

Key Management Interoperability Protocol Support

Panzura CloudFS supports Key Management Interoperability Protocol (KMIP). You use a KMIP server to manage KMIP certificates, including those for Panzura nodes. Only Master nodes can interact with a KMIP server.

Communication with the KMIP server requires a mutually authenticated SSL session. You must upload the certificate authority (CA) certificate (the one that signed the KMIP server's server certificate) and client certificate for a KMIP server. Only one certificate of each type can be uploaded.

To upload another certificate, you must delete the certificate of that type that was previously uploaded. After uploading the KMIP related certificates, you can register encryption certificates.

Standard KMIP Port

IANA.org has assigned port 5696 for use by KMIP servers and clients. Your KMIP server documentation will state if it uses a different port number. The EMC RSA Data Protection Manager uses port 443 for KMIP communication.

Installing an Existing Key File (CLI)

If you plan to use an existing key file and want to use the CLI to do so, use the following steps.

  1. Make a note of the IP address of the Master node. In a multi‐master configuration, select a specific Master node to be the designated key master for the purposes of this change. For the purposes of this procedure all other Master nodes are treated the same as Subordinate nodes.
  2. Change the pairing key on the Master node.
  1. Use SSH to log in to the Master node as admin. The cloudfs> prompt appears.
  1. Type enable and enter "enable" as the password, as prompted. The prompt changes to cloudfs#.
    cloudfs> enable
    password: enable
  2. Use the show pairing-key command to display the current pairing signature and then use the regenerate‐pairing‐key command to create the new key. The second show key‐signature command shows that the regenerated key is different from the original key. The value of the key signature can range from 2‐43 characters, depending on the version of software that the node is running.
    cloudfs# show pairing-key
    cloudfs# regenerate-pairing-key
    cloudfs# show key-signature

3. Change the pairing key on all other nodes, including and HA standby nodes.

  1. Use SSH to log in to the Master node as admin. The cloudfs> prompt appears.
  2. Type enable and enter "enable" as the password, as prompted. The prompt changes to cloudfs#.
    cloudfs> enable
    password: enable
  3. Enter the resync‐pairing‐key command to specify the pairing key. Include the IP address of the Master node and the admin password. If your nodes are using valid signed web certificates, use the secure option. If your nodes are using the default unsigned web certificate, use the insecure option.
    cloudfs# resync-pairing-key master-ip-address password secure
    cloudfs# resync-pairing-key master-ip-address password insecure
  4. Run the check‐master‐key‐pair‐sync command to verify that the key on the master and Subordinate nodes are the same.
    If the prompt returns with no output, the command is successful and the keys are identical:
    cloudfs# check-master-key-pair-sync
    If the following error occurs, the sync was unsuccessful and you must rerun the resync‐masterpairing‐key command and then the check‐master‐key‐pair‐sync command:
    ERROR:keysync not done.
  5. Repeat for all remaining Subordinate nodes.

Data Encryption Setting Options

The following table describes the encryption options.

Settings Description
Encryption Settings
Encryption Settings

Click Add to add a certificate. Enter a name to identify the certificate, and click Choose File to find and select the certificate file.

Enter and confirm a passphrase. This is the export password that is assigned when creating the encryption certificate from OpenSSL.

Click Add to make the certificate available for selection.

Authentication Keys

Dynamic Key

Key used by the nodes to communicate among themselves. Enter the key on the key master.

  • On the key master, click Export to export the pairing.key file.
  • On each subordinate in the CloudFS, click Upload to upload the pairing.key file that you exported from the key master.
Web Certificate Settings

Web Certificate

To install a new web certificate, select No custom certificate and then click Choose File. Select a new X.509 PEM certificate, click Upload and then click Activate.

Following upload, the name of the new certificate is shown.

To delete a custom certificate, select it and click Delete.

KMIP Server

Configure connection to a Key Management Interoperability Protocol (KMIP) server and to manage KMIP certificates. (See Key Management Interoperability Protocol Support.)

Specify the following for connection to a KMIP server, and click Save:

  • KMIP Server Host Name: Specify the IP address or hostname of the KMIP server.
  • KMIP Server Port: Specify the port for communication with the KMIP server.
  • KMIP Protocol Type: Select one of the following:
    • binary TTLV (standard KMIP).
    • HTTP TTLV (RSA DPM). If you select this option, a Security Class field is displayed. Copy the security class specified in the EMC RSA Data Protection Manager product and paste it into this field. Note: If you change to a new KMIP server, you need to register all certificates with the new server.
Upload New KMIP Certificates Use this section to upload CA and client certificates (X.509 PEM format). Select the certificate type (CA or Client) and click Choose File to specify the file. Click Upload. Following upload, the certificate is listed in the KMIP Certificates area as "KMIP Server CA Certificate" or "KMIP Client Certificate."
Create and Register Encryption Certificates Click to create and register a certificate. Specify a name for the certificate and click Create and Register. This action creates a self-signed certificate that lasts for five years (RSA 2048-bit encryption). The full certificate name is the hostname of the cloud node with the creation date appended. The created certificate will be registered on the KMIP server.
Retrieve Encryption Certificate from KMIP Server

Specify the certificate and private key name, and click Retrieve to retrieve the certificate from the KMIP server. The certificate is added to the Encryption Certificates list in this section. For example, if you previously registered the certificate mycert, enter mycert-cert and my-cert-key and click Retrieve.

Note: If you have a master-master configuration, any retrieve operation should be done to all masters.


Generating a Self-signed Web Certificate

  1. You can download openssl binaries from http://www.openssl.org/ and install them on Windows or Linux. For Linux, check the distribution for the install package.
  2. Open a command prompt (or terminal if you are using Linux) and issue the following command.

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cc1.pem -out cc1.pem

This will create a certificate named cc1.pem that will be used to upload from the WebUI.

When the certificate is uploaded and activated, the WebUI will refresh with the self-signed certificate.

  1. Click Apply to activate the certificate and deactivate the previously active certificate.

If you already have a certificate signed by a third party to convert into X.509 PEM, open a text editor and paste the keys from the certificates for the certificate chain in the following order, and save as a PEM file.

  1. Private.key
  2. Domain.crt: For domain certificate
  3. Intermediate.crt: For the Intermediate certificate
  4. Root.crt: For the Root certificate

Generating a Self-signed Encryption Certificate

  1. You can download openssl binaries from http://www.openssl.org/ and install them on Windows or Linux. For Linux, check the distribution for the install package.
  2. Use the following command to generate a private key if one does not exist.

# openssl genrsa -des3 -out cloudfs.key 2048

Because keys are sensitive information, make sure you store them carefully and encrypt them using a strong passphrase and cipher. You can use the DES, Triple DES, IDEA, or 128, 192, or 256-bit AES symmetric ciphers by adding des, des3, idea, aes128, aes192, or aes256 flag to the command line. The default is triple DES (des3).

3. To create a self-signed certificate using the private key that you generated, use the following command:

# openssl req -new -x509 -out cloudfs.crt -key cloudfs.key

4. The process prompts you for details to create a Distinguished Name (DN). Some fields have a default value, which you can change as needed. If you enter a period (.), the field is left blank. The default values are read from the openssl.cfg file. For Common Name, specify the fully qualified domain name (FQDN) of the controller, for example, cc.panzura.com. You can leave the email address, optional company name and challenge password fields blank.

Country Name (2 letter code) [US]: US

State or Province Name (full name) []: California

Locality Name (eg, city) []: San Jose

Organization Name (eg, company) []: Panzura Inc

Organizational Unit Name (eg, section) []: Support

Common Name (eg, YOUR name) []: cc.panzura.com

Email Address []:

5. Issue the next command to bundle the p12. The command reads the encoded certificate and key and exports to a single PKCS#12 file. By default, the key will be encrypted with triple DES and you will be prompted for an export password (which may be blank).

# openssl pkcs12 -export -in cloudfs.crt -inkey cloudfs.key -out cloudfs.p12 -name “Friendly Name”

You can concatenate the root certificate and any other certificates in the chain into a single file (for example, root.crt) and included in the PKCS#12 file as follows:

# openssl pkcs12 -export -in cloudfs.crt -inkey cloudfs.key -certfile root.crt -out cloudfs.p12

6. In the node WebUI, click Browse under Encryption Certificates to upload the CC1.p12 file, and then select it. Click Apply to activate the certificate and deactivate the previously active certificate.