Encryption at Rest Policy Examples

This section provides policy examples for enabling encryption at rest.

Policy requirements for encryption at rest

Policy is NOT required in order to use encryption at rest. However, you can use policy to automate the enforcement of encryption for jobs and for the supported service providers (NFS and SMB).

To enforce application data encryption, both local and remote, use the claim type initial.params with the claim name "encrypt".

This claim can be used on the job::/ realm to enforce encryption of local (ephemeral) application data, and on the service::/ realm to enforce encryption of remote data stored using APCFS or SMB services.

Note that, as the claim type (initial.params) indicates, application data encryption can only be enforced by policy at job or service creation time, not on job/service update.

Job encryption example

The following policy would encrypt local application data for all jobs in the /test namespace:

on job::/test {
  { initial.params "encrypt" }
}

Service encryption examples

The following example would encrypt data written to the APCFS persistent store for the named service:

on service::/services/storage/nfs::myapcfs-service {
  { initial.params "encrypt" }
}

Similarly, the following example would encrypt data written to the SMB persistent store for the named service:

on service::/services/storage/smb::mysmb-service {
  { initial.params "encrypt" }
}

In 3.2.0, the value of the encrypt parameter is automatically exported from the API when viewing service information. Prior to 3.2.0, policy must be adjusted manually so that the parameter is visible:

on gateway::/apcera/service-gateways::nfs {
  { permit use }
  { serviceParam encrypt }
}

To avoid mixing encrypted and unencrypted data, service encryption policy does NOT apply to shared NFS or SMB provider connections, where multiple jobs share storage via the same service. If the storage is shared, enabling EncFS encryption has no effect: the data is not encrypted.
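The following is an added audit script, not part of the original page or the product: it parses policy text written in the syntax of the job and service examples above, lists the realms that carry the initial.params "encrypt" claim, and reports which constructed jobs and services would be encrypted at creation time, flagging services whose storage is shared (the case in which the page states the claim has no effect). The realm matching rule (an exact match for a named resource, namespace plus sub-namespaces for a bare namespace realm) and the FQN form type::/namespace::name are assumptions for this example.

```python
import re

# Constructed policy in the syntax this page shows (not a real deployment's policy).
POLICY = '''on job::/test {
  { initial.params "encrypt" }
}
on service::/services/storage/nfs::myapcfs-service {
  { initial.params "encrypt" }
}
on service::/services/storage/smb::shared-smb {
  { initial.params "encrypt" }
}
'''
# One "on <realm> { ... }" block per match; each inner "{ ... }" pair is a claim.
BLOCK_RE = re.compile(r'^on\s+(\S+)\s*\{(.*?)^\}', re.S | re.M)
CLAIM_RE = re.compile(r'\{\s*([^{}]*?)\s*\}')
ENCRYPT_CLAIM = 'initial.params "encrypt"'

def encrypt_realms(policy_text):
    """Realms whose block carries the initial.params "encrypt" claim."""
    return {realm for realm, body in BLOCK_RE.findall(policy_text)
            if ENCRYPT_CLAIM in CLAIM_RE.findall(body)}

def realm_covers(realm, fqn):
    """Assumed rule: type::/ns::name matches only that FQN; type::/ns matches the namespace and sub-namespaces."""
    r_type, r_rest = realm.split("::", 1)
    f_type, f_ns, f_name = fqn.split("::")
    if r_type != f_type:
        return False
    if "::" in r_rest:
        return r_rest == f"{f_ns}::{f_name}"
    return f_ns == r_rest or f_ns.startswith(r_rest.rstrip("/") + "/")

def audit(policy_text, resources):
    """Creation-time outcome per (fqn, shared_storage); shared NFS/SMB storage is flagged as unencrypted."""
    realms = encrypt_realms(policy_text)
    report = {}
    for fqn, shared in resources:
        matched = any(realm_covers(r, fqn) for r in realms)
        if matched and shared:
            report[fqn] = "claim matches but storage is shared: NOT encrypted"
        else:
            report[fqn] = "encrypted at creation" if matched else "no encrypt claim applies"
    return report

# Constructed resources: (FQN, whether several jobs share the service's storage).
RESOURCES = [("job::/test::web", False), ("job::/test/ci::runner", False),
             ("job::/prod::web", False),
             ("service::/services/storage/nfs::myapcfs-service", False),
             ("service::/services/storage/smb::shared-smb", True)]
```

Because the claim only takes effect at creation time, run this audit against the policy before the jobs and services are created; an existing shared service will not become encrypted by adding the claim later.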