JuiceFS encrypts data when transmitted across networks to protect against eavesdropping of network traffic by unauthorized users.
For the data uploaded to object storage services, JuiceFS client will always use HTTPS except for the following scenarios:
JuiceFS supports data encryption at rest, i.e. data is encrypted before it is uploaded to object storage. The data stored in object storage is therefore encrypted, which effectively prevents a data breach when the object storage itself is compromised.
JuiceFS uses industry-standard encryption (AES-GCM and RSA) for client-side encryption. Encryption and decryption are carried out in the JuiceFS client. The only thing users need to do is provide a private key or passphrase when mounting JuiceFS and then use it like an ordinary file system. It is completely transparent to applications.
Note: The data cached on the client side is NOT encrypted. Nevertheless, it is only accessible by root or the owner. If you want to encrypt the cached data as well, you can put the cache directory in an encrypted file system or block storage.
A global RSA key M must be created for each encrypted file system. Every object stored in the object storage will have its own random symmetric key S. The data is encrypted using AES-GCM with the symmetric key S, S is encrypted using the global RSA key M, and the RSA key is encrypted with the passphrase specified by the user.
The detailed procedure for data encryption is as follows:
The steps for data decryption are as follows:
The security of the RSA key is extremely important when encryption is enabled. If the key is leaked, data may be exposed. If the key is lost, all encrypted data is lost and cannot be recovered.
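The envelope scheme described above, in which a random per-object key S encrypts the data with AES-GCM and the global RSA key M wraps S, as an added Go example that is not JuiceFS source code. RSA-OAEP with SHA-256, the 12-byte nonce, the byte layout and all function names are assumptions made for illustration; passphrase protection of M is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func gcmFor(s []byte) cipher.AEAD { // callers pass exactly 32 bytes, so neither call can fail
	block, _ := aes.NewCipher(s)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// EncryptObject: fresh S per object; assumed layout RSA-OAEP(M, S) | nonce | ciphertext+tag.
func EncryptObject(m *rsa.PublicKey, data []byte) ([]byte, error) {
	buf := make([]byte, 32+12) // random per-object key S plus GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	s, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, m, s, nil)
	if err != nil {
		return nil, err
	}
	return gcmFor(s).Seal(append(wrapped, nonce...), nonce, data, nil), nil
}

// DecryptObject unwraps S with the private key M, then authenticates and decrypts.
func DecryptObject(m *rsa.PrivateKey, obj []byte) ([]byte, error) {
	k := m.Size() // the wrapped S is exactly one RSA modulus long
	if len(obj) < k+12 {
		return nil, rsa.ErrDecryption
	}
	s, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, m, obj[:k], nil)
	if err != nil || len(s) != 32 {
		return nil, rsa.ErrDecryption // wrong or lost M: S is unrecoverable
	}
	return gcmFor(s).Open(nil, obj[k:k+12], obj[k+12:], nil) // error if tampered
}

func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // throwaway demo M
func main() {
	m, _ := NewKey()
	obj, _ := EncryptObject(&m.PublicKey, []byte("constructed sample block"))
	fmt.Println(DecryptObject(m, obj))
}
```

Because S and the nonce are drawn fresh for every call, two encryptions of the same data produce different objects, and any change to the stored bytes makes decryption return an error instead of altered plaintext.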
When a new volume is created using juicefs format, encryption at rest can be enabled by specifying an RSA private key using --encrypt-rsa-key; the private key will then be saved into Redis. When the private key is protected by a passphrase, it can be specified using the environment variable JFS_RSA_PASSPHRASE.
Usage:
$ openssl genrsa -out my-priv-key.pem -aes256 2048
$ juicefs format --encrypt-rsa-key my-priv-key.pem REDIS-URI NAME
Note: If the private key is protected by a passphrase, it should be specified using JFS_RSA_PASSPHRASE for juicefs mount.
TLS, HTTPS and AES-256 are implemented very efficiently on modern CPUs. Therefore, enabling encryption has little impact on the performance of the file system. The RSA algorithm is relatively slow, especially the decryption procedure. It is recommended to use a 2048-bit RSA key for storage encryption. Using a 4096-bit key may have a significant effect on read performance.