update: encryption docs

Signed-off-by: hyponet <[email protected]>
basenana · Jul 1, 2023 · c81c6cd · c81c6cd
1 parent c8f28b3
commit c81c6cd
Show file tree

Hide file tree

Showing 2 changed files with 91 additions and 0 deletions.
diff --git a/docs/usage.md b/docs/usage.md
@@ -222,6 +222,54 @@ configuration, the data in NanaFS is stored in the remote storage system via the
 }
 ```
 
+### Encryption
+
+Notice:
+
+1. After enabling encryption, please keep the secret key safe, the loss of the key will make the data unreadable.
+2. It is not supported to modify the secret key in the configuration file. If you need to modify the key, you need to
+   add a new storage and migrate data by file copy.
+
+NanaFS supports the encryption of chunk pages stored on the cloud. If the encryption option is enabled, data caching and
+transmission will use encrypted pages.
+Currently only AES symmetric encryption is supported, and a random encryption key can be generated by the following
+command:
+
+```bash
+openssl rand -hex 16
+```
+
+There are two ways to enable chunk page encryption.
+The first is to use the `global_encryption` in the configuration to enable global encryption:
+
+```json
+{
+  "global_encryption": {
+    "enable": true,
+    "method": "AES",
+    "secret_key": "<secret_key>"
+  }
+}
+```
+
+The second way is to only encrypt the chunk page stored in a certain storage.
+When `global_encryption` and `storages.encryption` are configured at the same time, it will be used storage's own
+encryption configuration:
+
+```json
+{
+  "storages": [
+    {
+      "encryption": {
+        "enable": true,
+        "method": "AES",
+        "secret_key": "<secret_key>"
+      }
+    }
+  ]
+}
+```
+
 ## Deployment
 
 ### Systemd

diff --git a/docs/usage_zh.md b/docs/usage_zh.md
@@ -211,6 +211,49 @@ Bucket 中。
 }
 ```
 
+### 数据块加密
+
+注意事项：
+
+1. 开启加密后，请妥善保管密钥，密钥遗失会导致数据不可读
+2. 不支持在配置文件修改密钥，如果需要修改密钥，需要新增一个新的 storage，并通过文件拷贝的方式迁移
+
+NanaFS 支持将存储到云上的数据块加密，如果开启了加密选项，数据缓存和传输均是使用加密后的数据块。
+当前仅支持 AES 对称加密，可以通过下述命令生成一个随机的加密密钥：
+
+```bash
+openssl rand -hex 16
+```
+
+开启数据块加密有两种方式，第一种是全局的加密开启，在配置中的 `global_encryption` 项可以进行如下配置：
+
+```json
+{
+  "global_encryption": {
+    "enable": true,
+    "method": "AES",
+    "secret_key": "<secret_key>"
+  }
+}
+```
+
+第二种方式是仅对某个 storage 存储的数据进行加密，当同时配置了 `global_encryption` 和 `storages.encryption` 时，会优先使用
+storage 自己的加密配置：
+
+```json
+{
+  "storages": [
+    {
+      "encryption": {
+        "enable": true,
+        "method": "AES",
+        "secret_key": "<secret_key>"
+      }
+    }
+  ]
+}
+```
+
 ## Deployment
 
 ### Systemd