Administration Guide

Data-at-rest encryption on FortiAnalyzer-BigData 4500F

The FortiAnalyzer-BigData 4500F offers data-at-rest encryption to enhance the security of log data stored in the system. Using Linux Unified Key Setup (LUKS) and dm-crypt, it encrypts all data disk partitions on the cluster hosts without requiring any change to the application logic or schema. This keeps the log data protected and inaccessible even if an attacker gains access to the physical storage. Encryption is managed through a single cluster-level passphrase, which keeps the configuration consistent across hosts and simplifies administration.

Consider the following limitations to make an informed decision regarding the implementation of data-at-rest encryption in your FortiAnalyzer-BigData 4500F:

  • The Main host blade is not encrypted, which means that raw logs may be buffered unencrypted on the FAZ blade for a short period.

  • Only the data disks of the Security Event Manager cluster hosts can be encrypted. The OS boot drive, which solely contains binaries, scripts, and server logs, is not encrypted.

  • Enabling encryption necessitates re-formatting of the partitions. This process can only be performed during a fresh installation or a hard reset.

  • Encryption cannot be reversed once enabled. The only way to return to unencrypted storage is a factory reset.

Caution

We strongly suggest you save the passphrase in a secure place. If the passphrase is lost and the encrypted volume is inactive (LUKS closed), the data in the encrypted volumes will no longer be accessible.

Note

Enabling data-at-rest encryption may degrade performance: disk I/O was 17% slower in our lab test. However, the overall impact on performance may not be significant (< 10%), as most workloads are not heavily dependent on disk I/O.
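As an added example that is not Fortinet's code, the following POSIX shell audit checks a host's partitions against the limitations above: data partitions should be LUKS-formatted and currently opened through dm-crypt, while only the OS boot partition is expected to be plain. It parses the output of `lsblk -P`; the SAMPLE_LSBLK text and its device names are constructed for the demonstration, not taken from an appliance.

```sh
#!/bin/sh
# Added example, not part of the FortiAnalyzer-BigData product.
# Input format: lsblk -P -o NAME,TYPE,FSTYPE,PKNAME,MOUNTPOINT
# SAMPLE_LSBLK is a constructed stand-in for one cluster host's block devices.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="xfs" PKNAME="sda" MOUNTPOINT="/"
NAME="sdb" TYPE="disk" FSTYPE="" PKNAME="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" FSTYPE="crypto_LUKS" PKNAME="sdb" MOUNTPOINT=""
NAME="data1" TYPE="crypt" FSTYPE="xfs" PKNAME="sdb1" MOUNTPOINT="/data1"
NAME="sdc" TYPE="disk" FSTYPE="" PKNAME="" MOUNTPOINT=""
NAME="sdc1" TYPE="part" FSTYPE="crypto_LUKS" PKNAME="sdc" MOUNTPOINT=""
NAME="sdd" TYPE="disk" FSTYPE="" PKNAME="" MOUNTPOINT=""
NAME="sdd1" TYPE="part" FSTYPE="xfs" PKNAME="sdd" MOUNTPOINT="/data2"'

# luks_audit: reads lsblk -P lines on stdin and prints one line per partition:
#   <name> luks active   (LUKS-formatted and opened via dm-crypt)
#   <name> luks CLOSED   (LUKS-formatted but not opened: data unreadable)
#   <name> plain <mount> (no LUKS at all)
# Exit status is 1 when any LUKS volume is closed or any non-root partition
# is plain; values containing spaces or '=' are not handled.
luks_audit() {
    awk '
    {
        for (i = 1; i <= NF; i++) {          # parse key="value" pairs
            split($i, kv, "=")
            gsub(/"/, "", kv[2])
            f[kv[1]] = kv[2]
        }
        if (f["TYPE"] == "part") {
            order[++n] = f["NAME"]
            fstype[f["NAME"]] = f["FSTYPE"]
            mount[f["NAME"]] = f["MOUNTPOINT"]
        } else if (f["TYPE"] == "crypt") {
            opened[f["PKNAME"]] = 1          # dm-crypt child => parent is open
        }
        split("", f)                         # portable way to clear the array
    }
    END {
        rc = 0
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (fstype[p] == "crypto_LUKS") {
                if (p in opened) print p, "luks active"
                else { print p, "luks CLOSED"; rc = 1 }
            } else {
                print p, "plain", (mount[p] == "" ? "-" : mount[p])
                if (mount[p] != "/") rc = 1  # only the OS boot partition may be plain
            }
        }
        exit rc
    }'
}

# Demo on the constructed sample; on a real host pipe lsblk itself into luks_audit.
printf '%s\n' "$SAMPLE_LSBLK" | luks_audit || echo "audit found problems (exit $?)"
```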
