
End-to-End Encryption

FlexFS Enterprise supports end-to-end (E2E) encryption where data is encrypted on the mount client before it leaves the machine. Neither the metadata server, proxy servers, nor the cloud object storage provider can read the plaintext data.

  1. Volume creation — encryption is enabled on the volume at creation time (via configure.flexfs or the CSI StorageClass encryption: "true" parameter).
  2. First mount — the user provides an encryption secret (passphrase). FlexFS derives cryptographic keys from this secret and registers a secret ID with the admin server.
  3. Subsequent mounts — the user provides the same encryption secret. FlexFS re-derives the keys and verifies the result matches the stored secret ID.

The encryption secret never leaves the mount client’s memory. The admin server only stores the secret ID (a salted hash), not the secret itself.

FlexFS uses Argon2id to derive a 64-byte key from the user’s encryption secret:

| Parameter | Value |
| --- | --- |
| Algorithm | Argon2id |
| Time cost | 3 iterations |
| Memory cost | 64 MiB |
| Parallelism | 4 threads |
| Output length | 64 bytes |
| Salt length | 16 bytes (random) |

The 64-byte derived key is split into two halves:

  • First 32 bytes — combined with the salt to form the secret ID, which is stored on the admin server for verification.
  • Last 32 bytes — used as the AES-256 encryption key for data.

The secret ID is stored as base64(salt):base64(hash), where the salt is the random 16-byte value generated on first mount and the hash is the first 32 bytes of the Argon2id output. On subsequent mounts, the salt is extracted from the stored secret ID to re-derive the same keys.
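The following is an added example, not FlexFS code, that walks through the scheme described above: derive 64 bytes with the Argon2id parameters from the table, use the first 32 bytes plus the salt to build the `base64(salt):base64(hash)` secret ID registered on first mount, keep the last 32 bytes as the AES-256 data key, and on a later mount re-derive from the salt stored in the secret ID and compare in constant time (the case in which the mount client reports a mismatch). Function names, the `argon2-cffi` dependency and the scrypt stand-in used only when that package is absent are assumptions of this example, not FlexFS behaviour.

```python
"""Added example: FlexFS-style key derivation and secret-ID verification.

Illustrative code, not the FlexFS implementation. It follows the page's
description: Argon2id (t=3, m=64 MiB, p=4) -> 64 bytes; first 32 bytes
plus salt form the secret ID stored on the admin server, last 32 bytes
are the AES-256 data key that never leaves the client.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Parameters from the page's key-derivation table.
TIME_COST = 3
MEMORY_COST_KIB = 64 * 1024  # 64 MiB; argon2 takes kibibytes
PARALLELISM = 4
OUTPUT_LEN = 64
SALT_LEN = 16
MIN_SECRET_LEN = 8

try:
    from argon2.low_level import Type, hash_secret_raw  # pip install argon2-cffi
    USING_ARGON2ID = True
except ImportError:
    # Assumption for this example only: fall back to scrypt (stdlib) so the
    # key-splitting and verification logic can still be exercised offline.
    USING_ARGON2ID = False


def derive_key(secret: str, salt: bytes) -> bytes:
    """Return the 64-byte derived key for (secret, salt)."""
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("encryption secret must be at least 8 characters")
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 bytes")
    if USING_ARGON2ID:
        return hash_secret_raw(
            secret.encode("utf-8"), salt,
            time_cost=TIME_COST, memory_cost=MEMORY_COST_KIB,
            parallelism=PARALLELISM, hash_len=OUTPUT_LEN, type=Type.ID,
        )
    # Stand-in KDF (NOT what FlexFS uses), kept under hashlib's default maxmem.
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=OUTPUT_LEN)


def split_key(derived: bytes) -> tuple[bytes, bytes]:
    """First 32 bytes -> verifier hash; last 32 bytes -> AES-256 data key."""
    return derived[:32], derived[32:]


def register_secret(secret: str, salt: bytes | None = None) -> tuple[str, bytes]:
    """First mount: build the secret ID 'base64(salt):base64(hash)'.

    Returns (secret_id, data_key). Only secret_id is sent to the admin server.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    verifier, data_key = split_key(derive_key(secret, salt))
    secret_id = (base64.b64encode(salt).decode() + ":"
                 + base64.b64encode(verifier).decode())
    return secret_id, data_key


def unlock(secret: str, secret_id: str) -> bytes | None:
    """Subsequent mount: re-derive from the stored salt and compare.

    Returns the data key on success, or None when the secret does not match
    (the situation in which the mount client reports a mismatch).
    """
    salt_b64, hash_b64 = secret_id.split(":", 1)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    verifier, data_key = split_key(derive_key(secret, salt))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(verifier, expected):
        return None
    return data_key


if __name__ == "__main__":
    sid, key = register_secret("correct horse battery")
    print("secret ID registered with admin server:", sid)
    print("same secret unlocks:", unlock("correct horse battery", sid) == key)
    print("wrong secret unlocks:", unlock("wrong secret 123", sid) is not None)
    print("kdf in use:", "argon2id" if USING_ARGON2ID else "scrypt stand-in")
```

Note that the data key is returned only from the derivation; nothing derived from the last 32 bytes is ever encoded into the secret ID, which is what keeps the admin server unable to decrypt volume data even though it holds the verifier.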

| Data | Cipher | Where applied |
| --- | --- | --- |
| File content blocks | AES-256 | Applied before upload to object storage |
| Metadata fields | AES-256-GCM | Encrypted on the mount client before sending to the metadata server |

Both block data and metadata are encrypted client-side, ensuring true end-to-end encryption.

Encryption secret requirements:

  • Minimum length: 8 characters
  • All mounts of the same volume must use the same encryption secret
  • The secret can be provided interactively (prompted at mount time) or via the credentials file (secret field)

Using configure.flexfs:

create volume --name my-encrypted-volume --metaStoreID 1 --blockStoreID 1 --encryption

Using the CSI driver StorageClass:

parameters:
  encryption: "true"

On the first mount of an encrypted volume, you will be prompted for the encryption secret:

*********************
End-to-end encryption
*********************
This volume's settings specify that end-to-end encryption be used, but
an encryption secret has not yet been provided. Let's set one up now.
Notes:
* Your encryption secret never leaves the memory of this client.
* Be sure to store your encryption secret safely and securely.
* You must provide the same encryption secret for all mounts.
* Losing your encryption secret will result in unreadable data.
Volume secret:

Alternatively, provide the secret in the credentials file:

adminAddr = "admin.example.com:443"
token = "$TOKEN"
secret = "$SECRET"

On subsequent mounts, you will be prompted:

*********************
End-to-end encryption
*********************
This volume is configured to use end-to-end encryption.
Please provide the matching encryption secret below.
Volume secret:

If the provided secret does not match the registered secret ID, the mount will fail with:

Error: incorrect volume secret

E2E encryption and server-side encryption (SSE) can be used simultaneously. In this case, data is first encrypted client-side by FlexFS (AES-256), then encrypted again server-side by the object storage provider (SSE). This provides defense in depth.