LucidLink Filespaces Security Model: https://www.lucidlink.com/wp-content/uploads/LucidLink-Security_Model.pdf
Firewall configuration:
Encrypted LucidLink client filesystem data is communicated securely with our service via Transmission Control Protocol/Internet Protocol (TCP/IP) port 443 and the Object Store (S3 compatible Bucket or Azure Container) using the Object Storage credentials provided.
All Object Storage transfers are performed with Advanced Encryption Standard (AES-256) end-to-end, client-side authenticated encryption through the LucidLink Windows, macOS or Linux client and Filespace user access controlled filesystem credentials.
LucidLink client communicates with AES-256 encryption via TCP/IP port 443 with our Discovery Service for the purpose of Namespace verification and Metadata coordination.
In order for LucidLink client to work behind a firewall the following outbound connections on port 443 must be enabled:
- LucidLink Filespace service IP address - you need to open a ticket to LucidLink Support team in order to get your Filespace service IP address or identified within the
Lucid.log
as the Internet routableServer data endpoint
.
All Filespace service IP addresses are unique to each individual filespace.
LucidLink makes all efforts to ensure this Filespace service IP address will not change however in some circumstances during maintenance by our various cloud infrastructure partners and providers the service IP might change.
The filespace ID, as the fully qualified domain name (FQDN) (filespaceID.fs.lucidlink.com
) within the firewall may be required.
- LucidLink discovery service - DNS Record
discovery-service.lucidlink.com
.
Whitelisting by the FQDN is recommended, as the IP address of this service can change. - Object storage endpoint(s) TCP/IP typically port 443 standard HTTPS traffic or as per the Filespace endpoint specified during initialization.
- LucidLink web service -
api.lucidlink.com
.
Additionally, we use certificates signed by our internal certificate authority (CA).
Some firewalls do Secure Sockets Layer (SSL) decryption (aka Deep Packet Inspection (DPI) or SSL Certificate Inspection). This is interpreted as a man-in-the-middle attack, by injecting their own CA in the trusted store and using it to impersonate the accessed service.
This should be turned off for LucidLink discovery service and LucidLink Filespace service IP and the filespace.domain
name as a fully FQDN or resolvable FQDN.
In case of local object storage the inbound traffic on port the Filespace was initialized must also be enabled. All data and proprietary metadata of the Filespace are client-side encrypted. They never go in decrypted form even in LucidLink internal traffic. LucidLink services have a zero-knowledge policy. Even if a firewall wants to analyze the traffic it will still be encrypted.
Software:
FUSE https://en.wikipedia.org/wiki/Filesystem_in_Userspace will be installed as a dependency on Linux.
LucidFS is a required driver within a Windows and macOS environment and is included within our installation.
Most object storage providers require Transport Layer Security (TLS) 1.1 or greater SSL connections