LucidLink Filespaces Security Model: https://www.lucidlink.com/wp-content/uploads/LucidLink-Security_Model.pdf
Encrypted LucidLink client filesystem data is communicated securely with our service via Transmission Control Protocol/Internet Protocol (TCP/IP) port 443 and the Object Store (S3 compatible Bucket or Azure Container) using the Object Storage credentials provided.
All Object Storage transfers are performed with Advanced Encryption Standard (AES-256) end-to-end, client-side authenticated encryption through the LucidLink Windows, macOS or Linux client and Filespace user access controlled filesystem credentials.
LucidLink client communicates with AES-256 encryption via TCP/IP port 443 with our Discovery Service for the purpose of Namespace verification and Metadata coordination.
In order for LucidLink client to work behind a firewall the following outbound connections on port 443 must be enabled:
• LucidLink Filespace service IP address - you need to open a ticket to LucidLink Support team in order to get your Filespace service IP address or identified within the
Lucid.log as the Internet routable
Server data endpoint.
All Filespace service IP addresses are unique to each individual Filespace.
LucidLink makes all efforts to ensure this Filespace service IP address will not change however in some circumstances during maintenance by our various cloud infrastructure partners and providers the service IP might change.
In certain situations the
filespace.domain name as the fully qualified domain name (FQDN) within the firewall maybe required. It might be necessary in certain environments that a reverse resolvable FQDN or Server Name Indication (SNI) is required, please reach out to our Support team.
• LucidLink discovery service - DNS Record
discovery.lucidlink.com (current IP's are
• Object storage endpoint(s) TCP/IP typically port 443 standard HTTPS traffic or as per the Filespace endpoint specified during initialization.
Additionally, we use certificates signed by our internal certificate authority (CA).
Some firewalls do Secure Sockets Layer (SSL) decryption (aka Deep Packet Inspection (DPI) or SSL Certificate Inspection). This is interpreted as a man-in-the-middle attack, by injecting their own CA in the trusted store and using it to impersonate the accessed service.
This should be turned off for LucidLink discovery service and LucidLink Filespace service IP and the
filespace.domain name as a fully FQDN or resolvable FQDN.
Note: In case of local object storage the inbound traffic on port the Filespace was initialized must also be enabled. All data and proprietary metadata of the Filespace are client-side encrypted. They never go in decrypted form even in LucidLink internal traffic. LucidLink services have a zero-knowledge policy. Even if a firewall wants to analyze the traffic it will still be encrypted.
FUSE https://en.wikipedia.org/wiki/Filesystem_in_Userspace will be installed as a dependency on macOS and Linux. Users with strongly secured environments may receive a warning to allow 3rd-party driver installation.
macOS requires LucidFS (Team ID "3T5GSNBU6W" Bundle ID "com.lucidlink.lucidfs.filesystems.lucidfs") kernel extension (KEXT) approval for macOS please see "Filespace fails to mount macOS"
LucidFS is a required driver within a Windows environment and is included within our installation.
LucidLink client REST APIs communicates to the local daemon/service via the default instance TCP/IP port 7778. Should this port be in use the OS client will fail to start, please consult OS client fails to start
Most object storage providers require Transport Layer Security (TLS) 1.1 or greater SSL connections