LucidLink Filespaces Security Model: https://www.lucidlink.com/wp-content/uploads/LucidLink-Security_Model.pdf 


Firewall configuration:

Encrypted LucidLink client file system data is exchanged directly with the Object Store (bucket) over TCP/IP port 443, using the Object Storage credentials provided.

All Object Storage transfers go over HTTPS, and the data itself is end-to-end encrypted with AES-256 authenticated encryption performed client-side by the LucidLink Windows, macOS or Linux client, keyed from the file system shared secret (password).

The LucidLink client communicates with our Discovery Service over TCP/IP port 443, with AES-256 encryption, for the purpose of namespace verification and metadata coordination.


In order for the LucidLink client to work behind a firewall, the following outbound connections on port 443 must be enabled:

• LucidLink Filespace service IP address - you need to open a ticket with the LucidLink Support team in order to obtain your filespace service IP address.

• LucidLink discovery service - DNS record discovery.lucidlink.com (current IPs are 3.87.181.140 and 35.172.3.119).

• Object storage endpoint(s) (standard HTTPS traffic).

Note: In the case of local object storage, inbound traffic on port 443 must also be enabled.


Additionally, we use certificates signed by our internal CA. Some firewalls perform SSL/TLS decryption (inspection). That is a man-in-the-middle attack: the firewall injects its own CA into the client's trusted store and uses it to impersonate the accessed service. Because our certificates do not chain to that CA, this inspection must be turned off for the LucidLink discovery service and the LucidLink Filespace service IP.


Note: all data and proprietary metadata of the filespace are client-side encrypted. They are never sent in decrypted form, not even in LucidLink internal traffic. LucidLink services have a zero-knowledge policy. Even if a firewall attempts to analyze the traffic, it will still be encrypted.
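The following script is an added example, not LucidLink's own code: it turns the outbound/inbound requirements above into iptables rules, flags discovery.lucidlink.com addresses that drift away from the two listed IPs, checks whether the local daemon port 7778 (see the Software section) is already taken, and applies a heuristic for the SSL inspection problem just described. The filespace service IP and object storage endpoint are placeholders you must replace with your own values; iptables is assumed as the host firewall.

```python
import socket
import ssl
from typing import List, Set

# Destinations the article requires to be reachable outbound on TCP/443.
DISCOVERY_HOST = "discovery.lucidlink.com"
DISCOVERY_IPS = {"3.87.181.140", "35.172.3.119"}       # current addresses listed in the article
FILESPACE_SERVICE_IP = "203.0.113.10"                  # PLACEHOLDER (assumption): get yours from LucidLink Support
OBJECT_STORE_ENDPOINT = "s3.example-provider.invalid"  # PLACEHOLDER (assumption): your bucket's HTTPS endpoint
LOCAL_DAEMON_PORT = 7778                               # local REST API port the client daemon listens on


def iptables_rules(local_object_storage: bool = False) -> List[str]:
    """Egress allow rules for every required destination on 443; inbound 443 is
    opened only for locally hosted object storage, the one case the article needs it."""
    dests = sorted(DISCOVERY_IPS) + [FILESPACE_SERVICE_IP, OBJECT_STORE_ENDPOINT]
    rules = [f"iptables -A OUTPUT -p tcp -d {d} --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
             for d in dests]
    if local_object_storage:
        rules.append("iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT")
    return rules


def unlisted_discovery_addresses(resolved: Set[str]) -> Set[str]:
    """Addresses the discovery DNS record resolves to that are not in DISCOVERY_IPS;
    anything returned here needs an egress rule before the client starts failing."""
    return set(resolved) - DISCOVERY_IPS


def resolve_discovery() -> Set[str]:
    """Live DNS lookup (network required); feed the result to unlisted_discovery_addresses."""
    return {info[4][0] for info in socket.getaddrinfo(DISCOVERY_HOST, 443, socket.AF_INET, socket.SOCK_STREAM)}


def port_is_free(port: int = LOCAL_DAEMON_PORT, host: str = "127.0.0.1") -> bool:
    """True if nothing accepts connections on host:port; the client will not start if 7778 is taken."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1)
        return s.connect_ex((host, port)) != 0


def tls_inspection_suspected(host: str, port: int = 443) -> bool:
    """Heuristic check for an inspecting firewall on a LucidLink service endpoint (network required).
    The article says discovery and filespace services present certificates from LucidLink's
    internal CA, which the OS trust store does not contain, so a handshake that verifies cleanly
    against that store means a device in the path re-signed the connection with an injected CA.
    A verification failure is the expected, healthy result here."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False
```

Run tls_inspection_suspected only against the discovery host and your filespace service IP; the object storage endpoint uses a publicly trusted certificate, so a clean verification there is normal.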


LucidLink Services:


Software:

FUSE https://en.wikipedia.org/wiki/Filesystem_in_Userspace must be installed as a dependency on macOS and Linux. Users with strongly secured environments may receive a warning to allow 3rd-party driver installation.

macOS requires kernel extension (KEXT) approval for FUSE for macOS (https://osxfuse.github.io/); please see "Filespace fails to mount macOS".

LucidFS is a required driver within a Windows environment and is included within our installation.

The LucidLink client REST API communicates with the local daemon/service via the default instance TCP/IP port 7778. Should this port already be in use, the OS client will fail to start; please consult "OS client fails to start".

Most object storage providers require Transport Layer Security (TLS) 1.1 or later for their connections.