Securing your data in File Storage for Classic

IBM Cloud® takes the need for security seriously, and understands the importance of being able to encrypt data to keep it safe. With provider-managed encryption, IBM Cloud® File Storage for Classic that is provisioned with either Endurance or Performance options, is secured by default at no additional cost and no impact on performance.

The provider-managed encryption-at-rest feature uses the following industry standard protocols:

Industry-Standard AES-256 encryption.
Keys are managed in-house with industry standard Key Management Interoperability Protocol (KMIP).
Storage is validated for US Federal Information Processing Standard (FIPS) Publication 140-2, Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA). Storage is also validated for Payment Card Industry (PCI), Basel II, California Security Breach Information Act (SB 1386), and EU General Data Protection Regulation (GDPR) compliance.

Securing your snapshots or replicated storage

All snapshots and replicas of encrypted File Storage are also encrypted by default. This feature can’t be turned off on a volume basis. All cluster-to-cluster traffic is encrypted with TLS.

Provisioning storage with encryption

The provider-managed encryption-at-rest feature is available in all data centers. All storage that is ordered in these data centers is automatically provisioned with encryption for data-at-rest.

When you order File Storage for Classic, select a data center that is marked with an asterisk (*). You can see a lock icon next to the Volume Name field that indicates that the volume is encrypted. See Figure 1.

Figure 1. Example of the lock icon that indicates that the volume is encrypted.

Any nonencrypted storage that was provisioned before a data center upgrade is not automatically encrypted. If you own nonencrypted storage in an upgraded data center and you want to have it encrypted, you need to create a volume and move your data. For more information, see File Storage Migration in Upgraded Data Centers.

Deleting File Storage for Classic instances

If you no longer need a specific volume, you can cancel that storage. File Storage for Classic presents file shares to customers on physical storage that is wiped before any reuse. For more information, see the FAQs.

Customers with special requirements for compliance such as NIST 800-88 Guidelines for Media Sanitization can perform the data sanitization procedure before they delete their storage.

To cancel a storage volume, you need to revoke access from any hosts first. Active replicas and dependent duplicates can also block reclamation of the Storage volume. Make sure that the volume is no longer mounted, host authorizations are revoked, replication is canceled, and no dependent duplicates exist before you attempt to cancel the original volume.

Go to the IBM Cloud® console. From the menu, select Classic Infrastructure .
Click Storage > File Storage for Classic.
Click Actions for the volume to be canceled, and select Delete File Storage for Classic.
Confirm if you want to cancel the volume immediately or on the anniversary date of when the volume was provisioned.

If you select the option to cancel the volume on its anniversary date, you can void the cancellation request before its anniversary date.
Click Continue.
Click the acknowledgment checkbox, and click Confirm.

When the volume is deleted, the request is followed by a 24-hour reclaim wait period. You can still see the volume in the console during those 24 hours. When the reclaim-period expires, the data is destroyed and the volume is removed from the console, too. However, billing for the volume stops immediately. For more information, see the FAQs.

After the Storage LUN is reclaimed, the disk is wiped, and data can't be restored. When drives are decommissioned in a data center, IBM destroys them before they are disposed of. The drives become unusable. Any data that was written to that drive becomes inaccessible.