Created Filer Data Encryption (markdown)

Filer-Data-Encryption.md

@@ -0,0 +1,17 @@
+
+For filer,
+* The metadata is stored in filer store.
+* The actual data is stored in volume servers.
+
+However, there could be many volume servers. And the volumes may be tiered to the cloud. What if there are some security breach?
+
+### Encrypt data on volume servers
+`weed filer -encryptVolumeData` is an option to encrypt the data on volume servers. The encryption key is randomly generated during write time, and is different for different files. The encryption key is stored as metadata in filer store.
+
+So the volume data on the volume servers are encrypted and should be safe. As long as the filer store is not exposed, it is nearly impossible to guess the encryption keys for each file.
+
+### Safely Forget Data
+Another side is, with GDPR, companies are required to "forget" customer data after some time. If the volume data is stored on a glacial storage system, it is cumbersome to dig them out and destroy them. It is much easier to just delete the metadata, and the volume data is automatically "destroyed".
+
+### Note
+The volume servers are agnostic to encryption. There are no encryption if you only use master and volume servers as an object store.