DAOS_ENCRYPT_NLO

Parameter: DAOS_ENCRYPT_NLO
Short description: Enables encryption of externalized DAOS NLO files at the file system level.

Profile

Parameter: DAOS_ENCRYPT_NLO
Category: DAOS
Component: Server
Available since: 10.0
Supported versions: 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1
GUI equivalent: Server document (Transactional Logging → DAOS)
Possible values: 0 = off (default), 1 = store NLOs AES-encrypted

Description

DAOS stores attachments larger than DAOS_MIN_OBJ_SIZE as external *.nlo files in the DAOS path. By default, the NLOs are unencrypted at the file system level – anyone with access to the path can read them as ordinary files.
With DAOS_ENCRYPT_NLO=1, all newly written NLOs are additionally stored AES-encrypted. This setting is mandatory for GDPR/compliance requirements, especially when the DAOS storage resides on SAN/NAS.

Example configuration

DAOS_ENCRYPT_NLO=1

Notes & pitfalls

  • Existing NLOs are not encrypted retroactively – use tell daosmgr resync with rewriting or re-consolidate from the NSF side.
  • The key is bound to the server master key – ensure emergency access via the ID Vault.
  • Low CPU overhead on read/write – in practice hardly measurable.
  • Complements Create_AES_Databases=2 for end-to-end encryption.
  • The change takes effect only after a server restart.
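
An audit of the points above, as an added example that is not part of the original page or of the product: it reads notes.ini only (not the server document), checks the two settings named here, and lists NLO files older than the restart that activated encryption. The function names, the cutover timestamp supplied by the operator, and the use of file modification time as the write time are assumptions of this example.

```python
import os
import tempfile
from pathlib import Path


def read_notes_ini(path):
    """Parse notes.ini into {UPPERCASE_NAME: value}; headers and comments are skipped."""
    settings = {}
    for raw in Path(path).read_text(encoding="utf-8", errors="replace").splitlines():
        name, sep, value = raw.strip().partition("=")
        if sep and name and not name.startswith(("[", ";")):
            settings[name.strip().upper()] = value.strip()
    return settings


def audit(ini_path, daos_path, cutover_epoch):
    """Return (findings, legacy_nlos).

    cutover_epoch: time of the first server restart with DAOS_ENCRYPT_NLO=1,
    supplied by the operator (assumption: NLO mtime reflects when it was written).
    """
    s = read_notes_ini(ini_path)
    findings = []
    if s.get("DAOS_ENCRYPT_NLO", "0") != "1":  # page: 0 = off is the default
        findings.append("DAOS_ENCRYPT_NLO is not 1: new NLOs are stored unencrypted")
    if s.get("CREATE_AES_DATABASES") != "2":  # page pairs both settings
        findings.append("Create_AES_Databases is not 2")
    # NLOs written before the cutover were not encrypted retroactively.
    legacy = sorted(
        p.name for p in Path(daos_path).rglob("*")
        if p.is_file() and p.suffix.lower() == ".nlo" and p.stat().st_mtime < cutover_epoch
    )
    if legacy:
        findings.append(f"{len(legacy)} NLO file(s) predate the cutover and need rewriting")
    return findings, legacy


def demo():
    """Run the audit against a constructed notes.ini and DAOS directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ini = Path(tmp, "notes.ini")
        ini.write_text("[Notes]\nDAOS_ENCRYPT_NLO=1\nCreate_AES_Databases=2\n")
        daos = Path(tmp, "daos", "0001")
        daos.mkdir(parents=True)
        cutover = 1_700_000_000  # constructed restart time
        for name, mtime in (("OLD.nlo", cutover - 3600), ("NEW.nlo", cutover + 3600)):
            (daos / name).write_bytes(b"constructed sample")
            os.utime(daos / name, (mtime, mtime))
        return audit(ini, daos.parent, cutover)


if __name__ == "__main__":
    print(demo())
```

The file list is a candidate list for the rewrite step from the first note, not proof that a given NLO is unencrypted.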