VirtGuy1
1 Nickel

Avamar 6.x at-rest encryption enabled

Can anyone share some knowledge/real combat experience about the after-effects of enabling at-rest encryption in Avamar 6.0 and 6.1 in the GRID configuration and single-node server installations?

I'm in the middle of deciding whether this is worth enabling or not, because customers tend to ask whether we encrypt our backups at rest or not.

Thx in advance.

0 Kudos
19 Replies
8 Krypton

Re: Avamar 6.x at-rest encryption enabled

Here is a link to an example of what an unencrypted stripe will look like when viewed via the 'strings' command

0 Kudos
8 Krypton

Re: Avamar 6.x at-rest encryption enabled

A couple of other practical points to mention:

  • Encrypt at rest needs to be configured at system installation time.  It cannot be applied retrospectively.

  • Due to the additional overhead incurred by encryption processing during reads & writes there is a performance overhead of around 33%.  To account for this, systems may be configured with a modified diskreadonly limit to ensure that performance remains acceptable as the system operates at higher levels of capacity.  It would be wise to discuss this in more detail with EMC delivery / professional services if you plan on implementing EAR.

Following on from reply #1 it would be great if someone who has access to an encrypted system could add to the thread an example of what an encrypted data stripe looks like when viewed with 'strings'.

Hope that helps..

0 Kudos
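The 'strings' comparison discussed in the replies above can be scripted. This is an added example, not part of the original thread and not EMC code: the function names and both sample buffers are constructed, the Avamar stripe format is not assumed, and SHA-256 counter output stands in for ciphertext.

```python
import hashlib

# Bytes that strings(1) treats as text: printable ASCII plus tab.
PRINTABLE = frozenset(range(0x20, 0x7F)) | {0x09}

def printable_runs(data: bytes, min_len: int = 4):
    """Yield (offset, run) for each printable run of at least min_len bytes."""
    start = None
    for i, b in enumerate(data + b"\x00"):  # sentinel flushes a trailing run
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, data[start:i]
            start = None

def summarize(data: bytes, min_len: int = 4, long_len: int = 16) -> dict:
    """Summarise how much readable text a buffer exposes."""
    lengths = [len(run) for _, run in printable_runs(data, min_len)]
    return {
        "runs": len(lengths),
        "longest": max(lengths, default=0),
        # Long runs (paths, names, document text) rarely occur by chance.
        "long_runs": sum(1 for n in lengths if n >= long_len),
        "coverage": sum(lengths) / len(data) if data else 0.0,
    }

# Constructed sample: binary framing around a readable path, as an
# unencrypted data file might expose. Not real stripe contents.
PLAIN_LIKE = (b"\x00\x07\x1f\x80"
              + b"/home/alice/Documents/report-2012.docx"
              + b"\xff\x00") * 8

# Constructed stand-in for ciphertext: 4 KiB of SHA-256 counter output.
CIPHER_LIKE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
)

if __name__ == "__main__":
    for name, buf in (("plain-like", PLAIN_LIKE), ("cipher-like", CIPHER_LIKE)):
        print(name, summarize(buf))
```

Long readable runs show the data is stored in the clear. Their absence is weaker evidence, because compressed data also yields few strings.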
VirtGuy1
1 Nickel

Re: Avamar 6.x at-rest encryption enabled

The points you mentioned are from the Security Guide for Avamar 🙂

This I know, but from what I've heard, the performance overhead in real life is higher, especially for the hfscheck and restore operations, when every block has to be decrypted before checking.

Also, in version 6.1 EMC shifted to AES 128 CFB encryption from Blowfish.

If somebody has already gone down that path and could share the knowledge that would be great ;-D

0 Kudos
8 Krypton

Re: Avamar 6.x at-rest encryption enabled

Encrypt at rest needs to be configured at system installation time.  It cannot be applied retrospectively.

In Avamar 6.1, encrypt at rest can be enabled after the fact but stripes will only be encrypted when they are changed. The software cannot guarantee when (or even if) a stripe will be changed so it is much better to enable encrypt at rest up front.

8 Krypton

Re: Avamar 6.x at-rest encryption enabled

Ian, where can I find out how to enable encryption at rest after the initial install?

0 Kudos
8 Krypton

Re: Avamar 6.x at-rest encryption enabled

This information is not available in any publicly facing document so I can't post it here. I don't know if partners have access to the Technical Addendum or if it is strictly an internal document but the commands to modify the encrypt-at-rest settings are in there. If you are not able to access this document through PowerLink or Service Center, you will need to contact support.

0 Kudos
8 Krypton

Re: Avamar 6.x at-rest encryption enabled

How would you go about finding out post-installation if encryption was enabled?  We have a customer with Avamar that was deployed by a partner they no longer use and they are not sure if encryption was enabled or not during installation.

Thanks

Ken

0 Kudos
8 Krypton

Re: Avamar 6.x at-rest encryption enabled

It depends whether the system is running Avamar 6.0 or 6.1. Could you please clarify which version the customer is running?

0 Kudos
8 Krypton

Re: Avamar 6.x at-rest encryption enabled

Customer is running 6.0, but it would be nice to know for both versions.

0 Kudos