Can anyone share some knowledge/real combat experience about the after effects of enabling the at-rest encryption in Avamar 6.0 and 6.1 in the GRID configuration and sigle node server installations.
I'm in a middle of decission if this is worth enabling or not, because customers tend to ask about whether we encrypt at-rest our backups or not.
Thx in advance.
A couple of other practical points to mention:
Following on from reply #1 it would be great if someone who has access to an encrypted system could add to the thread an example of what an encrypted data stripe looks like when viewed with 'strings'.
Hope that helps..
THe point You mentioned are from Security Guide for Avamar 🙂
THis I know, but what I've heared the performance overhead is in real life is higher, especially for the hfscheck and restore operation when every block has to be decrypted before checking.
Also in 6.1 version EMC shifted to AES 128 CFB encryption from blowfish.
If somebody has already gone down that path and could share the knowledge that would be great ;-D
Encrypt at rest needs to be configured at system installation time. It cannot be applied retrospectively.
In Avamar 6.1, encrypt at rest can be enabled after the fact but stripes will only be encrypted when they are changed. The software cannot guarantee when (or even if) a stripe will be changed so it is much better to enable encrypt at rest up front.
This information is not available in any publicly facing document so I can't post it here. I don't know if partners have access to the Technical Addendum or if it is strictly an internal document but the commands to modify the encrypt-at-rest settings are in there. If you are not able to access this document through PowerLink or Service Center, you will need to contact support.
How would you go about finding out post-installation if encryption was enabled? We have a customer with Avamar that was deployed by a partner they no longer use and they are not sure if encryption was enabled or not during installation.