
September 18th, 2012 00:00

Avamar 6.x at-rest encryption enabled

Can anyone share some knowledge/real combat experience about the after-effects of enabling at-rest encryption in Avamar 6.0 and 6.1 in the GRID configuration and in single-node server installations?

I'm in the middle of deciding whether this is worth enabling or not, because customers tend to ask whether we encrypt our backups at rest.

Thx in advance.

September 18th, 2012 02:00

Here is a link to an example of what an unencrypted stripe will look like when viewed via the 'strings' command.


September 18th, 2012 03:00

The points you mentioned are from the Security Guide for Avamar :-)

This I know, but from what I've heard the performance overhead in real life is higher, especially for the hfscheck and restore operations, when every block has to be decrypted before checking.

Also, in version 6.1 EMC shifted from Blowfish to AES 128 CFB encryption.

If somebody has already gone down that path and could share the knowledge that would be great ;-D

September 18th, 2012 03:00

A couple of other practical points to mention:

  • Encrypt at rest needs to be configured at system installation time.  It cannot be applied retrospectively.

  • Due to the additional overhead incurred by encryption processing during reads & writes there is a performance overhead of around 33%.  To account for this, systems may be configured with a modified diskreadonly limit to ensure that performance remains acceptable as the system operates at higher levels of capacity.  It would be wise to discuss this in more detail with EMC delivery / professional services if you plan on implementing EAR.

Following on from reply #1 it would be great if someone who has access to an encrypted system could add to the thread an example of what an encrypted data stripe looks like when viewed with 'strings'.

Hope that helps.


September 18th, 2012 07:00

Encrypt at rest needs to be configured at system installation time.  It cannot be applied retrospectively.

In Avamar 6.1, encrypt at rest can be enabled after the fact but stripes will only be encrypted when they are changed. The software cannot guarantee when (or even if) a stripe will be changed so it is much better to enable encrypt at rest up front.


November 26th, 2012 12:00

Ian, where can I find out how to enable encryption at rest after the initial install?


November 26th, 2012 19:00

This information is not available in any publicly facing document so I can't post it here. I don't know if partners have access to the Technical Addendum or if it is strictly an internal document but the commands to modify the encrypt-at-rest settings are in there. If you are not able to access this document through PowerLink or Service Center, you will need to contact support.


April 16th, 2013 10:00

How would you go about finding out post-installation if encryption was enabled? We have a customer with Avamar that was deployed by a partner they no longer use, and they are not sure whether encryption was enabled during installation.

Thanks

Ken


April 16th, 2013 11:00

It depends whether the system is running Avamar 6.0 or 6.1. Could you please clarify which version the customer is running?


April 16th, 2013 11:00

Customer is running 6.0, but it would be nice to know for both versions.


April 16th, 2013 11:00

For systems running 6.0 or older, you will see something like the following if you run avmaint nodelist | grep encryptatrest:

If the "encryptatrest" flag is true for any node, we can guarantee that encrypt at rest is enabled:

admin@testgrid1:~/>: avmaint nodelist | grep encryptatrest
      encryptatrest="false"
      encryptatrest="true"
      encryptatrest="false"
      encryptatrest="false"

If the flag is false for all nodes, encrypt at rest is probably not enabled but we have seen situations where this test returns a false negative (i.e. encrypt at rest is enabled but the nodelist output reports false for every node). If you need to be 100% sure, support has a test they can run that will confirm for certain whether encrypt at rest is enabled or not.

admin@testgrid1:~/>: avmaint nodelist | grep encryptatrest
      encryptatrest="false"
      encryptatrest="false"
      encryptatrest="false"
      encryptatrest="false"

For Avamar 6.1, the command changes slightly to avmaint nodelist --xmlperline=99 | grep atrest:

admin@testgrid2:~/>: avmaint nodelist --xmlperline=99 | grep atrest


If encrypt at rest is enabled, the system will report enabled="true" for all the nodes and the number of salts will be non-zero.
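As an added worked example (written here, not taken from the thread or from EMC documentation), the following script applies the decision rule from the reply above to saved output of the 6.0-style avmaint nodelist | grep encryptatrest check: any node reporting true means encrypt at rest is definitely on, while all-false is only "probably off" because of the false-negative case the reply describes. The sample output strings are constructed to match the shape quoted above; the only Avamar identifier used is the encryptatrest flag, and the function and verdict names are the author's own.

```python
import re
import sys

# Constructed samples in the shape of `avmaint nodelist | grep encryptatrest`
# on Avamar 6.0, as quoted in the thread (not captured from a real grid).
SAMPLE_ONE_TRUE = """\
      encryptatrest="false"
      encryptatrest="true"
      encryptatrest="false"
      encryptatrest="false"
"""

SAMPLE_ALL_FALSE = """\
      encryptatrest="false"
      encryptatrest="false"
      encryptatrest="false"
      encryptatrest="false"
"""

FLAG_RE = re.compile(r'encryptatrest="(true|false)"')


def parse_flags(output):
    """Return one boolean per node line, in output order."""
    return [m.group(1) == "true" for m in FLAG_RE.finditer(output)]


def classify(output):
    """Apply the thread's decision rule to the grep output.

    'enabled'           -> at least one node reports true (certain)
    'probably-disabled' -> every node reports false; the reply notes this can
                           be a false negative, so confirm with support
    'unknown'           -> no flag lines at all (wrong version, typo in the
                           grep pattern, or no output captured)
    """
    flags = parse_flags(output)
    if not flags:
        return "unknown"
    if any(flags):
        return "enabled"
    return "probably-disabled"


def summarize(output):
    """Per-node counts alongside the verdict, for an audit record."""
    flags = parse_flags(output)
    return {
        "nodes": len(flags),
        "nodes_true": sum(flags),
        "verdict": classify(output),
    }


if __name__ == "__main__":
    # Usage: avmaint nodelist | grep encryptatrest | python3 ear_check.py
    # (ear_check.py is a hypothetical file name for this script)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ONE_TRUE
    print(summarize(text))
```

Because the verdict for the all-false case is deliberately not "disabled", the script's output should be treated as a screening result for 6.0 systems, with support's definitive test used to close the question when the answer matters contractually.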


January 15th, 2014 00:00

Hello Jan,

Do I understand correctly that with Avamar 7 I don't have to enable encryption at rest during the installation?

I don't see any setting in the install GUI where I can enable this option.

I have the technical addendum, but it only describes how to enable it after the installation.


January 15th, 2014 06:00

While it is now possible to enable encrypt-at-rest post-install in Avamar 7, it still isn't a good idea. Avamar doesn't guarantee that any data already on the system will ever be encrypted if encrypt at rest is enabled later. During the install process you should be prompted for a salt and a password for encrypt-at-rest. If you specify a salt and a password, encrypt-at-rest will be enabled. If you don't, it won't.

Don't forget that encrypt-at-rest comes with an overhead cost.


January 20th, 2015 03:00

Can we enable encryption on only one node?

I thought of this since we were checking whether encryption is enabled on each node.

This is because we have only one customer out of a few asking for this feature. We will let that customer back up to that node only.


January 20th, 2015 03:00

I don't think you can do that.


January 20th, 2015 06:00

No, you definitely can't. Besides, even if you're only allowing the customer to connect to one node, their data is going to end up on all the nodes anyway. The Avamar server automatically distributes the data amongst the data nodes to balance the load.
