6 Posts
0
5058
Avamar 6.x at-rest encryption enabled
Can anyone share some knowledge/real combat experience about the after effects of enabling the at-rest encryption in Avamar 6.0 and 6.1 in the GRID configuration and single node server installations?
I'm in the middle of a decision on whether this is worth enabling or not, because customers tend to ask whether we encrypt our backups at rest or not.
Thx in advance.
Avamar Exorcist
462 Posts
0
September 18th, 2012 02:00
Here is a link to an example of what an unencrypted stripe will look like when viewed via the 'strings' command
VirtGuy1
6 Posts
0
September 18th, 2012 03:00
The points you mentioned are from the Security Guide for Avamar :-)
This I know, but from what I've heard the performance overhead in real life is higher, especially for the hfscheck and restore operations, when every block has to be decrypted before checking.
Also, in version 6.1 EMC shifted to AES 128 CFB encryption from Blowfish.
If somebody has already gone down that path and could share the knowledge that would be great ;-D
Avamar Exorcist
462 Posts
0
September 18th, 2012 03:00
A couple of other practical points to mention:
Following on from reply #1 it would be great if someone who has access to an encrypted system could add to the thread an example of what an encrypted data stripe looks like when viewed with 'strings'.
Hope that helps..
ionthegeek
2K Posts
1
September 18th, 2012 07:00
In Avamar 6.1, encrypt at rest can be enabled after the fact but stripes will only be encrypted when they are changed. The software cannot guarantee when (or even if) a stripe will be changed so it is much better to enable encrypt at rest up front.
rob_steele
120 Posts
0
November 26th, 2012 12:00
Ian, where can I find out how to enable encryption at rest after the initial install?
ionthegeek
2K Posts
0
November 26th, 2012 19:00
This information is not available in any publicly facing document so I can't post it here. I don't know if partners have access to the Technical Addendum or if it is strictly an internal document but the commands to modify the encrypt-at-rest settings are in there. If you are not able to access this document through PowerLink or Service Center, you will need to contact support.
kclebak
31 Posts
0
April 16th, 2013 10:00
How would you go about finding out post-installation if encryption was enabled? We have a customer with Avamar that was deployed by a partner they no longer use and they are not sure if encryption was enabled or not during installation.
Thanks
Ken
ionthegeek
2K Posts
0
April 16th, 2013 11:00
It depends whether the system is running Avamar 6.0 or 6.1. Could you please clarify which version the customer is running?
kclebak
31 Posts
0
April 16th, 2013 11:00
Customer is running 6.0, but it would be nice to know for both versions.
ionthegeek
2K Posts
0
April 16th, 2013 11:00
For systems running 6.0 or older, you will see something like the following if you run avmaint nodelist | grep encryptatrest:
If the "encryptatrest" flag is true for any node, we can guarantee that encrypt at rest is enabled:
If the flag is false for all nodes, encrypt at rest is probably not enabled but we have seen situations where this test returns a false negative (i.e. encrypt at rest is enabled but the nodelist output reports false for every node). If you need to be 100% sure, support has a test they can run that will confirm for certain whether encrypt at rest is enabled or not.
For Avamar 6.1, the command changes slightly to avmaint nodelist --xmlperline=99 | grep atrest:
If encrypt at rest is enabled, the system will report enabled="true" for all the nodes and the number of salts will be non-zero.
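The decision rules from the reply above, written out as an added example (not part of the original post and not EMC's own tooling). The function names, the sample lines and the nr-salts attribute name are assumptions made for illustration; the important detail is that an all-false result on 6.0 is reported as inconclusive rather than disabled.

```shell
#!/bin/sh
# Added example: classify encrypt-at-rest state from nodelist output on stdin.
# On a server:  avmaint nodelist | ear_status_60
#               avmaint nodelist --xmlperline=99 | ear_status_61

# Avamar 6.0 and older. Any node reporting true means enabled. All false is
# only "inconclusive", because this test can return a false negative.
ear_status_60() {
    flags=$(grep -o 'encryptatrest="[a-z]*"' || true)
    if [ -z "$flags" ]; then
        echo "no-data"
    elif printf '%s\n' "$flags" | grep -q '"true"'; then
        echo "enabled"
    else
        echo "inconclusive"
    fi
}

# Avamar 6.1. Enabled only if every atrest line has enabled="true" and a
# non-zero salt count. The attribute name nr-salts is an assumption.
ear_status_61() {
    lines=$(grep 'atrest' || true)
    if [ -z "$lines" ]; then
        echo "no-data"
        return
    fi
    total=$(printf '%s\n' "$lines" | grep -c 'atrest')
    good=$(printf '%s\n' "$lines" | grep 'enabled="true"' |
           grep -c 'nr-salts="[1-9][0-9]*"' || true)
    if [ "$good" -eq "$total" ]; then
        echo "enabled"
    else
        echo "not-enabled"
    fi
}

# Constructed, simplified sample lines (not captured from a real system).
SAMPLE_60_FALSE='<node id="0.0" encryptatrest="false"/>
<node id="0.1" encryptatrest="false"/>'
SAMPLE_60_TRUE='<node id="0.0" encryptatrest="true"/>
<node id="0.1" encryptatrest="false"/>'
SAMPLE_61_ON='<atrestencryption-status enabled="true" nr-salts="1"/>
<atrestencryption-status enabled="true" nr-salts="1"/>'
SAMPLE_61_NOSALT='<atrestencryption-status enabled="true" nr-salts="0"/>'
```

An "inconclusive" result on 6.0 is the case where the reply says support can run a definitive test.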
Druehl1
223 Posts
0
January 15th, 2014 00:00
Hello Jan,
Do I understand correctly that with Avamar 7 I don't have to enable encryption at rest at the installation?
I don't see any setting in the install GUI where I can enable this option.
I have the technical addendum, but it only describes how to enable it after the installation.
ionthegeek
2K Posts
0
January 15th, 2014 06:00
While it is now possible to enable encrypt-at-rest post-install in Avamar 7, it still isn't a good idea. Avamar doesn't guarantee that any data already on the system will ever be encrypted if encrypt at rest is enabled later. During the install process you should be prompted for a salt and a password for encrypt-at-rest. If you specify a salt and a password, encrypt-at-rest will be enabled. If you don't, it won't.
Don't forget that encrypt-at-rest comes with an overhead cost.
avmaint
115 Posts
0
January 20th, 2015 03:00
Can we enable encryption only on one node?
I thought of this as we were checking if encryption is enabled on each node.
This is because we have only one customer, out of a few, asking for this feature. We will let the customer back up to that node only.
Nayaks1
77 Posts
0
January 20th, 2015 03:00
I don't think you can do that.
ionthegeek
2K Posts
0
January 20th, 2015 06:00
No, you definitely can't. Besides, even if you're only allowing the customer to connect to one node, their data is going to end up on all the nodes anyway. The Avamar server automatically distributes the data amongst the data nodes to balance the load.