ionthegeek
4 Beryllium

Re: Re: Avamar 6.x at-rest encryption enabled

For systems running 6.0 or older, you will see something like the following if you run avmaint nodelist | grep encryptatrest:

If the "encryptatrest" flag is true for any node, we can guarantee that encrypt at rest is enabled:

admin@testgrid1:~/>: avmaint nodelist | grep encryptatrest
      encryptatrest="false"
      encryptatrest="true"
      encryptatrest="false"
      encryptatrest="false"

If the flag is false for all nodes, encrypt at rest is probably not enabled but we have seen situations where this test returns a false negative (i.e. encrypt at rest is enabled but the nodelist output reports false for every node). If you need to be 100% sure, support has a test they can run that will confirm for certain whether encrypt at rest is enabled or not.

admin@testgrid1:~/>: avmaint nodelist | grep encryptatrest
      encryptatrest="false"
      encryptatrest="false"
      encryptatrest="false"
      encryptatrest="false"

For Avamar 6.1, the command changes slightly to avmaint nodelist --xmlperline=99 | grep atrest:

admin@testgrid2:~/>: avmaint nodelist --xmlperline=99 | grep atrest
    <atrestencryption-status enabled="false" nr-salts="0"/>
    <atrestencryption-status enabled="false" nr-salts="0"/>
    <atrestencryption-status enabled="false" nr-salts="0"/>
    <atrestencryption-status enabled="false" nr-salts="0"/>

If encrypt at rest is enabled, the system will report enabled="true" for all the nodes and the number of salts will be non-zero.

0 Kudos
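The check described in the post above, as an added shell example (not part of the original thread and not Avamar tooling): it classifies `avmaint nodelist` output in both formats and keeps the 6.0 false-negative caveat as its own result. The function names, the verdict strings and any non-zero salt count fed to the sample helper are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not Avamar tooling. Reads `avmaint nodelist` output on stdin
# and prints one verdict. The verdict names are this example's own.
classify_atrest() {
  awk '
    /encryptatrest="true"/  { old_true++ }       # 6.0 and older format
    /encryptatrest="false"/ { old_false++ }
    /<atrestencryption-status / {                # 6.1 format
      nodes++
      on = ($0 ~ /enabled="true"/)
      salts = 0
      if (match($0, /nr-salts="[0-9]+"/))
        salts = substr($0, RSTART + 10, RLENGTH - 11) + 0
      if (on && salts > 0)        new_on++
      else if (!on && salts == 0) new_off++
    }
    END {
      if (old_true + old_false + nodes == 0) print "NO_DATA"
      else if (old_true > 0)     print "ENABLED"       # any node true is conclusive
      else if (old_false > 0)    print "INCONCLUSIVE"  # false negatives have been seen
      else if (new_on == nodes)  print "ENABLED"       # all true, salts non-zero
      else if (new_off == nodes) print "REPORTED_DISABLED"
      else                       print "MIXED"         # assumption: needs follow-up
    }'
}

# Constructed samples modelled on the output shown in the post.
sample_60_one_true()  { printf '      encryptatrest="%s"\n' false true false false; }
sample_60_all_false() { printf '      encryptatrest="%s"\n' false false false false; }
# Arguments are pairs: enabled value, then salt count (one pair per node).
sample_61() {
  printf '    <atrestencryption-status enabled="%s" nr-salts="%s"/>\n' "$@"
}
```

On a live system the input would come from `avmaint nodelist | classify_atrest` (6.0 and older) or `avmaint nodelist --xmlperline=99 | classify_atrest` (6.1).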
Druehl1
3 Argentium

Re: Avamar 6.x at-rest encryption enabled

Hello Jan,

Do I understand correctly that with Avamar 7 I don't have to enable encryption at rest at installation?

I don't see any setting in the install GUI where I can enable this option.

I have the technical addendum, but it only describes how to enable it after the installation.

0 Kudos
ionthegeek
4 Beryllium

Re: Avamar 6.x at-rest encryption enabled

While it is now possible to enable encrypt-at-rest post-install in Avamar 7, it still isn't a good idea. Avamar doesn't guarantee that any data already on the system will ever be encrypted if encrypt at rest is enabled later. During the install process you should be prompted for a salt and a password for encrypt-at-rest. If you specify a salt and a password, encrypt-at-rest will be enabled. If you don't, it won't.

Don't forget that encrypt-at-rest comes with an overhead cost.

0 Kudos
avmaint
3 Argentium

Re: Avamar 6.x at-rest encryption enabled

Can we enable encryption only on one node?

I thought of this as we were checking if encryption is enabled on each node?

This is because we have only one customer asking for this feature out of a few. We will let the customer back up to that node only.

0 Kudos
Nayaks1
2 Iron

Re: Avamar 6.x at-rest encryption enabled

I don't think you can do that

0 Kudos
ionthegeek
4 Beryllium

Re: Avamar 6.x at-rest encryption enabled

No, you definitely can't. Besides, even if you're only allowing the customer to connect to one node, their data is going to end up on all the nodes anyway. The Avamar server automatically distributes the data amongst the data nodes to balance the load.

0 Kudos
avmaint
3 Argentium

Re: Avamar 6.x at-rest encryption enabled

I do understand this, as Avamar is a RAIN architecture. But by limiting the customer's servers to write backups to a single node we are enforcing other customers' backups. We have only one customer who is PCI compliant.

As EMC Avamar supports BAAS, this feature should be incorporated at plugin level while installing the Avamar backup agent, so that the option takes care of encrypting.

0 Kudos
Nayaks1
2 Iron

Re: Avamar 6.x at-rest encryption enabled

You can probably submit an RFE, but I'm not sure how this can be implemented efficiently with the way Avamar works internally.

0 Kudos
ionthegeek
4 Beryllium

Re: Avamar 6.x at-rest encryption enabled

I don't foresee this ever being implemented. It would be a very high risk change and it violates several core architectural principles of Avamar.

That said, you do have options. There is a REST management API that was designed specifically with BaaS providers in mind. One of the main features is that you can organize Avamar systems into pools in order to reduce the overhead involved in managing multiple systems and distribute tenants across them as you wish. If you only have one customer who requires encrypt-at-rest, you could stand up an AVE, a single node system or a small grid with encrypt-at-rest enabled and limit the customer's clients to the encrypt-at-rest system.

Access to the REST API is currently only available by RPQ but this is mainly a formality so the product management team can keep track of which customers are using it. If you talk to your account team, they can file the RPQ on your behalf.

0 Kudos
avmaint
3 Argentium

Re: Avamar 6.x at-rest encryption enabled

Thank you, Ian, for the detailed explanation.

As the document mentioned, though we specify the overhead, customers will be adamant to have it as per PCI-DSS etc. audits and compliance needs.

The way we segregate customers via VLANs (though data is internally replicated for RAIN), similarly enabling the E@R on a single node also should be made possible by EMC, which will be easy to deploy without overhead affecting other customers.

Our storage capacity demands are not so high for now to deploy a separate AVE. Once the 16-node grid is full and we see a new customer for E@R we might deploy AVE+E@R.

0 Kudos