azanotta
2 Bronze

Avamar at-rest encryption config

Hello everybody,

I have a simple question (at least I think).

How can I know if at-rest encryption is enabled in Avamar 6.0?

Thanks and regards,

Andrés.

Accepted Solutions
ionthegeek
4 Beryllium

Re: Avamar at-rest encryption config

Log into your utility node (or single node server) and run the following command:

avmaint nodelist | grep encryptatrest

If you see something like the following, encrypt at rest is enabled on all nodes (note that only one node will show "true"):

admin@testgrid1:~/>: avmaint nodelist | grep encryptatrest
      encryptatrest="false"
      encryptatrest="true"
      encryptatrest="false"
      encryptatrest="false"

If you see something like the following, chances are very good that EAR is disabled but you'll have to contact support to make a definitive assessment:

admin@testgrid1:~/>: avmaint nodelist | grep encryptatrest
      encryptatrest="false"
      encryptatrest="false"
      encryptatrest="false"
      encryptatrest="false"

Message was edited by: ianderson - clarify that EAR is enabled on all nodes but reported on one

15 Replies
azanotta
2 Bronze

Re: Avamar at-rest encryption config

ianderson,

thanks a lot for the answer. Was very helpful.

Regards,

ionthegeek
4 Beryllium

Re: Avamar at-rest encryption config

My pleasure!

VirtGuy1
1 Copper

Re: Avamar at-rest encryption config

I know that this post is very old but I have a question: why on the list is only one node in the grid encrypted at-rest?

If encryption at-rest is enabled shouldn't it work that way that all of the nodes are encrypted?

avamar_exorcist
3 Argentium

Re: Avamar at-rest encryption config

When the avmaint nodelist command is run, even though only one node reports back with "encryptatrest=true", the data is in fact encrypted across all the nodes.

VirtGuy1
1 Copper

Re: Avamar at-rest encryption config

Thx for the answer, but I'm still suspicious 😉

Why does only one report back that encryption is enabled?

Is this some sort of a limitation of the MCCLI?

It's a little confusing.

avamar_exorcist
3 Argentium

Re: Avamar at-rest encryption config

You can prove to yourself that the data is encrypted across all the nodes and not just one of them.

For example, if you log on to a system where encrypt at rest is not enabled and run the "strings" command against a data stripe (*.dat) you will see shreds of readable information. These are fragments of data stored in the chunks contained within that unencrypted data stripe.

If you run the same against a data stripe on an encrypted system you should just see gibberish. You can try this against stripes on each node.

Unfortunately I don't have a system to hand which is configured with encrypt at rest, but on an unencrypted system you will at least see human-readable output (provided that the chunk you are viewing contains cleartext data).

Unencrypted stripe example:

admin@datanode1:/data01/cur/>: strings 0000000000000051.dat | less
sleep ` )
s cp=%T-1|
stat1
has beenu
it's%
&,V
: a l
ired
presen" S<
Tly#
reduc"
"#0V`
FfVto
ERROR_ACCESS_DENI|
_HANDLEh
NAM(4
DOES_NOT_EXIST=
Manager 8h      <|
bun#
`ll%
QdWh#
f#@`
: you must be an ad"p$

Hope that helps..
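
The "strings" comparison described in the post above, turned into a number, as an added example that is not part of the original post: it reports what share of a buffer sits inside printable runs, which is what separates readable fragments from gibberish. The two sample buffers are constructed, and MIN_RUN and THRESHOLD are assumed heuristics; a low score on one stripe only means that stripe showed no cleartext, so sample several stripes on each node.

```python
import hashlib
import re

MIN_RUN = 8        # assumption: longer than strings' default of 4, to suppress chance runs
THRESHOLD = 0.02   # assumption: heuristic cut-off, calibrate on a known-cleartext stripe

def printable_runs(data, min_len=MIN_RUN):
    """Printable-ASCII runs of at least min_len bytes, like `strings -n min_len`."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def readable_fraction(data, min_len=MIN_RUN):
    """Share of the buffer's bytes that sit inside printable runs."""
    if not data:
        return 0.0
    return sum(len(r) for r in printable_runs(data, min_len)) / len(data)

def looks_cleartext(data):
    """True when enough of the buffer is readable to rule out encryption."""
    return readable_fraction(data) >= THRESHOLD

def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy bytes standing in for an encrypted stripe."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def constructed_cleartext_stripe():
    """Binary noise with readable fragments embedded every 256 bytes."""
    noise = pseudo_random(32 * 1024, seed=b"noise")
    text = b"constructed sample: the backup of /home/user completed without errors\n"
    parts = []
    for i in range(0, len(noise), 256):
        parts.append(noise[i:i + 256])
        parts.append(text)
    return b"".join(parts)

ENCRYPTED_LIKE = pseudo_random(64 * 1024)       # constructed sample
CLEARTEXT_LIKE = constructed_cleartext_stripe()  # constructed sample

if __name__ == "__main__":
    for name, buf in (("encrypted-like", ENCRYPTED_LIKE),
                      ("cleartext-like", CLEARTEXT_LIKE)):
        print(name, round(readable_fraction(buf), 4), looks_cleartext(buf))
```

To score a real stripe, pass the bytes read from the .dat file to readable_fraction().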

ionthegeek
4 Beryllium

Re: Avamar at-rest encryption config

All the nodes are encrypted but only one node reports on the encryption status in Avamar 5.0 and 6.0.

There have been substantial changes to encrypt-at-rest in Avamar 6.1 so the information in this post may not apply to 6.1 systems.

ionthegeek
4 Beryllium

Re: Avamar at-rest encryption config

Here is the corresponding nodelist output for Avamar 6.1 systems:

Encrypt at rest disabled:

admin@testgrid:~/>:avmaint nodelist --ava --xmlperline=99 | grep atrest
    <atrestencryption-status enabled="false" nr-salts="0"/>
    <atrestencryption-status enabled="false" nr-salts="0"/>
    <atrestencryption-status enabled="false" nr-salts="0"/>
    <atrestencryption-status enabled="false" nr-salts="0"/>

Encrypt at rest enabled:

admin@testgrid2:~/>:avmaint nodelist --ava --xmlperline=99 | grep atrest
    <atrestencryption-status enabled="true" nr-salts="16"/>
    <atrestencryption-status enabled="true" nr-salts="16"/>
    <atrestencryption-status enabled="true" nr-salts="16"/>
    <atrestencryption-status enabled="true" nr-salts="16"/>
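
The reading rules given in this thread for both output formats, collected into one check, as an added example that is not code from any poster or from Avamar: on 5.0/6.0 a single "true" means enabled on all nodes and all "false" is only a probable "disabled", while on 6.1 every node reports its own status. The function name, the verdict strings and the "inconsistent" verdict for mixed 6.1 output are assumptions; the sample inputs are constructed from the output shown above.

```python
import re

# Avamar 5.0/6.0 attribute and Avamar 6.1 element, as shown in the thread.
LEGACY = re.compile(r'\bencryptatrest="(true|false)"')
V61 = re.compile(
    r'<atrestencryption-status\s+enabled="(true|false)"\s+nr-salts="(\d+)"\s*/>')

def ear_status(nodelist_text):
    """Classify saved `avmaint nodelist` output (hypothetical helper)."""
    v61 = V61.findall(nodelist_text)
    if v61:
        # 6.1: each node reports for itself, so the flags should agree.
        flags = {enabled for enabled, _salts in v61}
        if flags == {"true"}:
            return "enabled"
        if flags == {"false"}:
            return "disabled"
        return "inconsistent"  # assumption: mixed output is not covered in the thread
    legacy = LEGACY.findall(nodelist_text)
    if not legacy:
        return "unknown"       # no encryption attribute found in the input
    if "true" in legacy:
        # 5.0/6.0: only one node reports "true" although all nodes are encrypted.
        return "enabled"
    # 5.0/6.0: all "false" is a strong hint only; support makes the final call.
    return "probably-disabled"

# Constructed samples that mirror the output quoted in the thread.
LEGACY_ENABLED = '\n'.join(
    '      encryptatrest="%s"' % v for v in ("false", "true", "false", "false"))
LEGACY_ALL_FALSE = '\n'.join('      encryptatrest="false"' for _ in range(4))
V61_ENABLED = '\n'.join(
    '    <atrestencryption-status enabled="true" nr-salts="16"/>' for _ in range(4))
V61_DISABLED = '\n'.join(
    '    <atrestencryption-status enabled="false" nr-salts="0"/>' for _ in range(4))
V61_MIXED = V61_ENABLED + '\n' + V61_DISABLED.splitlines()[0]

if __name__ == "__main__":
    for name in ("LEGACY_ENABLED", "LEGACY_ALL_FALSE",
                 "V61_ENABLED", "V61_DISABLED", "V61_MIXED"):
        print(name, "->", ear_status(globals()[name]))
```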
