
Encryption at-rest questions

I have a couple of questions regarding encryption at-rest I was hoping you guys could help clarify for me.

  1. Is the "Rest Password" recommended when using encryption at-rest? The SLES install document indicates that it is optional but you'd think the salt table should be protected. What sort of security impact results from not entering a rest password?
  2. Any recommendations on what should be used for the rest salt? Would a simple 5-10 character string be enough?
  3. It's my understanding that Avamar, when writing backups to a Data Domain system, cannot encrypt the data. In order to protect data on the Data Domain does EMC support leveraging DD's own data at-rest encryption services in conjunction? I understand that in an ideal scenario these backups would be best stored locally on the Avamar server.

Thanks!


Accepted Solutions

Re: Encryption at-rest questions

Is the "Rest Password" recommended when using encryption at-rest? The SLES install document indicates that it is optional but you'd think the salt table should be protected. What sort of security impact results from not entering a rest password?

If no rest password is specified, a password will be generated when the first salt is added.

Any recommendations on what should be used for the rest salt? Would a simple 5-10 character string be enough?

Since this is the initial rest salt, you can use basically anything. Salts are rotated periodically anyway. Avoid using special characters in the GUI interface -- there's a known issue with special character handling in the at-rest password and initial at-rest salt fields. If you have a requirement to use special characters in the salt or password, you can skip setting these parameters in the GUI and use avmaint atrestencryption --restsalt=<properly quoted rest salt> and avmaint atrestencryption --restpassword=<properly quoted rest password> to set them after the install is complete (but before any customer data is added to the system).

It's my understanding that Avamar, when writing backups to a Data Domain system, cannot encrypt the data. In order to protect data on the Data Domain does EMC support leveraging DD's own data at-rest encryption services in conjunction? I understand that in an ideal scenario these backups would be best stored locally on the Avamar server.

I believe that this is not possible right now but there are plans to support it in a future version.
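The avmaint route described in the answer above only works if the salt and password reach the tool exactly as typed, which is where special characters bite. As an added example, not code from this thread or from Avamar, the POSIX shell helpers below quote an arbitrary value safely for the command line, check whether a value would be safe to type into the installer GUI, generate an alphanumeric initial salt, and print the avmaint command without running it; the two flag names are the ones given in the answer, while the helper names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Avamar): quote at-rest
# encryption values safely for the avmaint command line. Only the two
# flags named in the answer (--restsalt, --restpassword) are used and
# nothing here executes avmaint; avmaint_cmd prints the command.

# Wrap an arbitrary string in single quotes, escaping embedded single
# quotes, so the shell passes it through byte-for-byte.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Return 0 when the value is non-empty and purely alphanumeric (safe for
# the installer GUI fields), 1 when it holds characters the GUI is known
# to mishandle and the avmaint route should be used instead.
is_gui_safe() {
  case $1 in
    '' | *[!A-Za-z0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Generate a random alphanumeric initial salt of the requested length
# (default 16). The thread notes the initial salt is rotated later, so
# unpredictability matters more than length.
make_rest_salt() {
  tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-16}"
}

# Print (do not execute) the avmaint command for one field:
# avmaint_cmd restsalt VALUE   or   avmaint_cmd restpassword VALUE
avmaint_cmd() {
  printf 'avmaint atrestencryption --%s=%s\n' "$1" "$(shell_quote "$2")"
}

# Usage with constructed sample values:
#   salt=$(make_rest_salt 20)
#   avmaint_cmd restsalt "$salt"
#   avmaint_cmd restpassword 'p@ss w0rd!'
```

Copy the printed command onto the Avamar server only after the install completes and before customer data is added, as the answer specifies.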

7 Replies
hewits

Re: Encryption at-rest questions

Thanks ianderson. Just wanted to clarify one point.

At-rest encryption to Data Domain is supported. It is transparent to Avamar or any other backup application writing to DD. You need a license key on the DD. Then you enable it on the filesystem.

One thing to keep in mind is that you cannot use in-flight encryption when writing to a DD. It uses the DDBOOST protocol which does not support encryption.


Re: Encryption at-rest questions

Thank you for the clarification!


Re: Encryption at-rest questions

Thanks for the great info, ianderson & hewits.

One follow-up though: where can I find information or documentation regarding managing at-rest encryption via the GUI? I checked the admin and security guide briefly and didn't see anything.

hewits

Re: Encryption at-rest questions

There isn’t anything to manage really. If you want it enabled, it’s something that professional services enables during the initial install of the system. From that point forward, it’s on.


Re: Encryption at-rest questions

The GUI I was referring to in my post above is the Avamar Installer GUI. As hewits said, there isn't any management that needs to be done.


Re: Encryption at-rest questions

10-4 Good Buddy