January 2nd, 2013 06:00

Encryption at-rest questions

I have a couple questions regarding encryption at-rest I was hoping you guys could help clarify for me.

  1. Is the "Rest Password" recommended when using encryption at-rest? The SLES install document indicates that it is optional but you'd think the salt table should be protected. What sort of security impact results from not entering a rest password?
  2. Any recommendations on what should be used for the rest salt? Would a simple 5-10 character string be enough?
  3. It is my understanding that Avamar, when writing backups to a Data Domain system, cannot encrypt the data. In order to protect data on the Data Domain, does EMC support leveraging DD's own data at-rest encryption services in conjunction? I understand that in an ideal scenario these backups would be best stored locally on the Avamar server.

Thanks!

2K Posts

January 2nd, 2013 07:00

Is the "Rest Password" recommended when using encryption at-rest? The SLES install document indicates that it is optional but you'd think the salt table should be protected. What sort of security impact results from not entering a rest password?

If no rest password is specified, a password will be generated when the first salt is added.

Any recommendations on what should be used for the rest salt? Would a simple 5-10 character string be enough?

Since this is the initial rest salt, you can use basically anything. Salts are rotated periodically anyway. Avoid using special characters in the GUI interface -- there's a known issue with special character handling in the at-rest password and initial at-rest salt fields. If you have a requirement to use special characters in the salt or password, you can skip setting these parameters in the GUI and use avmaint atrestencryption --restsalt= and avmaint atrestencryption --restpassword= to set them after the install is complete (but before any customer data is added to the system).

It is my understanding that Avamar, when writing backups to a Data Domain system, cannot encrypt the data. In order to protect data on the Data Domain, does EMC support leveraging DD's own data at-rest encryption services in conjunction? I understand that in an ideal scenario these backups would be best stored locally on the Avamar server.

I believe that this is not possible right now but there are plans to support it in a future version.

2K Posts

January 2nd, 2013 07:00

Thank you for the clarification!

91 Posts

January 2nd, 2013 07:00

Thanks for the great info, ianderson & hewits.

One follow-up though: where can I find information or documentation regarding managing at-rest encryption via the GUI? I checked the admin and security guide briefly and didn't see anything.

5 Practitioner

274.2K Posts

January 2nd, 2013 07:00

Thanks ianderson.  Just wanted to clarify one point. 

At-rest encryption to Data Domain is supported.  It is transparent to Avamar or any other backup application writing to DD.  You need a license key on the DD.  Then you enable it on the filesystem. 

One thing to keep in mind is that you cannot use in-flight encryption when writing to a DD.  It uses the DDBOOST protocol which does not support encryption.

5 Practitioner

274.2K Posts

January 2nd, 2013 08:00

There isn’t anything to manage really. If you want it enabled, it’s something that professional services enables during the initial install of the system. From that point forward, it’s on.

2K Posts

January 2nd, 2013 08:00

The GUI I was referring to in my post above is the Avamar Installer GUI. As hewits said, there isn't any management that needs to be done.

91 Posts

January 2nd, 2013 08:00

10-4 Good Buddy
