Is the "Rest Password" recommended when using encryption at-rest? The SLES install document indicates that it is optional but you'd think the salt table should be protected. What sort of security impact results from not entering a rest password?
Any recommendations on what should be used for the rest salt? Would a simple 5-10 character string be enough?
It is my understanding that Avamar, when writing backups to a Data Domain system, cannot encrypt the data. In order to protect data on the Data Domain, does EMC support leveraging DD's own data at-rest encryption services in conjunction? I understand that in an ideal scenario these backups would be best stored locally on the Avamar server.
ionthegeek
2 Intern
•
2K Posts
1
January 2nd, 2013 07:00
If no rest password is specified, a password will be generated when the first salt is added.
Since this is the initial rest salt, you can use basically anything. Salts are rotated periodically anyway. Avoid using special characters in the GUI interface -- there's a known issue with special character handling in the at-rest password and initial at-rest salt fields. If you have a requirement to use special characters in the salt or password, you can skip setting these parameters in the GUI and use avmaint atrestencryption --restsalt= and avmaint atrestencryption --restpassword= to set them after the install is complete (but before any customer data is added to the system).
I believe that this is not possible right now but there are plans to support it in a future version.
ionthegeek
2 Intern
•
2K Posts
0
January 2nd, 2013 07:00
Thank you for the clarification!
JWeinsheimer
91 Posts
0
January 2nd, 2013 07:00
Thanks for the great info, ianderson & hewits.
One follow-up though: where can I find information or documentation regarding managing at-rest encryption via the GUI? I checked the admin and security guide briefly and didn't see anything.
ionthegeek
2 Intern
•
2K Posts
1
January 2nd, 2013 08:00
The GUI I was referring to in my post above is the Avamar Installer GUI. As hewits said, there isn't any management that needs to be done.
JWeinsheimer
91 Posts
0
January 2nd, 2013 08:00
10-4 Good Buddy