January 12th, 2017 05:00
DD2200 Encryption
We recently installed a DD2200 box which is going to work as our primary backup system in conjunction with Avamar and CIFS file shares. It will then be replicated off site to a much larger DD box.
Due to regulations our data must be encrypted with AES-256 at rest and in transit.
We have this working we believe with Avamar right now using "High" encryption.
Our main problem right now is our SQL backups: our backup maintenance plans dump the backups out to a CIFS share as unencrypted backup files. We were expecting the Data Domain to do the encryption for us, and we were sold these boxes having been told it could do this out of the box with shares.
When looking at the system I noticed that we never got a license key for encryption. I assume we have to purchase a license for encryption at rest on the DD2200 when using file shares? Avamar included this apparently.
When you set up an MTree replication to an off-site location and your box is encrypted, does the data go to the off-site box as an encrypted file, or is it only encrypted on the local box, then decrypted, replicated, and re-encrypted on the off-site box? Our vendor is claiming that if we encrypt our box then the data will automatically be encrypted on their end, even though they do not have encryption turned on for their DD 9300. I am finding this hard to believe myself.
What is true, and what is the best way to set up a CIFS share so we can guarantee that we encrypt on our end with at least AES-256, that it is encrypted in transit, and that it is encrypted on their end when it reaches our storage space in their multi-tenant environment?
James_Ford
January 13th, 2017 02:00
So in response to your questions:
- Encryption of data at rest is a licensed feature on a DDR, so yes, you would need to purchase and apply an encryption license before this functionality can be enabled.
- When configured, encryption of data at rest can use various encryption algorithms, i.e. aes_128_cbc, aes_256_cbc, aes_128_gcm, aes_256_gcm.
- Encryption can only be enabled/disabled system wide; there is no support for encrypting the contents of one mtree whilst leaving other mtrees unencrypted.
- By default, when encryption is enabled only new data is written in an encrypted format; existing data is left as is. If you need to encrypt existing data you need to specifically enable this, and then all data is encrypted during the next clean on the DDR.
- If you are using replication and have encryption enabled on the source DDR but disabled on the destination DDR then:
  - Data will be read on the source in an encrypted format
  - The source will decrypt the data and send it over the wire in an unencrypted format
  - The destination will write data to disk in an unencrypted format (so what your vendor is telling you is not correct)
- To force data to be encrypted on the wire you would need to enable encryption for the specific mtree replication contexts you are using. Note, however, that data will still be stored in an unencrypted format on the destination. If, however, you have encryption enabled on the source and destination DDRs this is not required. In this case:
  - Data will be read on the source in an encrypted format
  - The source will re-encrypt the data using the destination system's encryption key
  - Encrypted data will be sent over the wire
  - The destination will write data to disk in an encrypted format
All of this is covered in the following KB article which provides a good overview of encryption of data at rest functionality as well as steps to configure encryption: https://support.emc.com/kb/303747
Thanks, James
BSH-RESCH
January 13th, 2017 05:00
Thanks!
This is our first time with DD, and a 3rd-party vendor set it up for us, configured it, and assured us that everything was encrypted... that was until we got admin rights 2 months later and went into the DD to see that replication listed encryption at rest as disabled and encryption over the wire as disabled on both the source and destination system... that's when we found the licensing status as not licensed for encryption. This 3rd-party vendor is also a "certified EMC provider"...... ugh... it took them a month to set up the Data Domain system and get it replicating because nothing ever worked for them; they just kept fiddling with settings until it did... that's where we started to have concerns...