James_Ford
30 Posts
1
January 13th, 2017 02:00
So in response to your questions:
- Encryption of data at rest is a licensed feature on a DDR - so yes, you would need to purchase and apply an encryption license before this functionality can be enabled
- When configured, encryption of data at rest can use various encryption algorithms, i.e. aes_128_cbc, aes_256_cbc, aes_128_gcm, aes_256_gcm
- Encryption can only be enabled/disabled system-wide - there is no support for encrypting the contents of one mtree whilst leaving other mtrees unencrypted
- By default, when encryption is enabled only new data is written in an encrypted format - existing data is left as is. If you need to encrypt existing data you need to specifically enable this; then all data is encrypted during the next clean on the DDR
- If you are using replication and have encryption enabled on the source DDR but disabled on the destination DDR, then:
  - Data will be read on the source in an encrypted format
  - The source will decrypt the data and send it over the wire in an unencrypted format
  - The destination will write data to disk in an unencrypted format (so what your vendor is telling you is not correct)
  To force data to be encrypted on the wire you would need to enable encryption for the specific mtree replication contexts you are using. Note, however, that data will still be stored in an unencrypted format on the destination. If, however, you have encryption enabled on the source and destination DDRs this is not required. In this case:
  - Data will be read on the source in an encrypted format
  - The source will re-encrypt the data using the destination system's encryption key
  - Encrypted data will be sent over the wire
  - The destination will write data to disk in an encrypted format
All of this is covered in the following KB article, which provides a good overview of encryption of data at rest functionality as well as steps to configure encryption: https://support.emc.com/kb/303747
Thanks, James
BSH-RESCH
1 Rookie
23 Posts
0
January 13th, 2017 05:00
Thanks!
This is our first time with DD and a third-party vendor set it up for us and configured it and assured us that everything was encrypted... that was until we got admin rights 2 months later and went into the DD to see that replication listed encryption at rest as disabled and encrypt over wire as disabled on both the source and destination system... that's when we found the licensing status as not licensed for encryption. This third-party vendor is also a "certified EMC provider"...... ugh... it took them a month to set up the Data Domain system and get it replicating because nothing ever worked for them, they just kept fiddling with settings until it did... that's where we started to have concerns...