July 11th, 2012 12:00

Avamar at-rest encryption config

Hello everybody,

I have a simple question (at least I think).

How can I know if at-rest encryption is enabled in Avamar 6.0?

Thanks and regards,

Andrés.

2K Posts

July 11th, 2012 13:00

Log into your utility node (or single node server) and run the following command:

avmaint nodelist | grep encryptatrest

If you see something like the following, encrypt at rest is enabled on all nodes (note that only one node will show "true"):

admin@testgrid1:~/>: avmaint nodelist | grep encryptatrest

      encryptatrest="false"

      encryptatrest="true"

      encryptatrest="false"

      encryptatrest="false"

If you see something like the following, chances are very good that EAR is disabled but you'll have to contact support to make a definitive assessment:

admin@testgrid1:~/>: avmaint nodelist | grep encryptatrest

      encryptatrest="false"

      encryptatrest="false"

      encryptatrest="false"

      encryptatrest="false"

Message was edited by: ianderson - clarify that EAR is enabled on all nodes but reported on one

2K Posts

July 13th, 2012 14:00

My pleasure!

27 Posts

July 13th, 2012 14:00

ianderson,

Thanks a lot for the answer. It was very helpful.

Regards,

6 Posts

September 17th, 2012 22:00

I know that this post is very old, but I have a question: why is only one node in the grid listed as encrypted at-rest?

If encryption at-rest is enabled shouldn't it work that way that all of the nodes are encrypted?

6 Posts

September 18th, 2012 00:00

Thx for the answer, but I'm still suspicious ;-)

Why only one reports back that encryption is enabled?

Is this some sort of a limitation of the MCCLI?

It's a little confusing.

September 18th, 2012 00:00

When the avmaint nodelist command is run, even though only one node reports back with "encryptatrest=true", the data is in fact encrypted across all the nodes.

September 18th, 2012 02:00

You can prove to yourself that the data is encrypted across all the nodes and not just one of them.

For example, if you log on to a system where encrypt at rest is not enabled and run the "strings" command against a data stripe (*.dat) you will see shreds of readable information.  These are fragments of data stored in the chunks contained within that unencrypted data stripe.

If you run the same against a data stripe on an encrypted system you should just see gibberish.  You can try this against stripes on each node.

Unfortunately I don't have a system to hand which is configured with encrypt at rest, but on an unencrypted system you will at least see human-readable output (provided that the chunk you are viewing contains cleartext data).

Unencrypted stripe example:

admin@datanode1:/data01/cur/>: strings 0000000000000051.dat | less

sleep ` )

s cp=%T-1|

stat1

has beenu

it's%

&,V

: a l

ired

presen" S<

Tly#

reduc"

"#0V`

FfVto

ERROR_ACCESS_DENI|

_HANDLEh

NAM(4

DOES_NOT_EXIST=

Manager 8h      <|

bun#

`ll%

QdWh#

f#@`

: you must be an ad"p$

Hope that helps..
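
The strings check described in the post above, turned into a measurable ratio, as an added example that is not part of the original thread or of any Avamar tooling: it counts the share of bytes that sit inside printable runs, which is what `strings` would display. The 6-character run length, the 0.05 threshold, the function names and both sample blobs are assumptions constructed for illustration (Python 3).

```python
import hashlib
import re

# Runs of 6+ printable ASCII bytes, similar to what `strings -n 6` would print.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that sit inside printable runs of 6 or more characters."""
    if not data:
        return 0.0
    return sum(len(run) for run in PRINTABLE_RUN.findall(data)) / len(data)

def looks_cleartext(data: bytes, threshold: float = 0.05) -> bool:
    """True when readable fragments are far more common than chance allows.

    Uniformly random bytes score about 0.01 at this run length, so 0.05 is an
    assumed cut-off for this example, not a vendor-defined value.
    """
    return printable_ratio(data) >= threshold

def longest_fragments(data: bytes, count: int = 5) -> list:
    """The longest readable fragments, for a human to review."""
    return sorted(PRINTABLE_RUN.findall(data), key=len, reverse=True)[:count]

def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 over a counter."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

# Constructed samples; neither is a real Avamar data stripe.
ENCRYPTED_LIKE = pseudo_random(65536)
FRAGMENTS = [b"ERROR_ACCESS_DENIED", b"DOES_NOT_EXIST", b"you must be an administrator"]
CLEARTEXT_LIKE = b"".join(
    FRAGMENTS[i % 3] + b"\x00" + pseudo_random(16, seed=i.to_bytes(2, "big"))
    for i in range(300)
)

if __name__ == "__main__":
    for name, blob in (("encrypted-like", ENCRYPTED_LIKE), ("cleartext-like", CLEARTEXT_LIKE)):
        print(f"{name}: ratio={printable_ratio(blob):.3f} cleartext={looks_cleartext(blob)}")
    print(longest_fragments(CLEARTEXT_LIKE, 3))
```

A low ratio shows only that no cleartext is visible in that file; compressed data also scores low, so use it alongside the nodelist check rather than as proof of encryption.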

2K Posts

September 18th, 2012 05:00

Here is the corresponding nodelist output for Avamar 6.1 systems:

Encrypt at rest disabled:

admin@testgrid:~/>:avmaint nodelist --ava --xmlperline=99 | grep atrest

   

   

   

   

Encrypt at rest enabled:

admin@testgrid2:~/>:avmaint nodelist --ava --xmlperline=99 | grep atrest

   

   

   

   

2K Posts

September 18th, 2012 05:00

All the nodes are encrypted but only one node reports on the encryption status in Avamar 5.0 and 6.0.

There have been substantial changes to encrypt-at-rest in Avamar 6.1 so the information in this post may not apply to 6.1 systems.

115 Posts

March 9th, 2016 04:00

Do we need a license for EAR on Avamar like on DD?

2K Posts

March 9th, 2016 06:00

No additional license is required but this is something that should be configured at install time. The encryption algorithm does not guarantee that any data already on the system will be encrypted.

1.2K Posts

March 9th, 2016 08:00

What are the options to turn this on after installation?  Oddly enough, after two separate PS engagements to stand up our new grids, neither source nor target grid has this enabled.

Is there a mechanism to force re-encryption over time or during various avmaint processes?

2K Posts

March 9th, 2016 08:00

As data expires from the system, expired data inside the data stripes (files where the de-duplicated data are stored) will be garbage collected and the capacity made available for re-use. These stripe files are only re-encrypted when they are re-used. More specifically, they are re-encrypted during crunching (if this doesn't mean anything to you, the detail isn't that important).

There is generally some amount of churn on a system, so stripes get re-used regularly but there are no guarantees. If a stripe ends up filled with all your Windows system files, it will probably never be crunched and therefore would never be encrypted.

There is no mechanism to force a stripe to be encrypted.

March 9th, 2016 08:00

For any readers who have partner-level or higher access to the knowledge base, there's also an article on this topic which discusses what Ian has explained.

  • KB 176660 - How to use Avamar's encryption-at-rest functionality

1.2K Posts

March 9th, 2016 11:00

Thanks for clearing that up, Ian - good to know!
