This post is more than 5 years old
27 Posts
0
5093
Avamar at-rest encryption config
Hello everybody,
I have a simple question (at least I think).
How can I know if at-rest encryption is enabled in Avamar 6.0?
Thanks and regards,
Andrés.
ionthegeek
2K Posts
0
July 11th, 2012 13:00
Log into your utility node (or single node server) and run the following command:
avmaint nodelist | grep encryptatrest
If you see something like the following, encrypt at rest is enabled on all nodes (note that only one node will show "true"):
admin@testgrid1:~/>: avmaint nodelist | grep encryptatrest
encryptatrest="false"
encryptatrest="true"
encryptatrest="false"
encryptatrest="false"
If you see something like the following, chances are very good that EAR is disabled but you'll have to contact support to make a definitive assessment:
admin@testgrid1:~/>: avmaint nodelist | grep encryptatrest
encryptatrest="false"
encryptatrest="false"
encryptatrest="false"
encryptatrest="false"
Message was edited by: ianderson - clarify that EAR is enabled on all nodes but reported on one
ionthegeek
2K Posts
0
July 13th, 2012 14:00
My pleasure!
azanotta
27 Posts
1
July 13th, 2012 14:00
ianderson,
thanks a lot for the answer. Was very helpful.
Regards,
VirtGuy1
6 Posts
0
September 17th, 2012 22:00
I know that this post is very old, but I have a question: why is only one node in the grid on the list encrypted at-rest?
If encryption at-rest is enabled shouldn't it work that way that all of the nodes are encrypted?
VirtGuy1
6 Posts
0
September 18th, 2012 00:00
Thx for the answer, but I'm still suspicious ;-)
Why only one reports back that encryption is enabled?
Is this some sort of a limitation of the MCCLI?
It's a little confusing.
Avamar Exorcist
462 Posts
0
September 18th, 2012 00:00
When the avmaint nodelist command is run, even though only one node reports back with "encryptatrest=true", the data is in fact encrypted across all the nodes.
Avamar Exorcist
462 Posts
0
September 18th, 2012 02:00
You can prove to yourself that the data is encrypted across all the nodes and not just one of them.
For example, if you log on to a system where encrypt at rest is not enabled and run the "strings" command against a data stripe (*.dat) you will see shreds of readable information. These are fragments of data stored in the chunks contained within that unencrypted data stripe.
If you run the same against a data stripe on an encrypted system you should just see gibberish. You can try this against stripes on each node.
Unfortunately I don't have a system to hand which is configured with encrypt at rest, but on an unencrypted system you will at least see human-readable output (provided that the chunk you are viewing contains cleartext data).
Unencrypted stripe example:
admin@datanode1:/data01/cur/>: strings 0000000000000051.dat | less
sleep ` )
s cp=%T-1|
stat1
has beenu
it's%
&,V
: a l
ired
presen" S<
Tly#
reduc"
"#0V`
FfVto
ERROR_ACCESS_DENI|
_HANDLEh
NAM(4
DOES_NOT_EXIST=
Manager 8h <|
bun#
`ll%
QdWh#
f#@`
: you must be an ad"p$
Hope that helps..
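The strings check described in the post above, turned into a measurable test (an added example, not part of the original thread and not Avamar tooling): it reports byte entropy and the share of bytes sitting in printable runs for a stripe sample. The function names, thresholds and sample bytes are assumptions constructed for illustration; compressed data is also high-entropy, so the verdict only says whether readable cleartext was found.

```python
import hashlib
import math
import re
from collections import Counter

# Runs of 8+ printable ASCII bytes. `strings` defaults to 4, but short runs
# occur by chance in random data, so a longer minimum is assumed here.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def readable_fraction(data: bytes) -> float:
    """Share of bytes that fall inside printable runs."""
    if not data:
        return 0.0
    return sum(len(m.group()) for m in PRINTABLE_RUN.finditer(data)) / len(data)

def assess(data: bytes, entropy_min: float = 7.5, readable_max: float = 0.02) -> str:
    """Thresholds are illustrative assumptions, not vendor guidance."""
    if not data:
        return "empty"
    opaque = shannon_entropy(data) >= entropy_min and readable_fraction(data) <= readable_max
    return "no-cleartext-found" if opaque else "cleartext-present"

def assess_file(path: str, limit: int = 1 << 20) -> str:
    """Assess the first `limit` bytes of a stripe file (e.g. a copy of a *.dat)."""
    with open(path, "rb") as fh:
        return assess(fh.read(limit))

def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed samples, not real stripe contents.
CIPHER_LIKE = pseudo_random(64 * 1024)
CLEARTEXT = b"you must be an administrator to run this tool\x00" * 90
MIXED = CIPHER_LIKE + CLEARTEXT  # mostly opaque, with one readable region

if __name__ == "__main__":
    for name, blob in [("cipher-like", CIPHER_LIKE), ("cleartext", CLEARTEXT), ("mixed", MIXED)]:
        print(name, round(shannon_entropy(blob), 2), round(readable_fraction(blob), 3), assess(blob))
```

The mixed sample keeps an entropy above the threshold yet is still flagged, which is why the printable-run measure is checked alongside entropy.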
ionthegeek
2K Posts
0
September 18th, 2012 05:00
Here is the corresponding nodelist output for Avamar 6.1 systems:
Encrypt at rest disabled:
Encrypt at rest enabled:
ionthegeek
2K Posts
0
September 18th, 2012 05:00
All the nodes are encrypted but only one node reports on the encryption status in Avamar 5.0 and 6.0.
There have been substantial changes to encrypt-at-rest in Avamar 6.1 so the information in this post may not apply to 6.1 systems.
avmaint
115 Posts
0
March 9th, 2016 04:00
Do we need a license for EAR on Avamar like on DD?
ionthegeek
2K Posts
0
March 9th, 2016 06:00
No additional license is required but this is something that should be configured at install time. The encryption algorithm does not guarantee that any data already on the system will be encrypted.
umichklewis
1.2K Posts
0
March 9th, 2016 08:00
What are the options to turn this on after installation? Oddly enough, after two separate PS engagements to stand up our new grids, neither source nor target grid have this enabled.
Is there a mechanism to force re-encryption over time or during various avmaint processes?
ionthegeek
2K Posts
1
March 9th, 2016 08:00
As data expires from the system, expired data inside the data stripes (files where the de-duplicated data are stored) will be garbage collected and the capacity made available for re-use. These stripe files are only re-encrypted when they are re-used. More specifically, they are re-encrypted during crunching (if this doesn't mean anything to you, the detail isn't that important).
There is generally some amount of churn on a system, so stripes get re-used regularly but there are no guarantees. If a stripe ends up filled with all your Windows system files, it will probably never be crunched and therefore would never be encrypted.
There is no mechanism to force a stripe to be encrypted.
Avamar Exorcist
462 Posts
0
March 9th, 2016 08:00
For any readers who have partner level or higher access to the knowledge-base, there's also an article on this topic which discusses what Ian has explained.
umichklewis
1.2K Posts
1
March 9th, 2016 11:00
Thanks for clearing that up, Ian - good to know!