Data Domain - DD Boost global authentication and encryption
Summary: This article provides information about DD Boost global authentication and encryption, taken from the latest DD OS 7.13 DD Boost documentation. In this guide, "PowerProtect DD System," "the protection system," or simply "the system" refers to PowerProtect DD Series Appliances running DD OS 7.4 or later and to earlier PowerProtect DD systems. ...
Instructions
Which DD Boost encryption and authentication settings are available depends on the DD Boost client and DD OS versions in use; review the information and tables below before changing the global settings.
You can specify authentication and encryption settings in three ways which are described further into this document.
How to Reset Global Encryption Strength & Clear Errors in Dell Data Domain
Duration: 00:03:32 (hh:mm:ss)
In-flight Encryption
In-flight encryption allows applications to encrypt backup and restore data in flight over the LAN between the client and the protection system. This feature was introduced to offer a more secure data transport capability.
When configured, the client uses TLS to encrypt the session between the client and the protection system. The cipher suite negotiated depends on the DD Boost client version, the DD OS version and the authentication mode, as shown in the table below.
| DD Boost client | DD OS | Authentication | Encryption medium | Encryption high |
|---|---|---|---|---|
| 3.3 to 7.0, and 7.5 and later | 7.5 and later | ANON | ADH-AES128-GCM-SHA256 | ADH-AES256-GCM-SHA384 |
| 3.3 to 7.0, and 7.5 and later | 7.5 and later | One-way or two-way certificates | DHE-RSA-AES128-GCM-SHA256 | DHE-RSA-AES256-GCM-SHA384 |
| 3.3 to 7.0, and 7.5 and later | 7.4 and earlier | ANON | ADH-AES128-SHA | ADH-AES256-SHA |
| 3.3 to 7.0, and 7.5 and later | 7.4 and earlier | One-way or two-way certificates | DHE-RSA-AES128-SHA | DHE-RSA-AES256-SHA |
| 7.1 to 7.4 | 7.5 and later | ANON | ADH-AES128-SHA | ADH-AES256-SHA |
| 7.1 to 7.4 | 7.5 and later | One-way or two-way certificates | DHE-RSA-AES128-GCM-SHA256 | DHE-RSA-AES256-GCM-SHA384 |
| 7.1 to 7.4 | 7.4 and earlier | ANON | ADH-AES128-SHA | ADH-AES256-SHA |
| 7.1 to 7.4 | 7.4 and earlier | One-way or two-way certificates | DHE-RSA-AES128-SHA | DHE-RSA-AES256-SHA |
The ADH (anonymous Diffie-Hellman) suites encrypt the session but authenticate neither peer, which is why the anonymous mode is not secure against MITM attacks; the DHE-RSA suites authenticate the peer with its certificate. AES-GCM with SHA-256/SHA-384 is only negotiated when both the client and DD OS support it; older combinations fall back to the AES-CBC suites with SHA-1.
NOTE: For DD OS 7.12 and later, on a fresh install the default authentication mode is none and the default encryption strength is medium.
Global authentication and encryption
DD Boost offers global authentication and encryption options to defend your system against man-in-the-middle (MITM) attacks.
The global options ensure that new clients are protected, but also allow you to configure different values for each client. In addition, client settings can only strengthen security, not reduce it.
Setting the global authentication mode and encryption strength establishes minimum levels of authentication and encryption. All connection attempts by all clients must meet or exceed these levels.
The default global options are backwards-compatible, meaning:
- You do not have to update the DD Boost library. All existing clients and applications perform in the same manner with the default settings of the new options.
- There is no impact on performance because there is no added encryption.
- Clients and applications that use certificates with transport layer security (TLS) can continue to work with no changes.
NOTE: If the global settings are different than the default settings, existing clients might need to be updated.
Methods of setting authentication and encryption
You can specify authentication and encryption settings in three ways.
- Connection request: by using the ddp_connect_with_config API in the client application.
- Per-client settings: by using CLI commands on the protection system.
- Global settings: by using CLI commands on the protection system.
If both per-client and global values are set, the stronger or higher setting is enforced. Any client that tries to connect with a weaker authentication or encryption setting is rejected.
Authentication and encryption settings
You can consider several factors when deciding authentication and encryption settings. However, it is recommended that you always choose the maximum available setting for maximum security.
Maximum security impacts performance. If you have a controlled environment where maximum security is not required, you might want to use other settings.
Global settings
The global setting determines the minimum levels of authentication and encryption. Connection attempts that do not meet these criteria fail.
Per-client settings
If a setting is defined on a per-client basis, a connection from that client must meet or exceed both the per-client setting and the global setting; in effect, the stronger of the two is the minimum enforced for that client.
For example:
- If a client is configured to require "two-way password" authentication and the global authentication setting is two-way TLS, then two-way TLS authentication must be used.
- If the client is configured with the authentication setting "two-way TLS" and the global setting is "two-way passwords," then "two-way TLS" must be used.
Caller-specified values
If the caller-specified values are lower than either the global or per-client settings, the connection is not allowed. However, if the caller-specified values are higher than the global or per-client settings, the connection is made using the caller-specified values.
For example, if the caller specifies "two-way-password" but either the global or per-client value is "two-way," the connection attempt fails. However, if the caller specified "two-way" and the global and per-client values are "two-way-password," "two-way" authentication is used.
Authentication and encryption options
You can select one of three allowed settings for each of the global authentication and encryption settings.
For the per-client settings, five authentication settings are allowed and three encryption settings (the same encryption settings as those for global).
Global authentication and encryption options
You have a range of choices with the options global-authentication-mode and global-encryption-strength.
Authentication settings
The following list ranks authentication values from weakest to strongest:
- none: Not secure; this is the default setting.
- anonymous: This option is not secure against MITM attacks. In-flight data is encrypted.
- one-way: This method requires the use of certificates. It is not secure against MITM attacks. In-flight data is encrypted.
- two-way password: This option is secure against MITM attacks. In-flight data is encrypted.
- two-way: This option requires the use of certificates. It is the most secure option and is secure against MITM attacks. In-flight data is encrypted.
Encryption settings
The following list ranks encryption values from weakest to strongest:
- none: Not secure; this is the default setting. Can only be specified if the authentication is "none."
- medium: Employs AES 128 with SHA-1 (AES-128-GCM with SHA-256 on newer DD OS and client combinations; see the cipher suite table above).
- high: Employs AES 256 with SHA-1 (AES-256-GCM with SHA-384 on newer DD OS and client combinations; see the cipher suite table above).
Global authentication
The three global-authentication-mode options offer different levels of protection and backwards compatibility.
Global authentication and encryption values can only be set through command-line interface (CLI) commands on the protection system (the DD Boost server). The CLI commands that you use to set these values are described in the following sections.
None
ddboost option set global-authentication-mode none global-encryption-strength none
"None" is the least secure but most backwards-compatible option.
You can select "none" if your system has crucial performance requirements and you do not need protection from MITM attacks.
Your system can operate in the same manner as before without suffering any performance degradation due to TLS.
If you select a different setting for authentication than "none," the encryption setting cannot be "none."
Two-way password
ddboost option set global-authentication-mode two-way-password global-encryption-strength {medium | high}
The two-way password method performs two-way authentication using TLS with pre-shared key (PSK) authentication. Both the client and the protection system are authenticated using the previously established passwords. When this option is selected, all data and messages between the client and the protection system are encrypted.
This option is the only secure option available with DD Boost for OpenStorage and protects fully against man-in-the-middle (MITM) attacks.
Encryption strength must be either medium or high.
Two-way password authentication is unique because it is the only method that is both secure against MITM and can be done without the caller specifying it.
Two-way
ddboost option set global-authentication-mode two-way global-encryption-strength {medium | high}
This is the most secure option.
The two-way option employs TLS with certificates. Two-way authentication is achieved using certificates provided by the application.
This setting is compatible with existing use of certificates. Setting the global authentication setting to "two-way" requires all applications that connect to the protection system to support and supply certificates.
Any application that does not support certificates and does not specify two-way authentication and provide certificates through the ddp_connect_with_config API will fail.
Backwards compatibility scenarios
Older client and new protection system
In this case, an application using an older DD Boost library (one that predates two-way-password support) connects to a protection system running DDOS 6.1 or later. The client cannot perform two-way-password authentication, which has the following ramifications:
- Any global authentication setting must be "none" or "two-way," since the client cannot perform "two-way-password" authentication. Per-client authentication settings can be any value except "two-way-password" for the same reason.
- Any global or per-client setting of two-way-password causes applications with older client libraries to fail.
- The new protection system supports existing connection protocols for old clients.
New client and older protection system
The older protection system cannot perform "two-way-password" authentication, which has the following ramifications:
- There are no global authentication or encryption settings.
- The per-client protection system authentication setting cannot be "two-way password."
- The client will first attempt to use the new connection protocol or RPC; upon failure, the client reverts to the old protocol.
- The client can connect with other authentication methods except "two-way-password."
Authentication and encryption setting examples
The following tables show examples in which settings are specified using calls, per-client settings, and global settings, and whether those settings can succeed.
These examples assume you have a DD Boost client connection to a protection system with DDOS 6.1 or later. These examples do not apply to either of the situations described in Backwards Compatibility Scenarios.
One setting
| Call specifies | Per-client settings | Global settings | Result and used values |
|---|---|---|---|
| None | None | None | SUCCEEDS. Authentication: none; Encryption: none |
| Authentication: two-way-password; Encryption: medium | None | None | SUCCEEDS. Authentication: two-way-password; Encryption: medium |
| None | Authentication: two-way-password; Encryption: medium | None | SUCCEEDS. Authentication: two-way-password; Encryption: medium |
| None | None | Authentication: two-way-password; Encryption: medium | SUCCEEDS. Authentication: two-way-password; Encryption: medium |
| None | None | Authentication: two-way; Encryption: high | FAILS. Two-way and high are required; the client must specify two-way and provide certificates. |
| Authentication: two-way; Encryption: high | None | None | SUCCEEDS. Authentication: two-way; Encryption: high |
Multiple settings
| Call specifies | Per-client settings | Global settings | Result and used values |
|---|---|---|---|
| Authentication: two-way; Encryption: medium | None | Authentication: two-way; Encryption: high | FAILS. Two-way and high are required. |
| None | Authentication: two-way; Encryption: high | Authentication: two-way-password; Encryption: medium | FAILS. Two-way and high are required; the client must specify two-way and provide certificates. |
| Authentication: two-way; Encryption: high | Authentication: two-way-password; Encryption: high | Authentication: two-way; Encryption: medium | SUCCEEDS. Authentication: two-way; Encryption: high |
| None | Authentication: two-way-password; Encryption: medium | Authentication: two-way; Encryption: medium | FAILS. Two-way and medium are required; the client must specify two-way and provide certificates. |
| Authentication: two-way; Encryption: high | Authentication: two-way; Encryption: medium | Authentication: two-way; Encryption: medium | SUCCEEDS. Authentication: two-way; Encryption: high |
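The resolution rules described under Methods of setting authentication and encryption, Per-client settings and Caller-specified values, together with the two example tables above, modelled in Python. This is an added example, not Dell code and not the DD Boost API: the rank orders, the "encryption none only with authentication none" rule and the "two-way needs caller-supplied certificates" rule are taken from this article, while the names Settings, Outcome, resolve and enforceable_from_system_only are the example's own. It reproduces every row of both tables and also shows why two-way-password is the only MITM-resistant mode that the protection system can enforce without the caller specifying anything.

```python
"""DD Boost authentication/encryption resolution, modelled from this article.

Added example; not Dell code or the DD Boost API. Names (Settings, Outcome,
resolve, ...) are the example's own. Rules taken from the article:
  - authentication ranks weakest to strongest:
        none < anonymous < one-way < two-way-password < two-way
  - encryption ranks weakest to strongest: none < medium < high
  - encryption "none" may only be combined with authentication "none"
  - the global and per-client settings are floors; the stronger one applies
  - a caller value below the floor is rejected, a value above it is used
  - "two-way" needs certificates, which only the caller can supply through
    ddp_connect_with_config, so a floor of two-way that the caller did not
    itself request fails
"""
from dataclasses import dataclass
from typing import List, Optional

AUTH_RANK = {"none": 0, "anonymous": 1, "one-way": 2, "two-way-password": 3, "two-way": 4}
ENC_RANK = {"none": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Settings:
    """One (authentication, encryption) pair as set on the system or by the caller."""
    auth: str = "none"
    enc: str = "none"

    def __post_init__(self) -> None:
        if self.auth not in AUTH_RANK or self.enc not in ENC_RANK:
            raise ValueError(f"unknown authentication/encryption value: {self.auth!r}/{self.enc!r}")
        if self.enc == "none" and self.auth != "none":
            raise ValueError("encryption 'none' is only allowed with authentication 'none'")

    def meets(self, floor: "Settings") -> bool:
        """True when both values are at least as strong as the floor's."""
        return (AUTH_RANK[self.auth] >= AUTH_RANK[floor.auth]
                and ENC_RANK[self.enc] >= ENC_RANK[floor.enc])


def is_valid_pair(auth: str, enc: str) -> bool:
    """Whether the system accepts this pair at all (enc 'none' only with auth 'none')."""
    try:
        Settings(auth, enc)
    except ValueError:
        return False
    return True


def stronger(a: Settings, b: Settings) -> Settings:
    """Element-wise maximum: the higher authentication and the higher encryption."""
    return Settings(auth=max(a.auth, b.auth, key=AUTH_RANK.__getitem__),
                    enc=max(a.enc, b.enc, key=ENC_RANK.__getitem__))


@dataclass(frozen=True)
class Outcome:
    ok: bool
    auth: Optional[str] = None   # values actually used when ok
    enc: Optional[str] = None
    reason: str = ""             # why the connection attempt was rejected


def resolve(call: Optional[Settings],
            per_client: Optional[Settings],
            global_: Optional[Settings]) -> Outcome:
    """Decide whether a connection attempt succeeds and with which values.

    None means "not specified"; the system treats an unset value as none/none,
    the backwards-compatible default.
    """
    default = Settings()
    floor = stronger(per_client or default, global_ or default)
    if call is None:
        # The floor is applied as-is, except that two-way needs caller-supplied certificates.
        if floor.auth == "two-way":
            return Outcome(False, reason=f"{floor.auth} and {floor.enc} are required; "
                                         "the client must specify two-way and provide certificates")
        return Outcome(True, floor.auth, floor.enc)
    if not call.meets(floor):
        return Outcome(False, reason=f"{floor.auth} and {floor.enc} are required")
    # Caller at or above the floor: the caller's (possibly higher) values are used.
    return Outcome(True, call.auth, call.enc)


def enforceable_from_system_only() -> List[str]:
    """MITM-resistant modes (per the article: two-way-password and two-way) that
    succeed when the caller specifies nothing. Only two-way-password qualifies."""
    return [a for a in ("two-way-password", "two-way")
            if resolve(None, None, Settings(a, "medium")).ok]


if __name__ == "__main__":
    TWP_MED = Settings("two-way-password", "medium")
    TW_HIGH = Settings("two-way", "high")
    for call, per_client, glob in [
        (None, None, None),
        (TWP_MED, None, None),
        (None, None, TW_HIGH),
        (TW_HIGH, Settings("two-way-password", "high"), Settings("two-way", "medium")),
    ]:
        print(call, per_client, glob, "->", resolve(call, per_client, glob))
    print("MITM-resistant and enforceable from the system alone:", enforceable_from_system_only())
```

Feed resolve() your planned global and per-client values with call=None to see what an application that does not use ddp_connect_with_config would get: a result of two-way with no caller specification is exactly the failure mode of the fifth row of the first table, and the reason string tells you which floor caused it.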
Additional Information
Data Domain: The default Authentication Mode for DDBoost Clients Does Not Provide Over-the-Wire Encryption.
Data Domain - Managing certificates for DD Boost