Dell DR Series System Administrator Guide

The overall steps for how Encryption at Rest is enabled and used in the DR Series system are described below.

1. Setting a passphrase.
   
   Encryption is disabled by default on a factory installed DR Series system (running version 3.2 software or later) or a DR Series system that has been upgraded to version 3.2 from a previously released version.

   The administrator must set a passphrase as the first step in configuring encryption. This passphrase is used to encrypt the content encryption keys, which adds a second layer of security to the key management.

2. Enabling encryption and setting the mode.
   
   The administrator should enable encryption by using the GUI or CLI. At this time, the mode is also set. The default key management mode is “internal” mode, in which key rotation happens periodically as specified by the set key rotation period.
3. Encryption process.
   
   After encryption is enabled, the data on the DR Series system that gets backed up is encrypted and is kept encrypted until it is expired and cleaned by the system cleaner. Note that the encryption process is irreversible.
4. Encryption of pre-existing data. Any pre-existing data on a DR Series system will also be encrypted using the currently set mode of key management. This encryption occurs as part of the system cleaner process. Encryption is scheduled as the last action item in the cleaner workflow. You must launch the cleaner manually using the maintenance command to reclaim space. It then encrypts all pre-existing unencrypted data. The cleaner can also be scheduled as per the existing pre-defined cleaner schedule.
   • NOTE: The cleaner can take some time to start the encryption process if the system is nearing full system capacity. Encryption starts only after the cleaner processes data slated for cleaning and the related logs. This ensures that space reclamation is prioritized when free space is low and also ensures that data stores are not redundantly encrypted.