
QoreStor 5.1.0 - User Guide


Encryption at rest and QoreStor considerations

This topic describes key features and considerations of using Encryption at Rest in QoreStor.

  • Key Management — In internal mode there is a maximum of 1023 keys. By default, when encryption is enabled on the system, the key rotation period is set to 30 days. When configuring internal mode, users can later change the key rotation period to any value from 7 days to 70 years.
  • Performance Impacts — Encryption should have minimal to zero impact on both backup and restore workflows. It should also have no impact on the replication workflows.
  • Replication — Encryption must be enabled on both the source and target QoreStor systems for the data to be stored encrypted on both. Encrypted data on the source is not automatically encrypted when it is replicated to the target; encryption must be explicitly turned ‘ON’ on the target QoreStor system.
  • Security Considerations for Passphrase and Key Management
    • A passphrase is a very important part of the encryption process on the QoreStor system, because the passphrase is used to encrypt the content encryption key or keys. If the passphrase is compromised or lost, the administrator should change it immediately so that the content encryption keys do not become vulnerable.
    • The administrator should closely consider security requirements to drive the decision for selecting the mode of key management for the QoreStor system.
    • The Internal mode is more secure than the Static mode since the keys are periodically changed. Key rotation can be set to 7 days minimum.
    • Key modes can be changed at any time during the lifetime of the QoreStor system; however, changing the key mode is a significant operation to undertake as all encrypted data must be re-encrypted.
    • Content encryption keys are stored in their encrypted form in a primary keystore, which is maintained on the same enclosure as the data-stores. For redundancy purposes, a backup copy of the primary keystore is stored on the system in the root partition, separate from the data-store partitions.

Understanding the encryption process

The overall steps for how Encryption at Rest is enabled and used in QoreStor are described below.

  1. Enabling encryption.

    Encryption is disabled by default on QoreStor. An administrator can enable encryption by using the GUI or CLI.

    Encryption is set at the storage group level.

  2. Setting a passphrase and setting the mode.

    When defining encryption for a storage group, a passphrase is set. This passphrase is used to encrypt the content encryption keys, which adds a second layer of security to the key management. At this time, the mode is also set. The default key management mode is “internal” mode, in which key rotation happens periodically as specified by the set key rotation period.

  3. Encryption process.

    After encryption is enabled, the data in the storage group that gets backed up is encrypted and is kept encrypted until it is expired and cleaned by the system cleaner. Note that the encryption process is irreversible.

  4. Encryption of pre-existing data.

    Any pre-existing data will also be encrypted using the currently set mode of key management. This encryption occurs as part of the system cleaner process. Encryption is scheduled as the last action item in the cleaner workflow. You must launch the cleaner manually using the maintenance command to reclaim space. It then encrypts all pre-existing unencrypted data. The cleaner can also be scheduled as per the existing pre-defined cleaner schedule.

    NOTE: The cleaner can take some time to start the encryption process if the system is nearing full system capacity. Encryption starts only after the cleaner processes data slated for cleaning and the related logs. This ensures that space reclamation is prioritized when free space is low and also ensures that data stores are not redundantly encrypted.
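The key-management model described in the considerations and steps above (a passphrase that wraps the content encryption keys, internal-mode rotation with a 7-day to 70-year period and a 1023-key cap, and a passphrase change that re-wraps keys without touching stored data) can be modelled in a few dozen lines. The following is an added example and not QoreStor's own code: it assumes PBKDF2-HMAC-SHA256 for passphrase derivation, uses a standard-library encrypt-then-MAC construction as a stand-in for a real key-wrap such as AES-KW, counts time in whole days with 365-day years, and omits the data-store re-encryption that a mode change triggers.

```python
"""Model of passphrase-wrapped, rotating content encryption keys.

Added example, not QoreStor's code. The wrap/unwrap pair below is a
stand-in (HMAC-SHA256 keystream XOR plus HMAC tag) for a real key-wrap
primitive such as AES-KW, which the standard library does not provide.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Limits and defaults stated in the guide for internal key-management mode.
MAX_INTERNAL_KEYS = 1023
MIN_ROTATION_DAYS = 7
MAX_ROTATION_DAYS = 70 * 365          # "70 years"; 365-day years are an assumption
DEFAULT_ROTATION_DAYS = 30


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key from the passphrase (PBKDF2-HMAC-SHA256, assumed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)


def wrap_key(kek: bytes, cek: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for a key-wrap: nonce(16) || ct(32) || tag(32)."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"stream" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(cek, stream))
    tag = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong passphrase or a tampered entry is rejected."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("keystore entry rejected: wrong passphrase or tampered entry")
    stream = hmac.new(kek, b"stream" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


@dataclass
class Keystore:
    mode: str                                       # "internal" (rotating) or "static"
    rotation_days: int = DEFAULT_ROTATION_DAYS
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    wrapped: list = field(default_factory=list)     # wrapped CEKs; list index is the key id
    last_rotation_day: int = 0

    @classmethod
    def enable(cls, passphrase, mode="internal", rotation_days=DEFAULT_ROTATION_DAYS, day=0):
        """Step 1 and 2 of the process: enable encryption, set passphrase and mode."""
        if mode not in ("internal", "static"):
            raise ValueError("mode must be 'internal' or 'static'")
        if not MIN_ROTATION_DAYS <= rotation_days <= MAX_ROTATION_DAYS:
            raise ValueError(f"rotation period must be {MIN_ROTATION_DAYS}..{MAX_ROTATION_DAYS} days")
        ks = cls(mode=mode, rotation_days=rotation_days, last_rotation_day=day)
        ks.wrapped.append(wrap_key(derive_kek(passphrase, ks.salt), os.urandom(32)))
        return ks

    def current_key_id(self) -> int:
        return len(self.wrapped) - 1

    def maybe_rotate(self, passphrase, day) -> bool:
        """Internal mode only: add a fresh CEK once the rotation period has elapsed."""
        if self.mode != "internal" or day - self.last_rotation_day < self.rotation_days:
            return False
        if len(self.wrapped) >= MAX_INTERNAL_KEYS:
            raise RuntimeError("internal mode key limit reached")
        self.wrapped.append(wrap_key(derive_kek(passphrase, self.salt), os.urandom(32)))
        self.last_rotation_day = day
        return True

    def content_key(self, passphrase, key_id) -> bytes:
        return unwrap_key(derive_kek(passphrase, self.salt), self.wrapped[key_id])

    def change_passphrase(self, old, new) -> int:
        """Re-wrap every CEK under the new passphrase; encrypted data stays as it is."""
        old_kek = derive_kek(old, self.salt)
        ceks = [unwrap_key(old_kek, w) for w in self.wrapped]   # fails before any mutation
        self.salt = os.urandom(16)
        new_kek = derive_kek(new, self.salt)
        self.wrapped = [wrap_key(new_kek, c) for c in ceks]
        return len(self.wrapped)


def simulate(days=100):
    """Run an internal-mode keystore for `days` days, then rotate the passphrase."""
    ks = Keystore.enable("correct horse", mode="internal", rotation_days=30)
    rotations = sum(ks.maybe_rotate("correct horse", d) for d in range(1, days + 1))
    blocks = {f"block{i}": ks.current_key_id() for i in range(3)}   # data records only a key id
    rewrapped = ks.change_passphrase("correct horse", "battery staple")
    key = ks.content_key("battery staple", blocks["block0"])         # still resolves after change
    return {"rotations": rotations, "keys": len(ks.wrapped), "rewrapped": rewrapped, "key_len": len(key)}


if __name__ == "__main__":
    print(simulate())
```

The point the model makes concrete is the asymmetry the guide describes: a compromised passphrase is handled by `change_passphrase`, which touches only the keystore entries (four keys after 100 days at a 30-day period), whereas a mode change would additionally require re-encrypting every data block that references a key id.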

Refer to the QoreStor Command Line Interface Reference Guide for information about the CLI commands used for encryption.

Support, maintenance, and troubleshooting

The QoreStor GUI provides information and tools that help you understand the current state of your system and that provide basic support, maintenance, and troubleshooting functionality.

Using the QoreStor support options

In the QoreStor GUI, the Diagnostics page provides the ability to generate and view diagnostics bundles used by Quest Support to troubleshoot QoreStor problems.
