
DR Series Software 4.0.0.3 - Administration Guide


Understanding Encryption at Rest


Data that resides in the DR Series system can be encrypted. When encryption is enabled, the DR Series system uses the industry-standard, FIPS 140-2 compliant 256-bit Advanced Encryption Standard (AES) algorithm to encrypt and decrypt user data. The content encryption key is managed by the key manager, which operates in either Static mode or Internal mode. In Static mode, a global, fixed key is used to encrypt all data. In Internal mode, the key manager performs key lifecycle management, in which the keys are periodically rotated. The minimum rotation period before the content encryption key can be rotated and a new key generated is 7 days. The rotation period is user-configurable and is specified in days. A user-defined passphrase is used to generate a passphrase key, which is used to encrypt the content encryption keys. A passphrase must be defined before encryption can be enabled. The system supports up to 1023 different content encryption keys. All streams of a data-store are encrypted or re-encrypted with the same content encryption key. DR Series system statistics consistently report the number of bytes encrypted and decrypted.

Encryption at Rest Terminology


This topic introduces and briefly defines some basic encryption at rest terminology used in the DR Series system documentation.

Encryption at Rest and DR Series Considerations


This topic describes key features and considerations of using Encryption at Rest in the DR Series system.

Key Management — In Internal mode there is a maximum limit of 1023 keys. By default, when encryption is enabled on the system, the key rotation period is set to 30 days. Users can later change the key rotation period to any value from 7 days to 70 years when configuring the Internal mode of encryption.
Performance Impacts — Encryption should have minimal to zero impact on both backup and restore workflows. It should also have no impact on the replication workflows.
Replication — Encryption must be enabled on both the source and target DR Series systems to store encrypted data on the systems. Data that is encrypted on the source is not automatically encrypted when it is replicated to the target; it is stored encrypted on the target only if encryption is explicitly turned ‘ON’ on the target DR Series system.
Seeding — Encryption must be enabled on both the source and target DR Series systems to store encrypted data on the systems. If seeding is configured for encryption, the data is re-encrypted and stored. When the data stream is imported onto the target from the seed device, the stream is encrypted according to the target policy and stored.
Security Considerations for Passphrase and Key Management
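
The key hierarchy from "Understanding Encryption at Rest" and the rotation limits from the Key Management consideration can be modeled as follows. This is an added example, not DR Series code: the `KeyManager` class and its method names are hypothetical, PBKDF2 and AES-256-GCM are assumed stand-ins for the unspecified key derivation and key wrapping, and refusing a new key at the 1023-key limit is this model's choice.

```javascript
const nodeCrypto = require('crypto');

// Values stated on the page. MAX_ROTATION_DAYS assumes 365-day years.
const MIN_ROTATION_DAYS = 7, DEFAULT_ROTATION_DAYS = 30, MAX_ROTATION_DAYS = 70 * 365;
const MAX_KEYS = 1023, DAY_MS = 24 * 60 * 60 * 1000;

class KeyManager {
  // mode: 'static' (one fixed key) or 'internal' (periodic rotation).
  constructor(passphrase, mode = 'internal', rotationDays = DEFAULT_ROTATION_DAYS, now = Date.now()) {
    if (!passphrase) throw new Error('a passphrase is mandatory to enable encryption');
    if (mode === 'internal' && (rotationDays < MIN_ROTATION_DAYS || rotationDays > MAX_ROTATION_DAYS))
      throw new Error('rotation period must be between 7 days and 70 years');
    this.mode = mode;
    this.rotationMs = rotationDays * DAY_MS;
    this.salt = nodeCrypto.randomBytes(16);
    this.wrapped = []; // content encryption keys, stored only in wrapped form
    this.addKey(passphrase, now);
  }
  // Passphrase key. PBKDF2-HMAC-SHA256 is an assumed KDF, not taken from the page.
  passphraseKey(passphrase) {
    return nodeCrypto.pbkdf2Sync(passphrase, this.salt, 200000, 32, 'sha256');
  }
  // New 256-bit content key, wrapped with AES-256-GCM (assumed wrap algorithm).
  // Refusing at the limit is this model's choice; the page does not say what the system does.
  addKey(passphrase, now) {
    if (this.wrapped.length >= MAX_KEYS) throw new Error('content encryption key limit reached');
    const iv = nodeCrypto.randomBytes(12);
    const c = nodeCrypto.createCipheriv('aes-256-gcm', this.passphraseKey(passphrase), iv);
    const ct = Buffer.concat([c.update(nodeCrypto.randomBytes(32)), c.final()]);
    this.wrapped.push({ iv, ct, tag: c.getAuthTag(), created: now });
  }
  // Internal mode only: add a key once the current one has reached the rotation period.
  rotateIfDue(passphrase, now) {
    const current = this.wrapped[this.wrapped.length - 1];
    if (this.mode !== 'internal' || now - current.created < this.rotationMs) return false;
    this.unwrap(passphrase, this.wrapped.length - 1); // throws if the passphrase is wrong
    this.addKey(passphrase, now);
    return true;
  }
  // Recover content key `id`; a wrong passphrase fails the GCM tag check and throws.
  unwrap(passphrase, id) {
    const { iv, ct, tag } = this.wrapped[id];
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', this.passphraseKey(passphrase), iv);
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]);
  }
}
```

Older wrapped keys stay in the list after a rotation because data written under them still has to be decrypted.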

Understanding the encryption process


The overall steps for how Encryption at Rest is enabled and used in the DR Series system are described below.

Encryption is set at the storage group level.

4. Encryption of pre-existing data. Any pre-existing data will also be encrypted using the currently set mode of key management. This encryption occurs as part of the system cleaner process. Encryption is scheduled as the last action item in the cleaner workflow. You must launch the cleaner manually using the maintenance command to reclaim space. It then encrypts all pre-existing unencrypted data. The cleaner can also be scheduled as per the existing pre-defined cleaner schedule.

Refer to the DR Series System Command Line Interface Reference Guide for information about the CLI commands used for encryption.
