This section describes the process of securing data in your environment using encryption keys and machine-level snapshot encryption settings.
Topics include:
Introduction to Rapid Recovery
The Core Console
Accessing the Rapid Recovery Core Console
Understanding the Quick Start Guide
Navigating the Rapid Recovery Core Console
Viewing the Protected Machines menu
Repositories
Viewing summary information for a protected machine
Viewing replicated machines from the navigation menu
Viewing the Recovery Points Only menu
Viewing the Custom Groups menu
Using the Error dialog box
Viewing the Summary pane
Viewing Volumes on a protected machine
Viewing replication information
Viewing the Exchange Server Information pane
Viewing the SQL Server Information pane
Viewing summary information for a host
Viewing recovery points for a machine
Viewing events for a protected machine
Viewing reports for a protected machine
Understanding repositories
Deduplication in Rapid Recovery
Managing a DVM repository
Managing an Azure repository
About DVM repository optimization
Connecting to an existing repository
Viewing or modifying repository details
Checking a repository
Deleting a repository
Core settings
Core settings key functions
Rapid Recovery Core settings
Protecting machines
Configuring Core general settings
Configuring update settings
Understanding nightly jobs
Modifying transfer queue settings
Adjusting client timeout settings
Understanding deduplication cache or dictionary size and storage locations
Configuring Replay engine settings
Configuring deployment settings
Core-level tools
Configuring database connection settings
Modifying loca database connection settings
Managing SMTP server settings
Configuring cloud account connection settings
Managing report settings
Managing Core SQL attachability settings
Understanding Core jobs
Understanding SNMP settings
Configuring vSphere settings
Managing VMware proxy settings
Configuring vFoglight settings
About protecting machines with Rapid Recovery
Managing protected machines
Factors when choosing agent-based or agentless protection
About protecting Linux machines with Rapid Recovery
About protecting Oracle database servers
Understanding the Rapid Recovery Agent software installer
Deploying Agent to multiple machines simultaneously from the Core Console
Using the Deploy Agent Software Wizard to deploy to one or more machines
Entering or editing credentials for Oracle databases
Enabling archive log mode and adding VSS writer for protected Oracle databases
About truncating Oracle logs
Manually truncating Oracle database logs
About managing Exchange and SQL servers in Rapid Recovery Core
About protecting server clusters
Understanding Rapid Snap for Virtual
Benefits of installing hypervisor tools for agentless protection
Understanding crash-consistent and application-consistent backups
Support for Hyper-V guest cluster
Deploying to machines on an Active Directory domain
Deploying to machines on a VMware vCenter/ESXi virtual host
Deploying an upgrade of the Rapid Recovery Agent software to protected machines
Deploying to machines manually
Verifying the deployment to multiple machines
Modifying deploy settings
Understanding protection schedules
Protecting a machine
Protecting a cluster
Creating custom protection schedules in Simple Mode
Creating multiple protection schedule periods in Advanced Mode
Pausing and resuming protection
About protecting multiple machines
Protecting multiple machines on an Active Directory domain
Protecting multiple machines on a VMware vCenter/ESXi virtual host
Protecting vCenter/ESXi virtual machines using agentless protection
Protecting multiple machines on a Hyper-V virtual host
Protecting Hyper-V virtual machines using agentless protection
Protecting multiple machines manually
Monitoring the protection of multiple machines
Enabling application support
Settings and functions for protected Exchange servers
Setting credentials for an Exchange server machine
Forcing log truncation for an Exchange machine
About Exchange database mountability checks
Forcing a mountability check of an Exchange database
Forcing a checksum check of Exchange database files
Settings and functions for protected SQL servers
About managing protected machines
Viewing protected machines
Configuring machine settings
Snapshots and recovery points
Viewing and modifying protected machine settings
Changing the settings for a Hyper-V host or node
Changing the settings for a Hyper-V protected virtual machine
Changing the vSphere settings for a VMware protected virtual machine
Understanding Active Block Mapping
About modifying transfer settings
Customizing nightly jobs for a protected machine
Understanding system information for a protected machine
Managing machines
Removing a machine
Removing a cluster from protection
Viewing license information on a machine
Downloading and viewing the log file for a protected machine
Converting a protected cluster node to a protected machine
Understanding custom groups
Managing snapshots and recovery points
Viewing the recovery points page of a protected machine
Mounting a recovery point
Dismounting recovery points
Working with Linux recovery points
Forcing a snapshot
Removing recovery points
Deleting an orphaned recovery point chain
Migrating recovery points manually to a different repository
Managing privacy
General Data Protection Regulation compliance
How Rapid Recovery uses personal information
Non-phone-home license restrictions
Obtaining and using non-phone-home licenses
Encryption
Understanding encryption keys
Encrypting data in transport over a network
Applying or removing encryption keys
Credentials Vault
Associating an encryption key with a protected machine
Applying an encryption key from the Protected Machines page
Disassociating an encryption key from a protected machine
Managing encryption keys
Understanding the Credentials Vault
Adding accounts to the Credentials Vault
Viewing or changing accounts saved in the vault
Using credentials from the vault
Replication
Replication with Rapid Recovery
Recovery point chains and orphans
When replication begins
Determining your seeding needs and strategy
Performance considerations for replicated data transfer
Viewing incoming and outgoing replication
Configuring replication
Replicating to a self-managed target Core
Replicating to a third-party target Core
Events
Submitting a replication request to a third-party service provider
Reviewing a replication request from a customer
Approving a replication request
Denying a replication request
Ignoring a replication request from a customer
Adding a machine to existing replication
Consuming the seed drive on a target Core
Managing replication settings
Scheduling replication
Using the Copy function to create a seed drive
Monitoring replication
Pausing and resuming replication
Forcing replication
Managing settings for outgoing replication
Changing target Core settings
Setting replication priority for a protected machine
Removing outgoing replication from the source Core
Removing incoming replication from the target Core
Recovering replicated data
Viewing events using tasks, alerts, and journal pages
Reporting
Viewing tasks
Viewing alerts
Viewing a journal of all logged events
Navigating between tasks, alerts, and the events journal
Understanding event notifications in Rapid Recovery
Configuring event settings
About Rapid Recovery reports
Generating a report from the Core Console
Managing scheduled reports from the Core Console
Using the Reports menu
Using the Reports toolbar
Understanding the Job report
Understanding the Job Summary report
Understanding the Failure report
Understanding the Summary report
Understanding the Repository report
Understanding the Classic Summary report
VM export
Exporting to virtual machines using Rapid Recovery
Exporting data to an ESXi virtual machine
Exporting data to a VMware Workstation virtual machine
Exporting data to a Hyper-V virtual machine
Exporting data to a VirtualBox virtual machine
Exporting data to an Azure virtual machine
Restoring data
Working with Microsoft Azure
Managing exports
Azure interface disclaimer
Country codes used on the Azure website
Before virtual export to Azure
About Azure storage accounts
Creating an Azure storage account
Creating a container in an Azure storage account
Creating an Azure Active Directory web application
Obtaining the application ID for an Azure web application
Obtaining Azure subscription information
Obtaining the directory ID for your Azure web application
Obtaining a secret key for your Azure web application
Microsoft Azure documentation
Exporting and deploying VMs for Azure
About restoring data with Rapid Recovery
Understanding Live Recovery
Restoring data from recovery points
r_VM_configuration_backup_and_restore_for_VMware_and_Hyper-V
About the file search and restore feature
About restoring volumes from a recovery point
Bare metal restore
Restoring volumes from a recovery point
Restoring a directory or file using Windows Explorer
Restoring a directory or file and preserving permissions using Windows Explorer
Restoring clusters and cluster nodes
Restoring from an attached archive
Mail Restore in Rapid Recovery
About bare metal restore
Differences in bare metal restore for Windows and Linux machines
Understanding boot CD creation for Windows machines
Managing aging data
Archiving
Understanding driver injection in a boot CD
Using UltraVNC for remote access
Creating a boot CD ISO image
Transferring the boot CD ISO image to media
Loading the boot CD and starting the target machine
Managing a Linux boot image
About the boot ISO image for Linux
Downloading a boot ISO image for Linux
Saving the Live DVD ISO image to media
Loading the Live DVD and starting the target machine
Connecting to the BMR target from the Rapid Recovery Core
Performing a bare metal restore using the Restore Machine Wizard
Using the Universal Recovery Console for a BMR
About the Universal Recovery Console tools
Loading drivers using the Universal Recovery Console
Performing a bare metal restore for Linux machines
Loading drivers in the Universal Recovery Console using portable media
Loading a driver in the URC using Chromium
Selecting a recovery point and initiating a BMR
About disk mapping for a bare metal restore
Performing a BMR from an archive
Loading drivers to the operating system
Managing Linux partitions
Verifying a bare metal restore
Creating partitions on the destination drive
Formatting partitions on the destination drive
Mounting partitions from the command line
Launching a bare metal restore for Linux
Starting the Screen utility
Launching a bare metal restore for a Linux machine using the command line
Restoring volumes for a Linux machine using the command line
Understanding archives
Cloud accounts
Archive creation and storage options
Amazon storage options and archiving
Recovery point chain options for archives
Methods to access an archive
Uses for archives
Creating an archive
Editing a scheduled archive
Pausing or resuming a scheduled archive
Forcing an archive job
Checking an archive
Attaching an archive
Detaching an archive
Importing an archive
About cloud accounts
Considering cloud storage options
Adding a cloud account
Editing a cloud account
Removing a cloud account
Core Console references
REST APIs
Intended audience
Working with Rapid Recovery REST APIs
Downloading and viewing Core and Agent APIs
Recommended additional reading
Glossary
Encryption
Encryption
Understanding encryption keys
The Rapid Recovery Core can encrypt snapshot data for all volumes within any repository using encryption keys that you define and manage from the Core Console.
Instead of encrypting the entire repository, Rapid Recovery lets you specify an encryption key for one or more machines protected on a single Rapid Recovery Core. Each active encryption key creates an encryption domain. There is no limit to the number of encryption keys you can create on the Core.
In a multi-tenant environment (when a single Core hosts multiple encryption domains), data is partitioned and deduplicated within each encryption domain. As a result, Quest recommends using a single encryption key for multiple protected machines if you want to maximize the benefits of deduplication among a set of protected machines.
You can also share encryption keys between Cores using one of three methods. One method is to export an encryption key as a file from one Rapid Recovery Core and import it to another Core. A second method is to archive data secured with an encryption key, and then import that archived data into another Rapid Recovery Core. The third method is to replicate recovery points from a protected machine using an encryption key. After you replicate protected machines, the encryption keys used in the source Core appear as replicated encryption keys in the target Core.
In all cases, once imported, any encryption key appears in the Core with a state of Locked. To access data from a locked encryption key, you must unlock it. For information about importing, exporting, locking or unlocking encryption keys, see the topic Managing encryption keys.
Key security concepts and considerations include:
- Encryption is performed using 256-bit Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode that is compliant with SHA-3.
- Deduplication operates within an encryption domain to ensure privacy.
- Encryption is performed without impact on performance.
- You can apply a single encryption key to any number of protected machines, but any protected machine can only have one encryption key applied at a time.
- You can add, remove, import, export, modify, and delete encryption keys that are configured on the Rapid Recovery Core.
Caution: Rapid Recovery takes a new snapshot whenever you apply an encryption key to a protected machine. A new snapshot is also triggered after you disassociate an encryption key for a protected machine.
Encryption keys generated from the Rapid Recovery Core are text files that contain four parameters, as described in the following table:
| Component | Description |
|---|---|
| Name | This value is equivalent to the key name given when adding a key in the Rapid Recovery Core Console. |
| Key | This parameter consists of 107 randomly generated English alphabetic, numeric, and mathematical operator characters. |
| ID | The key ID consists of 26 randomly generated upper-case and lower-case English characters. |
| Comment | The comment contains the text of the key description entered when the key was created. |
Encrypting data in transport over a network
Rapid Recovery Core includes an encryption feature. You can encrypt all data in transport over a network. Quest recommends enabling this encryption setting when data between your Core and protected machines (or between two Cores such as for replication) must flow over the public or untrusted networks such as the internet.
While there is only a small performance cost involved in enabling this encryption, if your Cores and protected machines are within the confines of a private local area network, you can disable this option with confidence.
Please read the following information and adjust your environment accordingly.
By default, when protecting a machine using the Protect Machine wizard or the Protect Multiple Machines wizard, encryption for the data in transport over a network is enabled. If you select advanced options for the wizard, you can view the Encryption options. On the Encryption page of the wizard, if preferred, you can clear the option Encrypt the data in transport over a network.
|
|
NOTE: If you do not select Advanced options in the wizard, encryption for data in transport is enabled nevertheless. |
After completing the relevant protection wizard, you can always enable or disable encryption for snapshot data by changing transfer settings at the machine level. Select the protected machine, click Settings, and under Transfer settings, for the setting Encrypt snapshot data, select Yes to enable encryption or select No to disable encryption during transport. For specific details, see Viewing and modifying protected machine settings.
Applying or removing encryption keys
You can secure the data protected on your Core at any time by defining an encryption key and applying it to one or more protected machines in your repository. You can apply a single encryption key to any number of protected machines, but any protected machine can only use one encryption key at a time.
The scope of deduplication in Rapid Recovery is limited to protected machines using the same repository and encryption key. Therefore, to maximize the value of deduplication, Quest recommends applying a single encryption key to as many protected machines as is practical. However, there is no limit to the number of encryption keys you can create on the Core. Thus, if legal compliance, security rules, privacy policies, or other circumstances require it, you can add and manage any number of encryption keys. You could then apply each key to only one protected machine, or any set of machines in your repository.
Any time you apply an encryption key to a protected machine, or dissociate an encryption key from a protected machine, Rapid Recovery takes a new base image for that machine upon the next scheduled or forced snapshot. The data stored in that base image (and all subsequent incremental snapshots taken while an encryption key is applied) is protected by a 256-bit advanced encryption standard. There are no known methods for compromising this method of encryption.
If you change the name or passphrase for an existing encryption key currently used for a protected machine, then upon the next scheduled or forced snapshot, Rapid Recovery Core captures and reflects the updated properties of the key. The data stored in that image (and all subsequent incremental snapshots taken while an encryption key is applied) is protected by a 256-bit advanced encryption standard.
Once an encryption key is created and applied to a protected machine, there are two concepts involved in removing that encryption. The first is to disassociate the key from the protected machine. Optionally, once the encryption key is disassociated from all protected machines, it can be deleted from the Rapid Recovery Core.
This section includes the following topics: