Encryption Keys Best Practice and Usage (4039570)

The Rapid Recovery Core can encrypt snapshot data for all volumes within any repository using encryption keys that you define and manage from the Core Console.

Instead of encrypting the entire repository, Rapid Recovery lets you specify an encryption key for one or more machines protected on a single Rapid Recovery Core. Each active encryption key creates an encryption domain. There is no limit to the number of encryption keys you can create on the Core.

Key security concepts and considerations include:

• Encryption is performed using 256 Bit Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode that is compliant with SHA-3.
• Deduplication operates within an encryption domain to ensure privacy.
• Encryption is performed without impact on performance.
• You can apply a single encryption key to any number of protected machines, but any protected machine can only have one encryption key applied at a time.
• You can add, remove, import, export, modify, and delete encryption keys that are configured on the Rapid Recovery Core.

For more information on this topic, please see the Rapid Recovery Basic Administration Course - Web Based Training (WBT).

1. As part of protecting a machine.
   • When using this method, you can apply encryption to one or multiple machines simultaneously. This method lets you add a new encryption key, or apply an existing key to the selected machine or machines. To use encryption when first defining protection for a machine, you must select the advanced options in the relevant Protect Machines Wizard. This selection adds an Encryption page to the wizard workflow. From this page, select Enable encryption, and then select an existing encryption key or specify parameters for a new key. For more information, see Protecting a machine or About protecting multiple machines, respectively.
2. By modifying the configuration settings for a machine.
   • This method applies an encryption key to one protected machine at a time.
   • There are two approaches for modifying configuration settings for a machine in the Rapid Recovery UI:•
     • Modify the configuration settings for a specific protected machine. The encryption key you want to use for this approach must already exist on the Rapid Recovery Core, be a universal key type, and must be in an unlocked state. Encryption is part of the General settings. 
     • Click the Not Encrypted icon on the Protected Machines page. Using this approach you can create and apply a new encryption key, or assign an existing unlocked universal key to the specified protected machine. For more information, see Applying an encryption key from the Machines page.

Multi -tenant Cores: In a multi-tenant environment (when a single Core hosts multiple encryption domains), data is partitioned and deduplicated within each encryption domain. As a result, It is recommended to use a single encryption key for multiple protected machines if you want to maximize the benefits of deduplication among a set of protected machines.

You can also share encryption keys between Cores using one of three methods.

1. One method is to export an encryption key as a file from one Rapid Recovery Core and import it to another Core.
2. A second method is to archive data secured with an encryption key, and then import that archived data into another Rapid Recovery Core.
3. The third method is to replicate recovery points from a protected machine using an encryption key. After you replicate protected machines, the encryption keys used in the source Core appear as replicated encryption keys in the target Core.

In all cases, once imported, any encryption key appears in the Core with a state of Locked. To access data from a locked encryption key, you must unlock it. Encryption keys may contain a state of unlocked or locked. An unlocked encryption key can be applied to a protected machine to secure the backup data saved for that machine in the repository. From a Rapid Recovery Core using an unlocked encryption key, you can also recover data from a recovery point. You cannot use a locked encryption key to recover data or to apply to a protected machine. You must first provide the passphrase, thus unlocking the key. The steps to unlock an encryption key are located in the User Guide in the section "Unlocking an encryption key"