Chat now with support
Chat with Support

Rapid Recovery 6.6 - User Guide

Introduction to Rapid Recovery The Core Console Repositories Core settings Protecting machines
About protecting machines with Rapid Recovery Understanding the Rapid Recovery Agent software installer Deploying Agent to multiple machines simultaneously from the Core Console Using the Deploy Agent Software Wizard to deploy to one or more machines Modifying deploy settings Understanding protection schedules Protecting a machine About protecting multiple machines Enabling application support Settings and functions for protected Exchange servers Settings and functions for protected SQL servers
Managing protected machines Snapshots and recovery points Managing privacy Encryption Credentials Vault Replication Events Reporting VM export Restoring data Bare metal restore
About bare metal restore Differences in bare metal restore for Windows and Linux machines Understanding boot CD creation for Windows machines Managing a Linux boot image Performing a bare metal restore using the Restore Machine Wizard Using the Universal Recovery Console for a BMR Performing a bare metal restore for Linux machines Verifying a bare metal restore
Managing aging data Archiving Cloud accounts Core Console references REST APIs Glossary

Encryption

This section describes the process of securing data in your environment using encryption keys and machine-level snapshot encryption settings.

Topics include:

Understanding encryption keys

The Rapid Recovery Core can encrypt snapshot data for all volumes within any repository using encryption keys that you define and manage from the Core Console.

Instead of encrypting the entire repository, Rapid Recovery lets you specify an encryption key for one or more machines protected on a single Rapid Recovery Core. Each active encryption key creates an encryption domain. There is no limit to the number of encryption keys you can create on the Core.

In a multi-tenant environment (when a single Core hosts multiple encryption domains), data is partitioned and deduplicated within each encryption domain. As a result, Quest recommends using a single encryption key for multiple protected machines if you want to maximize the benefits of deduplication among a set of protected machines.

You can also share encryption keys between Cores using one of three methods. One method is to export an encryption key as a file from one Rapid Recovery Core and import it to another Core. A second method is to archive data secured with an encryption key, and then import that archived data into another Rapid Recovery Core. The third method is to replicate recovery points from a protected machine using an encryption key. After you replicate protected machines, the encryption keys used in the source Core appear as replicated encryption keys in the target Core.

In all cases, once imported, any encryption key appears in the Core with a state of Locked. To access data from a locked encryption key, you must unlock it. For information about importing, exporting, locking or unlocking encryption keys, see the topic Managing encryption keys.

Key security concepts and considerations include:

  • Encryption is performed using 256-bit Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode that is compliant with SHA-3.
  • Deduplication operates within an encryption domain to ensure privacy.
  • Encryption is performed without impact on performance.
  • You can apply a single encryption key to any number of protected machines, but any protected machine can only have one encryption key applied at a time.
  • You can add, remove, import, export, modify, and delete encryption keys that are configured on the Rapid Recovery Core.

    Caution: Rapid Recovery takes a new snapshot whenever you apply an encryption key to a protected machine. A new snapshot is also triggered after you disassociate an encryption key for a protected machine.

Encryption keys generated from the Rapid Recovery Core are text files that contain four parameters, as described in the following table:

Table 80: Components of an encryption key
Component Description
Name This value is equivalent to the key name given when adding a key in the Rapid Recovery Core Console.
Key This parameter consists of 107 randomly generated English alphabetic, numeric, and mathematical operator characters.
ID The key ID consists of 26 randomly generated upper-case and lower-case English characters.
Comment The comment contains the text of the key description entered when the key was created.

Encrypting data in transport over a network

Rapid Recovery Core includes an encryption feature. You can encrypt all data in transport over a network. Quest recommends enabling this encryption setting when data between your Core and protected machines (or between two Cores such as for replication) must flow over the public or untrusted networks such as the internet.

While there is only a small performance cost involved in enabling this encryption, if your Cores and protected machines are within the confines of a private local area network, you can disable this option with confidence.

Please read the following information and adjust your environment accordingly.

By default, when protecting a machine using the Protect Machine wizard or the Protect Multiple Machines wizard, encryption for the data in transport over a network is enabled. If you select advanced options for the wizard, you can view the Encryption options. On the Encryption page of the wizard, if preferred, you can clear the option Encrypt the data in transport over a network.

NOTE: If you do not select Advanced options in the wizard, encryption for data in transport is enabled nevertheless.

After completing the relevant protection wizard, you can always enable or disable encryption for snapshot data by changing transfer settings at the machine level. Select the protected machine, click Settings, and under Transfer settings, for the setting Encrypt snapshot data, select Yes to enable encryption or select No to disable encryption during transport. For specific details, see Viewing and modifying protected machine settings.

Applying or removing encryption keys

You can secure the data protected on your Core at any time by defining an encryption key and applying it to one or more protected machines in your repository. You can apply a single encryption key to any number of protected machines, but any protected machine can only use one encryption key at a time.

The scope of deduplication in Rapid Recovery is limited to protected machines using the same repository and encryption key. Therefore, to maximize the value of deduplication, Quest recommends applying a single encryption key to as many protected machines as is practical. However, there is no limit to the number of encryption keys you can create on the Core. Thus, if legal compliance, security rules, privacy policies, or other circumstances require it, you can add and manage any number of encryption keys. You could then apply each key to only one protected machine, or any set of machines in your repository.

Any time you apply an encryption key to a protected machine, or dissociate an encryption key from a protected machine, Rapid Recovery takes a new base image for that machine upon the next scheduled or forced snapshot. The data stored in that base image (and all subsequent incremental snapshots taken while an encryption key is applied) is protected by a 256-bit advanced encryption standard. There are no known methods for compromising this method of encryption.

If you change the name or passphrase for an existing encryption key currently used for a protected machine, then upon the next scheduled or forced snapshot, Rapid Recovery Core captures and reflects the updated properties of the key. The data stored in that image (and all subsequent incremental snapshots taken while an encryption key is applied) is protected by a 256-bit advanced encryption standard.

Once an encryption key is created and applied to a protected machine, there are two concepts involved in removing that encryption. The first is to disassociate the key from the protected machine. Optionally, once the encryption key is disassociated from all protected machines, it can be deleted from the Rapid Recovery Core.

This section includes the following topics:

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating