
Rapid Recovery 6.1.2 - User Guide


Understanding encryption keys

The Rapid Recovery Core can encrypt snapshot data for all volumes within any repository using encryption keys that you define and manage from the Core Console.

Instead of encrypting the entire repository, Rapid Recovery lets you specify an encryption key for one or more machines protected on a single Rapid Recovery Core. Each active encryption key creates an encryption domain. There is no limit to the number of encryption keys you can create on the Core.

In a multi-tenant environment (when a single Core hosts multiple encryption domains), data is partitioned and deduplicated within each encryption domain. As a result, Quest recommends using a single encryption key for multiple protected machines if you want to maximize the benefits of deduplication among a set of protected machines.

You can also share encryption keys between Cores using one of three methods. One method is to export an encryption key as a file from one Rapid Recovery Core and import it to another Core. A second method is to archive data secured with an encryption key, and then import that archived data into another Rapid Recovery Core. The third method is to replicate recovery points from a protected machine using an encryption key. After you replicate protected machines, the encryption keys used in the source Core appear as replicated encryption keys in the target Core.

In all cases, once imported, any encryption key appears in the Core with a state of Locked. To access data from a locked encryption key, you must unlock it. For information about importing, exporting, locking or unlocking encryption keys, see the topic Managing encryption keys.

Key security concepts and considerations include:

CAUTION: Rapid Recovery takes a new snapshot whenever you apply an encryption key to a protected machine. A new snapshot is also triggered after you disassociate an encryption key for a protected machine.

Encryption keys generated from the Rapid Recovery Core are text files that contain four parameters, as described in the following table:

Table 35. Components of an encryption key

| Component | Description |
|-----------|-------------|
| Name | This value is equivalent to the key name given when adding a key in the Rapid Recovery Core Console. |
| Key | This parameter consists of 107 randomly generated English alphabetic, numeric, and mathematical operator characters. |
| ID | The key ID consists of 26 randomly generated upper-case and lower-case English characters. |
| Comment | The comment contains the text of the key description entered when the key was created. |

Applying or removing encryption from a protected machine

You can secure the data protected on your Core at any time by defining an encryption key and applying it to one or more protected machines in your repository. You can apply a single encryption key to any number of protected machines, but any protected machine can only use one encryption key at a time.

The scope of deduplication in Rapid Recovery is limited to protected machines using the same repository and encryption key. Therefore, to maximize the value of deduplication, Quest recommends applying a single encryption key to as many protected machines as is practical. However, there is no limit to the number of encryption keys you can create on the Core. Thus, if legal compliance, security rules, privacy policies, or other circumstances require it, you can add and manage any number of encryption keys. You could then apply each key to only one protected machine, or any set of machines in your repository.
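
The trade-off described above can be put into numbers with a toy model. This is an added example, not Quest code and not Rapid Recovery's actual deduplication algorithm: it counts the unique blocks stored per (repository, encryption key) scope for three key plans. The machine names, key names, `repo1`, the 4-byte block size and the SHA-256 fingerprints are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

BLOCK = 4  # assumed toy block size in bytes; the page does not state the real one


def fingerprints(data: bytes) -> set:
    """Fingerprint each fixed-size block of a machine's data."""
    return {hashlib.sha256(data[i:i + BLOCK]).hexdigest()
            for i in range(0, len(data), BLOCK)}


def blocks_per_domain(machines: dict, assignment: dict) -> dict:
    """Unique blocks stored in each (repository, key) deduplication scope.

    The assignment dict maps every machine to exactly one (repository, key)
    pair, mirroring the rule that a machine uses one encryption key at a time.
    """
    missing = set(machines) - set(assignment)
    if missing:
        raise ValueError(f"no repository/key assigned for: {sorted(missing)}")
    domains = defaultdict(set)
    for name, data in machines.items():
        # Identical blocks are merged only inside the same scope.
        domains[assignment[name]] |= fingerprints(data)
    return {scope: len(blocks) for scope, blocks in domains.items()}


def total_blocks(machines: dict, assignment: dict) -> int:
    """Total blocks the repository has to keep under a given key plan."""
    return sum(blocks_per_domain(machines, assignment).values())


# Constructed sample data: three machines sharing a common 3-block OS image.
COMMON = b"AAAABBBBCCCC"
MACHINES = {"web1": COMMON + b"W001", "web2": COMMON + b"W002",
            "db1": COMMON + b"D001"}

SHARED_KEY = {m: ("repo1", "key-all") for m in MACHINES}
PER_TENANT = {"web1": ("repo1", "key-tenantA"), "web2": ("repo1", "key-tenantA"),
              "db1": ("repo1", "key-tenantB")}
PER_MACHINE = {m: ("repo1", f"key-{m}") for m in MACHINES}

if __name__ == "__main__":
    for label, plan in [("one shared key", SHARED_KEY),
                        ("one key per tenant", PER_TENANT),
                        ("one key per machine", PER_MACHINE)]:
        print(f"{label:20} -> {total_blocks(MACHINES, plan)} stored blocks")
```

The common blocks are stored once under a shared key but once per key when machines are split across encryption domains, which is the storage cost of the isolation that separate keys provide.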

Any time you apply an encryption key to a protected machine, or dissociate an encryption key from a protected machine, Rapid Recovery takes a new base image for that machine upon the next scheduled or forced snapshot. The data stored in that base image (and all subsequent incremental snapshots taken while an encryption key is applied) is protected by 256-bit Advanced Encryption Standard (AES) encryption. There are no known methods for compromising this method of encryption.

If you change the name or passphrase for an existing encryption key currently applied to a protected machine, then upon the next scheduled or forced snapshot, Rapid Recovery Core captures and reflects the updated properties of the key. The data stored in that image (and all subsequent incremental snapshots taken while an encryption key is applied) is protected by 256-bit Advanced Encryption Standard (AES) encryption. There are no known methods for compromising this method of encryption.

Once an encryption key is created and applied to a protected machine, there are two concepts involved in removing that encryption. The first is to disassociate the key from the protected machine. Optionally, once the encryption key is disassociated from all protected machines, it can be deleted from the Rapid Recovery Core.

This section includes the following topics:

Associating an encryption key with a protected machine

You can apply an encryption key to a protected machine using either of two methods:

As part of protecting a machine. When using this method, you can apply encryption to one or multiple machines simultaneously. This method lets you add a new encryption key, or apply an existing key to the selected machine or machines.

To use encryption when first defining protection for a machine, you must select the advanced options in the relevant Protect Machines Wizard. This selection adds an Encryption page to the wizard workflow. From this page, select Enable encryption, and then select an existing encryption key or specify parameters for a new key. For more information, see Protecting a machine or About protecting multiple machines, respectively.

By modifying the configuration settings for a machine. This method applies an encryption key to one protected machine at a time. There are two approaches for modifying configuration settings for a machine in the Rapid Recovery UI:
Modify the configuration settings for a specific protected machine. The encryption key you want to use for this approach must already exist on the Rapid Recovery Core, be a universal key type, and must be in an unlocked state. Encryption is part of the General settings. For more information, see Viewing and modifying protected machine settings.
Click the Not Encrypted icon on the Protected Machines page. Using this approach you can create and apply a new encryption key, or assign an existing unlocked universal key to the specified protected machine. For more information, see Applying an encryption key from the Protected Machines page.

Applying an encryption key from the Protected Machines page

Once an encryption key has been added to a Rapid Recovery Core, it can be used for any number of protected machines.

If you select an encryption key during the initial protection of one or more machines, that key is automatically applied to any machines you protect using that wizard. In such cases, this procedure is not required.

Perform this procedure:

CAUTION: After you apply an encryption key to a protected machine, Rapid Recovery takes a new base image for that machine upon the next scheduled or forced snapshot.
1. Navigate to the Rapid Recovery Core and click Protected Machines.

The Protected Machines page appears, listing all the machines protected by this Core. An open lock appears for any machine that does not have an encryption key applied. A closed lock indicates that a protected machine has encryption applied.

The Encryption Configuration dialog box appears.

If you want to apply an existing encryption key to this machine, select Encrypt data using Core-based encryption with an existing key, and from the drop-down menu, select the appropriate key. Click OK to confirm.
If you want to change an existing encryption key to a different universal, unlocked key, select Encrypt data using Core-based encryption with a new key, and from the drop-down menu, select the appropriate key. Click OK to confirm.
If you want to create a new encryption key and apply it to this protected machine, select Encrypt data using Core-based encryption with a new key. Then enter the details for the key as described in the following table.

Table 36. New encryption key details

| Text Box | Description |
|----------|-------------|
| Name | Enter a name for the encryption key. Encryption key names must contain between 1 and 64 alphanumeric characters. Do not use prohibited characters or prohibited phrases. |
| Description | Enter a descriptive comment for the encryption key. This information appears in the Description field when viewing a list of encryption keys in the Rapid Recovery Core Console. Descriptions may contain up to 254 characters. Best practice is to avoid using prohibited characters and prohibited phrases. |
| Passphrase | Enter a passphrase used to control access. Best practice is to avoid using prohibited characters. Record the passphrase in a secure location. Quest Support cannot recover a passphrase. Once you create an encryption key and apply it to one or more protected machines, you cannot recover data if you lose the passphrase. |
| Confirm Passphrase | Re-enter the passphrase. It is used to confirm the passphrase entry. |

4. Click OK.

The dialog box closes. The encryption key you specified has been applied to future backups for this protected machine, and the lock now appears as closed.

Optionally, if you want the encryption key applied immediately, force a snapshot. For more information, see Forcing a snapshot.

CAUTION: Rapid Recovery uses AES 256-bit encryption in the Cipher Block Chaining (CBC) mode with 256-bit keys. While using encryption is optional, Quest recommends that you establish an encryption key, and that you protect the passphrase you define. Store the passphrase in a secure location as it is critical for data recovery. Without a passphrase, data recovery is not possible.