Rapid Recovery 6.3 - User Guide


Managing encryption keys

To manage encryption keys for the Rapid Recovery Core, from the icon bar, click More and then select Encryption Keys. The Encryption Keys page appears. For each encryption key added to your Rapid Recovery Core (if any have been defined yet), you see the information described in the following table.

Table 37: Information about each encryption key
UI Element Description
Select Item For each encryption key, you can select the checkbox to perform actions from the list of menu options above the table.
Name The name associated with the encryption key.
Thumbprint This parameter is a 26-character alphabetic string of randomly generated English upper and lower case letters that helps uniquely identify each encryption key.
Type Type describes the origin point of an encryption key and its ability to be applied. An encryption key can have one of two possible types:

Universal. Universal type is the default condition when you create an encryption key. A key with a type of Universal, combined with a state of Unlocked, indicates that the key can be applied to a protected machine. You cannot manually lock a universal key type; instead, you must first change its type as described in the procedure Changing encryption key types.

Replication. When a protected machine in a source Core has encryption enabled, and recovery points for that machine are replicated in a target Core, any encryption keys used in the source appear automatically in the target Core with a type of Replication. The default state after receiving a replicated key is locked. You can unlock an encryption key with a type of Replication by providing the passphrase. If a key has a state of Unlocked, you can manually lock it. For more information, see the topic Unlocking an encryption key.

State The state indicates whether an encryption key can be used. Two possible states include:
  • Unlocked. An Unlocked state indicates that the key can be used immediately. For example, you can encrypt snapshots for a protected machine, or perform data recovery from a replicated recovery point on the target Core.
  • Locked. A Locked state indicates that the key cannot be used until it is unlocked by providing the passphrase. Locked is the default state for a newly imported or replicated encryption key.

If the state of an encryption key is locked, it must be unlocked before it can be used.

If you previously unlocked a locked encryption key, and the duration to remain unlocked has expired, the state changes from unlocked to locked. After the key locks automatically, you must unlock the key again in order to use it. For more information, see the topic Unlocking an encryption key.

Description The description is an optional field that is recommended to provide useful information about the encryption key such as its intended use or a passphrase hint.

At the top level of the Encryption Keys pane, you can add an encryption key or import a key using a file exported from another Rapid Recovery Core. You can also delete keys selected in the summary table.

Once an encryption key exists for a Core, you can manage the existing keys by editing the name or description properties; changing the passphrase; unlocking a locked encryption key; or removing the key from the Rapid Recovery Core. You can also export a key to a file, which can be imported into another Rapid Recovery Core.

When you add an encryption key from the Encryption Keys page, the key appears in the list of encryption keys, but is not applied to a specific protected machine. For information on how to apply an encryption key you create from the Encryption Keys pane, or to delete a key entirely from the Rapid Recovery Core, see Applying or removing encryption keys.

From the Encryption Keys pane, you can manage security for the backup data saved to the Core for any protected machine in your repository by doing the following:

Adding an encryption key

Rapid Recovery uses AES 256-bit encryption in the Cipher Block Chaining (CBC) mode with 256-bit keys. While using encryption is optional, Quest recommends that you establish an encryption key, and that you protect the passphrase you define.

Caution: Store the passphrase in a secure location. Without a passphrase, you cannot recover data from encrypted recovery points.

After an encryption key is defined, you can use it to safeguard your data. Encryption keys can be used by any number of protected machines.

This step describes how to add an encryption key from the Rapid Recovery Core Console. This process does not apply the key to any machines currently being protected on the Core. You can also add an encryption key during the process of protecting a machine. For more information on adding encryption as part of protecting one machine, see Protecting a machine. For more information on adding encryption to two or more machines while initially protecting them, see About protecting multiple machines.

Complete the steps in this procedure to add an encryption key.

  1. Navigate to the Rapid Recovery Core Console.
  2. On the icon bar, click More and then select Encryption Keys.
    The Encryption Keys page appears.
  3. Click Add Encryption Key.

    The Create Encryption Key dialog box appears.

  4. In the Create Encryption Key dialog box, enter the details for the key as described in the following table.
    Table 38: Create encryption key details.
    Text Box Description

    Name

    Enter a name for the encryption key.

    Encryption key names must contain between 1 and 64 alphanumeric characters. Do not use prohibited characters and prohibited phrases.

    Description

    Enter a comment for the encryption key.

    This information appears in the Description field when viewing encryption keys from the Core Console. You can enter up to 254 characters.

    Best practice is to avoid using prohibited characters and prohibited phrases.

    Passphrase

    Enter a passphrase used to control access.

    Best practice is to avoid using prohibited characters.

    Caution: Record the passphrase in a secure location. Quest Data Protection Support cannot recover a passphrase. Once you create an encryption key and apply it to one or more protected machines, you cannot recover data if you lose the passphrase.

    Confirm passphrase

    Re-enter the passphrase. It is used to confirm the passphrase entry.

  5. Click OK.

    The dialog box closes and the encryption key you created is visible on the Encryption Keys page.

  6. If you want to apply the encryption key to a protected machine, see Applying an encryption key from the Protected Machines page.

Importing an encryption key

You can import an encryption key from another Rapid Recovery Core and use that key to encrypt data for a protected machine in your Core. To import the key, you must be able to access it from the Core machine, either locally or through your network. You must also know the passphrase for the encryption key.

Complete the steps in this procedure to import an encryption key.

NOTE: This procedure does not apply the key to any protected machines. For more information on applying the key, see Applying an encryption key from the Protected Machines page.

  1. Navigate to the Rapid Recovery Core Console.
  2. On the icon bar, click More and then select Encryption Keys.
    The Encryption Keys page appears.
  3. Click Import.

    The File Upload dialog box appears.

  4. In the File Upload dialog box, navigate to the network or local directory containing the encryption key you want to import.
    For example, navigate to the Downloads folder for the logged-in user.

    The key filename starts with "EncryptionKey-," followed by the key ID, and ending in the file extension .key. For example, a sample encryption key name is EncryptionKey-RandomAlphabeticCharacters.key.

  5. Select the key you want to import, and then click Open.
  6. In the Import Key dialog box, click OK.

    The dialog box closes and the encryption key you imported is visible on the Encryption Keys page. If the encryption key was used to protect a volume before it was exported, the state of the key is Locked.

Unlocking an encryption key

Encryption keys have a state of either unlocked or locked. An unlocked encryption key can be applied to a protected machine to secure the backup data saved for that machine in the repository. From a Rapid Recovery Core using an unlocked encryption key, you can also recover data from a recovery point.

When you import an encryption key into a Rapid Recovery Core, its default state is Locked. This is true regardless of whether you explicitly imported the key, or whether the encryption key was added to the Rapid Recovery Core either by replicating encrypted protected machines or by importing an archive of encrypted recovery points.

For encryption keys added to the Rapid Recovery Core by replication only, when you unlock a key, you can specify a duration of time (in hours, days, or months) for the encryption key to remain unlocked. Each day is based on a 24-hour period, starting from the time the unlock request is saved to the Rapid Recovery Core. For example, if the key is unlocked at 11:24 AM on Tuesday and the duration selected is 2 days, the key automatically re-locks at 11:24 AM that Thursday.

NOTE: You cannot use a locked encryption key to recover data or to apply to a protected machine. You must first provide the passphrase, thus unlocking the key.

You can also lock an unlocked encryption key, ensuring that it cannot be applied to any protected machine until it is unlocked. To lock an encryption key with a type of Universal, you must first change its type to Replication.

If an unlocked encryption key is currently being used to protect a machine in the Core, you must first disassociate that encryption key from the protected machine before you can lock it.

Complete the steps in this procedure to unlock a locked encryption key.

  1. Navigate to the Rapid Recovery Core Console.
  2. On the icon bar, click More and then select Encryption Keys.
    The Encryption Keys page appears. The State column indicates which encryption keys are locked.
  3. Locate the encryption key you want to unlock, click its More drop-down menu, and select Unlock.

    The Unlock Encryption Key dialog box appears.

  4. In the dialog box, in the Passphrase text box, enter the passphrase to unlock this key.
  5. To specify the length of time that the key remains unlocked, in the Duration option, do one of the following:
    • To specify that the key remains unlocked until you explicitly lock it, select Until locked manually.
    • To specify that the key remains unlocked for a duration that you configure in hours, days, or months, do the following:
      • Select the number field and enter a value between 1 and 999.
      • Specify the duration number as hours, days, or months, respectively.
      • Then click OK.

        This option is available for encryption keys added by replication.

        The dialog box closes and the changes for the selected encryption key are visible on the Encryption Keys page.

  6. To specify that the key remains unlocked until a date and time that you specify, do the following:
    • Select the Until option.
    • In the text field or using the calendar and clock widgets, explicitly specify the date and time you want the encryption key to lock.
    • Then click OK.

      This option is available for encryption keys added by replication.

      The dialog box closes and the changes for the selected encryption key are visible on the Encryption Keys page.
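
The locking rules and the 24-hour-day re-lock timing described in this topic, as an added Python model (not Quest code and not part of Rapid Recovery). The class, field and function names are hypothetical; the passphrase check is not modeled, months are omitted because the guide does not define their length, and flagging open-ended unlocks is an assumed review criterion.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# A "day" is a 24-hour period counted from the time the unlock is saved.
UNITS = {"hours": timedelta(hours=1), "days": timedelta(hours=24)}


@dataclass
class EncryptionKey:
    """Hypothetical model of one row on the Encryption Keys page."""
    name: str
    type: str = "Universal"               # "Universal" or "Replication"
    state: str = "Unlocked"               # "Unlocked" or "Locked"
    in_use: bool = False                  # applied to a protected machine
    relock_at: Optional[datetime] = None  # None = until locked manually

    def unlock(self, now, amount=None, unit=None):
        """Unlock the key; an amount and unit set a timed window."""
        if amount is not None:
            if self.type != "Replication":
                raise ValueError("timed unlock applies to replicated keys only")
            if not 1 <= amount <= 999:
                raise ValueError("duration must be between 1 and 999")
            self.relock_at = now + amount * UNITS[unit]
        else:
            self.relock_at = None
        self.state = "Unlocked"

    def lock(self):
        """Manual lock, refusing the cases the guide rules out."""
        if self.type == "Universal":
            raise ValueError("change the key type before locking a Universal key")
        if self.in_use:
            raise ValueError("disassociate the key from protected machines first")
        self.state, self.relock_at = "Locked", None

    def state_at(self, when):
        """State the key has at `when`, applying the automatic re-lock."""
        if self.state == "Unlocked" and self.relock_at and when >= self.relock_at:
            return "Locked"
        return self.state


def open_ended_replication_keys(keys, now):
    """Names of replicated keys that are unlocked with no re-lock time."""
    return [k.name for k in keys
            if k.type == "Replication" and k.relock_at is None
            and k.state_at(now) == "Unlocked"]
```
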
