You can secure the data protected on your Core at any time by defining an encryption key and applying it to one or more protected machines in your repository. You can apply a single encryption key to any number of protected machines, but any protected machine can only use one encryption key at a time.
The scope of deduplication in Rapid Recovery is limited to protected machines using the same repository and encryption key. Therefore, to maximize the value of deduplication, Quest recommends applying a single encryption key to as many protected machines as is practical. However, there is no limit to the number of encryption keys you can create on the Core. Thus, if legal compliance, security rules, privacy policies, or other circumstances require it, you can add and manage any number of encryption keys. You could then apply each key to only one protected machine, or any set of machines in your repository.
Any time you apply an encryption key to a protected machine, or dissociate an encryption key from a protected machine, Rapid Recovery takes a new base image for that machine upon the next scheduled or forced snapshot. The data stored in that base image (and all subsequent incremental snapshots taken while an encryption key is applied) is protected by a 256-bit advanced encryption standard. There are no known methods for compromising this method of encryption.
If you change the name or passphrase for an existing encryption key currently used for a protected machine, then upon the next scheduled or forced snapshot, Rapid Recovery Core captures and reflects the updated properties of the key. The data stored in that image (and all subsequent incremental snapshots taken while an encryption key is applied) is protected by a 256-bit advanced encryption standard.
Once an encryption key is created and applied to a protected machine, there are two concepts involved in removing that encryption. The first is to disassociate the key from the protected machine. Optionally, once the encryption key is disassociated from all protected machines, it can be deleted from the Rapid Recovery Core.
This section includes the following topics:
You can apply an encryption key to a protected machine using either of two methods:
To use encryption when first defining protection for a machine, you must select the advanced options in the relevant Protect Machines Wizard. This selection adds an Encryption page to the wizard workflow. From this page, select Enable encryption, and then select an existing encryption key or specify parameters for a new key. For more information, see Protecting a machine or About protecting multiple machines, respectively.
Once an encryption key has been added to aRapid Recovery Core, it can be used for any number of protected machines.
If you select an encryption key during the initial protection of one or more machines, that key is automatically applied to any machines you protect using that wizard. In such cases, this procedure is not required.
Perform this procedure:
|
Caution: After you apply an encryption key to a protected machine, Rapid Recovery takes a new base image for that machine upon the next scheduled or forced snapshot. |
The Protected Machines page appears, listing all the machines protected by this Core. An open lock appears for any machine that does not have an encryption key applied. A closed lock indicates that a protected machine has encryption applied.
The Encryption Configuration dialog box appears.
Text Box | Description |
---|---|
Name | Enter a name for the encryption key.
Encryption key names must contain between 1 and 64 alphanumeric characters. Do not use prohibited characters or prohibited phrases. |
Description | Enter a descriptive comment for the encryption key. This information appears in the Description field when viewing a list of encryption keys in the Rapid Recovery Core Console. Descriptions may contain up to 254 characters.
Best practice is to avoid using prohibited characters and prohibited phrases. |
Passphrase | Enter a passphrase used to control access.
Best practice is to avoid using prohibited characters. Record the passphrase in a secure location. Quest Data Protection Support cannot recover a passphrase. Once you create an encryption key and apply it to one or more protected machines, you cannot recover data if you lose the passphrase. |
Confirm Passphrase | Re-enter the passphrase. It is used to confirm the passphrase entry. |
The dialog box closes. The encryption key you specified has been applied to future backups for this protected machine, and the lock now appears as closed.
Optionally, if you want the encryption key applied immediately, force a snapshot. For more information, see Forcing a snapshot.
|
Caution: Rapid Recovery uses AES 256-bit encryption in the Cipher Block Chaining (CBC) mode with 256-bit keys. While using encryption is optional, Quest recommends that you establish an encryption key, and that you protect the passphrase you define. Store the passphrase in a secure location as it is critical for data recovery. Without a passphrase, data recovery is not possible. |
Once an encryption key is applied to a protected machine, all subsequent snapshot data stored in the Rapid Recovery Core is encrypted.
You can disassociate an encryption key from a protected machine. This action does not decrypt the existing backup data, but does result in a new base image for that machine at the time of the next scheduled or forced snapshot.
|
NOTE: If you want to remove an encryption key from the Core, as described in the topic Removing an encryption key, you must first disassociate that encryption key from all protected machines. |
Perform this procedure to disassociate an encryption key from a specific protected machine.
The Protected Machines page appears, listing all the machines protected by this Core. An open lock appears for any machine that does not have an encryption key applied. A closed lock indicates that a protected machine has encryption applied.
The Encryption Configuration dialog box appears.
© ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center