How Encryption of Data at Rest Works:
Data encryption protects user data if the Data Domain system is stolen or if the physical storage media is lost during transit, and eliminates accidental exposure of a failed drive if it is replaced. If an intruder circumvents network security controls and gains access to encrypted data, the data is unreadable and unusable without the proper cryptographic keys.
When data enters the Data Domain system using any of the supported protocols (NFS, CIFS, VTL, DD Boost, and NDMP Tape Server), the stream is segmented, fingerprinted, de-duplicated (global compression), then grouped into multi-segment compression regions, locally compressed, and finally encrypted before being stored to disk.
Once enabled, the Encryption at Rest feature encrypts all data entering the Data Domain system. You cannot enable encryption at a more granular level.
Data that has been stored before the encryption feature is enabled does not automatically get encrypted. To protect all of the data on the system, when you configure encryption, be sure to enable the option to encrypt existing data.
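As an added illustration (not Data Domain code), the following Python sketch models the ingest order described above: segment, fingerprint, de-duplicate, group into regions, locally compress, then encrypt. The segment size, region size, and the SHA-256 keystream "toy cipher" are constructed stand-ins for the product's real algorithms; the point is that fingerprints are computed over plaintext so de-duplication still works, and ciphertext is the only thing that reaches disk.

```python
import hashlib
import zlib
from typing import Dict, List, Tuple

SEGMENT_SIZE = 8     # constructed toy size; real segments are variable-length and far larger
REGION_SEGMENTS = 4  # constructed: segments grouped into one compression region


def fingerprint(seg: bytes) -> str:
    """Fingerprint is taken over the plaintext segment, before any encryption."""
    return hashlib.sha256(seg).hexdigest()


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode) standing in for the
    product's real algorithm. Symmetric: the same call decrypts. Not for production."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def ingest(stream: bytes, key: bytes, index: Dict[str, int], regions: List[bytes]) -> Tuple[int, int]:
    """Segment, fingerprint, de-duplicate, group, locally compress, then encrypt.
    index maps fingerprint -> region number; regions holds ciphertext only.
    Returns (new unique segments, total regions on disk)."""
    fresh: List[bytes] = []
    for i in range(0, len(stream), SEGMENT_SIZE):
        seg = stream[i:i + SEGMENT_SIZE]
        fp = fingerprint(seg)
        if fp in index:          # global compression: segment already stored
            continue
        index[fp] = len(regions) + len(fresh) // REGION_SEGMENTS
        fresh.append(seg)
    for i in range(0, len(fresh), REGION_SEGMENTS):
        region = b"".join(fresh[i:i + REGION_SEGMENTS])
        compressed = zlib.compress(region)                   # local compression
        nonce = len(regions).to_bytes(8, "big")              # one nonce per region
        regions.append(toy_encrypt(key, nonce, compressed))  # encrypt last
    return len(fresh), len(regions)


def read_region(key: bytes, region_no: int, regions: List[bytes]) -> bytes:
    """Decrypt then decompress; a wrong key yields garbage that zlib rejects."""
    nonce = region_no.to_bytes(8, "big")
    return zlib.decompress(toy_encrypt(key, nonce, regions[region_no]))
```

Ingesting a stream that repeats a segment stores it once, and the on-disk regions are unreadable without the key.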
Using Encryption of Data at Rest with Replication:
Data Domain Replicator software can be used with the optional Encryption of Data at Rest feature, enabling encrypted data to be replicated using collection, directory, or MTree replication for all of the supported topologies.
Replication contexts are always authenticated with a shared secret. That shared secret is used to establish a session key using a Diffie-Hellman key exchange protocol, and that session key is used to encrypt and decrypt the Data Domain system encryption key when appropriate.
Each replication form works uniquely with encryption and offers the same level of security:
· Collection replication requires the source and target to have the same encryption configuration, because the target is expected to be an exact replica of the source data. In particular, the encryption feature must be turned on or off at both source and target, and if the feature is turned on, the encryption algorithm and the system passphrases must also match. The parameters are checked during the replication association phase.
During collection replication, the source system transmits the encrypted user data with the encrypted system encryption key. The data can be recovered at the target because the target machine has the same passphrase and the same system encryption key.
· MTree or directory replication does not require encryption configuration to be the same at both the source and target Data Domain systems. Instead, the source and target securely exchange the target system’s encryption key during the replication association phase, and the data at rest is first decrypted and then re-encrypted at the source using the target system’s encryption key before transmission to the target.
If the target machine has a different encryption configuration, the transmitted data is prepared accordingly. For example, if the feature is turned off at the target, the source decrypts the data and sends it to the target unencrypted.
· In a cascaded replication topology, a replica is chained among three Data Domain systems. The last system in the chain can be configured as a collection, MTree, or directory. If the last system is a collection replication target, it uses the same encryption keys and encrypted data as its source. If the last system is an MTree or directory replication target, it uses its own key, and the data is encrypted at its source. The encryption key for the target at each link is used for encryption. Encryption for systems in the chain works as in a replication pair.
Data encryption protects user data if the Data Domain system is stolen, or if the physical storage media is lost during transit, and eliminates accidental exposure of a failed drive if it is replaced. In addition, if an intruder ever gains access to encrypted data, the data is unreadable and unusable without the proper cryptographic keys.
Encryption of data at rest:
· Encrypts data on the Data Domain system as it is saved, so that it is locked before being moved to another location. This is also called inline data encryption.
· Protects data on a Data Domain system from unauthorized access or accidental exposure.
· Requires an encryption software license.
· Encrypts all ingested data.
· Does not automatically encrypt data that was in the system before encryption was enabled. Such data can be encrypted by enabling an option to encrypt existing data.
Furthermore, you can use all of the currently supported backup applications described in the Backup Application Matrix on the Support Portal with the Encryption of Data at Rest feature.