Home » Dell Manuals » Storage Devices » Dell DR4300 » Manual Viewer

Dell DR4300 DR Series System Administrator Guide - Page 146

Encryption at Rest and DR Series Considerations, Understanding the Encryption Process

Get Dell DR4300 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 146 highlights

Term Description days. This rotation period is user-configurable and can be specified in days. Encryption at Rest and DR Series Considerations This topic describes key features and considerations of using Encryption at Rest in the DR Series system. • Key Management - In internal mode there is a maximum limit of 1023 keys. By default when encryption is enabled on the system, the key rotation period is set to 30 days. Users can later change the key rotation period from 7 days to 70 years, while configuring internal mode of encryption. • Performance Impacts - Encryption should have minimal to zero impact on both backup and restore workflows. It should also have no impact on the replication workflows. • Replication - Encryption must be enabled on both the source and target DR Series systems to store encrypted data on the systems. This means that encrypted data on the source does not automatically imply that when it is replicated to the target it will be encrypted unless encryption is explicitly turned 'ON' on the target DR Series system. • Seeding - Encryption must be enabled on both the source and target DR Series systems to store encrypted data on the systems. If seeding is configured for encryption, then the data will be re-encrypted and stored. When the data stream is imported onto the target from the seed device, the stream will be encrypted as per the target policy and stored. • Security Considerations for Passphrase and Key Management - - A passphrase is very important part of the encryption process on the DR Series system as the passphrase is used to encrypt the content encryption key or keys. If the passphrase is compromised or lost, the administrator should change it immediately so that the content encryption keys do not become vulnerable. - The administrator should closely consider security requirements to drive the decision for selecting the mode of key management for the DR Series system. - The Internal mode is more secure than the Static mode since the keys are periodically changed. Key rotation can be set to 7 days minimum. - Key modes can be changed at any time during the lifetime of the DR Series system; however, changing the key mode is a significant operation to undertake as all encrypted data must be re-encrypted. - Content encryption keys are stored in their encrypted form in a primary keystore, which is maintained on the same enclosure as the data-stores. For redundancy purposes, a backup copy of the primary keystore is stored on the system in the root partition, separate from the data-store partitions. Understanding the Encryption Process The overall steps for how Encryption at Rest is enabled and used in the DR Series system are described below. 1. Setting a passphrase. Encryption is disabled by default on a factory installed DR Series system (running version 3.2 software or later) or a DR Series system that has been upgraded to version 3.2 from a previously released version. The administrator must set a passphrase as the first step in configuring encryption. This passphrase is used to encrypt the content encryption keys, which adds a second layer of security to the key management. 2. Enabling encryption and setting the mode. The administrator should enable encryption by using the GUI or CLI. At this time, the mode is also set. The default key management mode is "internal" mode, in which key rotation happens periodically as specified by the set key rotation period. 146

Section	Page
Dell DR Series System Administrator Guide	3
Introduction to the DR Series System Documentation	10
About the DR Series System GUI Documentation	10
What's New In This Release	10
Other Information You May Need	10
Source Code Availability	11
Understanding the DR Series System	12
About the DR Series System	13
DR Series Data Storage Concepts	14
Data Deduplication and Compression	14
Encryption at Rest	15
Streams vs. Connections	15
Replication	15
Replication Seeding	16
Reverse Replication	17
Reverse Replication: Alternate Method	18
Supported File System and Tape Access Protocols	18
NFS	18
CIFS	19
CIFS ACL Support	19
Access Control List Support in Containers	19
Unix Permissions Guidelines	20
Windows Permissions Guidelines	21
Rapid NFS and Rapid CIFS	21
DR Rapid for the DR Series System	22
RDA with OST for the DR Series System	22
Software Components and Operational Guidelines	23
Supported Virtual Tape Library Access Protocols	23
NDMP	24
iSCSI	24
DR Series System Hardware and Data Operations	24
DR Series Expansion Shelf	25
Understanding the Process for Adding a DR Series Expansion Shelf	26
Supported Software and Hardware	26
Terminal Emulation Applications	27
DR Series Hardware System — Expansion Shelf Cabling	27
Adding a DR Series Hardware System Expansion Shelf	29
Setting Up the DR Series System Hardware	30
Interacting with the DR Series System	30
Networking Preparations for the DR Series System	30
Connections for Initializing a DR Series System	31
Initializing the DR Series System	31
Default IP Address and Subnet Mask Address	32
Local Console Connection	33
iDRAC Connection	34
Logging in and Initializing the DR Series System	35
Accessing iDRAC6/iDRAC7 Using RACADM	36
Logging in Using a Web Interface for the First Time	36
Registering a DR Series System	39
Enabling Active Scripting in Windows IE Browsers	39
Disabling the Compatibility View Settings	40
Configuring the DR Series System Settings	41
Configuring Networking Settings	41
Networking Page and Ethernet Port Values	44
Managing the DR Series System Password	45
Modifying the System Password	45
Resetting the Default System Password	45
Shutting Down the DR Series System	46
Rebooting the DR Series System	46
Configuring Active Directory Settings	47
Configuring Local Workgroup Users Settings	48
Configuring Email Alert Settings	48
Adding a Recipient Email Address	48
Editing or Deleting a Recipient Email Address	49
Sending a Test Message	49
Configuring Administrator Contact Information	50
Adding Administrator Contact Information	50
Editing Administrator Contact Information	51
Managing Passwords	51
Modifying the System Password	51
Modifying Password Reset Options	51
Configuring an Email Relay Host	52
Adding an Email Relay Host	52
Editing an Email Relay Host	52
Configuring System Date and Time Settings	53
Editing System Date and Time Settings	53
Understanding Containers	54
Configuring Share-Level Security	54
Managing DR Series Storage Operations	56
Understanding the Storage Page and Options	56
Understanding the Storage Options	57
Containers	57
Replication Page	58
Encryption	58
Clients	58
Managing Container Operations	61
Creating Storage Containers	61
Editing Container Settings	65
Deleting Containers	66
Moving Data Into a Container	66
Displaying Container Statistics	67
Managing Replication Operations	69
TCP Port Configuration	69
Before you Begin	69
Creating Replication Relationships	70
Modifying Replication Relationships	70
Deleting Replication Relationships	71
Starting and Stopping Replication	71
Adding a Cascaded Replica	72
Displaying Replication Statistics	72
Creating a Replication Schedule	73
Managing Encryption Operations	74
Setting or Changing the Passphrase	74
Enabling Encryption	75
Changing Encryption Settings	75
Disabling Encryption	76
Monitoring the DR Series System	77
Monitoring Operations Using the Dashboard Page	77
System Status Bar	77
DR Series System and the Capacity-Storage Savings-Throughput Panes	78
System Information Pane	78
Monitoring System Alerts	79
Using the Dashboard Alerts Page	79
Viewing the System Alerts	79
Monitoring System Events	80
Using the Dashboard to Display System Events	80
Using the Dashboard Events Option	81
Using the Event Filter	81
Monitoring System Health	82
Using the Dashboard Page to Monitor System Health	82
Using the Dashboard Health Options	83
Monitoring System Usage	84
Displaying Current System Usage	84
Setting a Latest Range Value	85
Setting a Time Range Value	85
Monitoring Container Statistics	85
Displaying the Container Statistics Page	86
Monitoring Replication Statistics	87
Displaying the Replication Statistics Page	87
Displaying Replication Statistics Using the CLI	88
Using Global View	90
About Global Views	90
Prerequisites	90
Configuring Active Directory Settings	91
Adding a Login Group in an ADS Domain	92
About the Global View Page	92
Global View Summary	93
Appliance List	94
Navigating in Global View	95
Adding a DR Series System to Global View	96
Removing a DR Series System from Global View	96
Reconnecting DR Series Systems	96
Using the Reconnect Report	97
Using the DR Series System Support Options	98
Support Information Pane	98
Diagnostics Page and Options	98
Generating a Diagnostics Log File	99
Downloading Diagnostics Log Files	100
Deleting a Diagnostics Log File	101
DR Series System Software Upgrade	101
Software Upgrade Page and Options	101
Verifying the Current Software Version	102
Upgrading the DR Series System Software	102
SSL Page and Options	103
Installing an SSL Certificate	103
Resetting the SSL Certificate	103
Generating a CSR	104
Restore Manager (RM)	104
Downloading the Restore Manager	105
Creating the Restore Manager USB Key	105
Running the Restore Manager (RM)	106
Resetting the Boot LUN Setting in PERC H700 BIOS After Running RM	106
Hardware Removal or Replacement	107
DR Series System: Proper Shut Down and Start Up	107
DR Series System NVRAM	107
Configuring and Using Rapid NFS and Rapid CIFS	109
Rapid NFS and Rapid CIFS Benefits	109
Best Practices: Rapid NFS	109
Best Practices: Rapid CIFS	111
Setting Client-Side Optimization	111
Installing the Rapid NFS Plug-In	112
Installing the Rapid CIFS Plug-In	113
Determining If Your System Is Using Rapid NFS or Rapid CIFS	113
Viewing the Rapid NFS and Rapid CIFS Logs	114
Viewing Rapid NFS Logs	114
Viewing Rapid CIFS Logs	114
Monitoring Performance	114
Uninstalling the Rapid NFS Plug-In	115
Uninstalling the Rapid CIFS Plug-In	115
Configuring and Using Rapid Data Access with Dell NetVault Backup and with Dell vRanger	116
Overview	116
Guidelines for using RDA with NetVault Backup and with vRanger	117
Best Practices: RDA with NetVault Backup and vRanger and the DR Series System	117
Setting Client-Side Optimization	117
Adding RDS Devices in NetVault Backup	118
Removing RDS Devices From NetVault Backup	118
Backing Up Data on the RDS Container Using NetVault Backup	119
Replicating Data to a RDS Container using NetVault Backup	119
Restoring Data From a DR Series System using NetVault Backup	120
Supported DR Series System CLI Commands for RDS	121
Configuring and Using RDA with OST	122
Understanding RDA with OST	122
Guidelines	123
Terminology	123
Supported RDA with OST Software and Components	124
Best Practices: RDA with OST and the DR Series System	124
Setting Client-Side Optimization	124
Configuring an LSU	125
Installing the RDA with OST Plug-In	125
Understanding the RDA with OST Plug-In (Linux)	125
Understanding the RDA with OST Plug-In (Windows)	126
Installing the RDA with OST Plug-In for Backup Exec on Windows	126
Installing the RDA with OST Plug-In for NetBackup on Windows	127
Uninstalling the RDA with OST Plug-In for Windows	127
Installing the RDA with OST Plug-In for NetBackup on Linux	128
Uninstalling the RDA with OST Plug-In for Linux	128
Configuring DR Series System Information Using NetBackup	129
Using NetBackup CLI to Add DR Series System Name (Linux)	129
Using NetBackup CLI to Add DR Series System Name (Windows)	129
Configuring NetBackup for the DR Series System	129
Configuring NetBackup for Optimized Synthetic Backups	130
Creating Disk Pools From LSUs	131
Creating Storage Units Using the Disk Pool	131
Backing Up Data From a DR Series System (NetBackup)	132
Restoring Data From a DR Series System Using NetBackup	132
Duplicating Backup Images Between DR Series Systems Using NetBackup	132
Using Backup Exec With a DR Series System (Windows)	133
RDA with OST Plug-In and Supported Versions	133
Installation Prerequisites for the RDA with OST Plug-In for Backup Exec	133
Configuring the DR Series System Using the Backup Exec GUI	133
Creating Backups on the DR Series System Using Backup Exec	134
Optimizing Duplication Between DR Series Systems Using Backup Exec	134
Restoring Data from a DR Series System Using Backup Exec	135
Understanding the OST CLI Commands	135
Supported DR Series System CLI Commands for RDA with OST	136
Understanding RDA with OST Plug-In Diagnostic Logs	137
Rotating RDA with OST Plug-In Logs for Windows	137
Collecting Diagnostics Using a Linux Utility	137
Rotating RDA with OST Plug-In Logs for Linux	138
Guidelines for Gathering Media Server Information	138
NetBackup on Linux Media Servers	138
NetBackup on Windows Media Servers	139
Backup Exec on Windows Media Servers	139
Configuring and Using VTL	141
Understanding VTL	141
Terminology	141
Supported Virtual Tape Library Access Protocols	141
NDMP	142
iSCSI	142
VTL and DR Series Specifications	142
Guidelines for Configuring VTL	143
Configuring and Using Encryption at Rest	145
Understanding Encryption at Rest	145
Encryption at Rest Terminology	145
Encryption at Rest and DR Series Considerations	146
Understanding the Encryption Process	146
Troubleshooting and Maintenance	148
Troubleshooting Error Conditions	148
DR Series System Alert and Event Messages	148
About the Diagnostics Service	177
Understanding Diagnostics Collection	178
About the DR Series System Maintenance Mode	178
Scheduling DR Series System Operations	180
Creating a Cleaner Schedule	180
Displaying Cleaner Statistics	181
Supported Ports in a DR Series System	183
Getting Help	185
Before Contacting Dell Support	185

Match case Limit results 1 per page

Term

Description

days. This rotation period is user-configurable and can be specified in

days.

Encryption at Rest and DR Series Considerations

This topic describes key features and considerations of using Encryption at Rest in the DR Series system.

•

Key Management

— In internal mode there is a maximum limit of 1023 keys. By default when encryption is enabled

on the system, the key rotation period is set to 30 days. Users can later change the key rotation period from 7 days to

70 years, while configuring internal mode of encryption.

•

Performance Impacts —

Encryption should have minimal to zero impact on both backup and restore workflows.

It should also have no impact on the replication workflows.

•

Replication

— Encryption must be enabled on both the source and target DR Series systems to store encrypted data

on the systems. This means that encrypted data on the source does not automatically imply that when it is replicated

to the target it will be encrypted unless encryption is explicitly turned ‘ON’ on the target DR Series system.

•

Seeding

— Encryption must be enabled on both the source and target DR Series systems to store encrypted data on

the systems. If seeding is configured for encryption, then the data will be re-encrypted and stored. When the data

stream is imported onto the target from the seed device, the stream will be encrypted as per the target policy and

stored.

•

Security Considerations for Passphrase and Key Management

—

–

A passphrase is very important part of the encryption process on the DR Series system as the passphrase is

used to encrypt the content encryption key or keys. If the passphrase is compromised or lost, the administrator

should change it immediately so that the content encryption keys do not become vulnerable.

–

The administrator should closely consider security requirements to drive the decision for selecting the mode of

key management for the DR Series system.

–

The Internal mode is more secure than the Static mode since the keys are periodically changed. Key rotation

can be set to 7 days minimum.

–

Key modes can be changed at any time during the lifetime of the DR Series system; however, changing the key

mode is a significant operation to undertake as all encrypted data must be re-encrypted.

–

Content encryption keys are stored in their encrypted form in a primary keystore, which is maintained on the

same enclosure as the data-stores. For redundancy purposes, a backup copy of the primary keystore is stored

on the system in the root partition, separate from the data-store partitions.

Understanding the Encryption Process

The overall steps for how Encryption at Rest is enabled and used in the DR Series system are described below.

Setting a passphrase.

Encryption is disabled by default on a factory installed DR Series system (running version 3.2 software or later) or a

DR Series system that has been upgraded to version 3.2 from a previously released version.

The administrator must set a passphrase as the first step in configuring encryption. This passphrase is used to

encrypt the content encryption keys, which adds a second layer of security to the key management.

Enabling encryption and setting the mode.

The administrator should enable encryption by using the GUI or CLI. At this time, the mode is also set. The default

key management mode is “internal” mode, in which key rotation happens periodically as specified by the set key

rotation period.

146