Dell DR2000v DR Series System Administrator Guide - Page 147

Encryption at Rest and DR Series Considerations, Understanding the Encryption Process

Get Dell DR2000v PDF manuals and user guides View all Dell DR2000v manuals
Add to My Manuals
Save this manual to your list of manuals

Page 147 highlights

Term Internal mode Description A mode of key lifecycle management in which the keys are periodically generated and rotated. The minimum key rotation period before the content encryption key can be rotated and a new key is generated is 7 days. This rotation period is user-configurable and can be specified in days. Encryption at Rest and DR Series Considerations This topic describes key features and considerations of using Encryption at Rest in the DR Series system. • Key Management - In internal mode there is a maximum limit of 1023 keys. By default when encryption is enabled on the system, the key rotation period is set to 30 days. Users can later change the key rotation period from 7 days to 70 years, while configuring internal mode of encryption. • Performance Impacts - Encryption should have minimal to zero impact on both backup and restore workflows. It should also have no impact on the replication workflows. • Replication - Encryption must be enabled on both the source and target DR Series systems to store encrypted data on the systems. This means that encrypted data on the source does not automatically imply that when it is replicated to the target it will be encrypted unless encryption is explicitly turned 'ON' on the target DR Series system. • Seeding - Encryption must be enabled on both the source and target DR Series systems to store encrypted data on the systems. If seeding is configured for encryption, then the data will be re-encrypted and stored. When the data stream is imported onto the target from the seed device, the stream will be encrypted as per the target policy and stored. • Security Considerations for Passphrase and Key Management - - A passphrase is very important part of the encryption process on the DR Series system as the passphrase is used to encrypt the content encryption key or keys. If the passphrase is compromised or lost, the administrator should change it immediately so that the content encryption keys do not become vulnerable. - The administrator should closely consider security requirements to drive the decision for selecting the mode of key management for the DR Series system. - The Internal mode is more secure than the Static mode since the keys are periodically changed. Key rotation can be set to 7 days minimum. - Key modes can be changed at any time during the lifetime of the DR Series system; however, changing the key mode is a significant operation to undertake as all encrypted data must be re-encrypted. - Content encryption keys are stored in their encrypted form in a primary keystore, which is maintained on the same enclosure as the data-stores. For redundancy purposes, a backup copy of the primary keystore is stored on the system in the root partition, separate from the data-store partitions. Understanding the Encryption Process The overall steps for how Encryption at Rest is enabled and used in the DR Series system are described below. 1. Setting a passphrase. Encryption is disabled by default on a factory installed DR Series system (running version 3.2 software or later) or a DR Series system that has been upgraded to version 3.2 from a previously released version. 147

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
Term
Description
Internal mode
A mode of key lifecycle management in which the keys are periodically
generated and rotated. The minimum key rotation period before the
content encryption key can be rotated and a new key is generated is 7
days. This rotation period is user-configurable and can be specified in
days.
Encryption at Rest and DR Series Considerations
This topic describes key features and considerations of using Encryption at Rest in the DR Series system.
Key Management
— In internal mode there is a maximum limit of 1023 keys. By default when encryption is enabled
on the system, the key rotation period is set to 30 days. Users can later change the key rotation period from 7 days to
70 years, while configuring internal mode of encryption.
Performance Impacts —
Encryption should have minimal to zero impact on both backup and restore workflows.
It should also have no impact on the replication workflows.
Replication
— Encryption must be enabled on both the source and target DR Series systems to store encrypted data
on the systems. This means that encrypted data on the source does not automatically imply that when it is replicated
to the target it will be encrypted unless encryption is explicitly turned ‘ON’ on the target DR Series system.
Seeding
— Encryption must be enabled on both the source and target DR Series systems to store encrypted data on
the systems. If seeding is configured for encryption, then the data will be re-encrypted and stored. When the data
stream is imported onto the target from the seed device, the stream will be encrypted as per the target policy and
stored.
Security Considerations for Passphrase and Key Management
A passphrase is very important part of the encryption process on the DR Series system as the passphrase is
used to encrypt the content encryption key or keys. If the passphrase is compromised or lost, the administrator
should change it immediately so that the content encryption keys do not become vulnerable.
The administrator should closely consider security requirements to drive the decision for selecting the mode of
key management for the DR Series system.
The Internal mode is more secure than the Static mode since the keys are periodically changed. Key rotation
can be set to 7 days minimum.
Key modes can be changed at any time during the lifetime of the DR Series system; however, changing the key
mode is a significant operation to undertake as all encrypted data must be re-encrypted.
Content encryption keys are stored in their encrypted form in a primary keystore, which is maintained on the
same enclosure as the data-stores. For redundancy purposes, a backup copy of the primary keystore is stored
on the system in the root partition, separate from the data-store partitions.
Understanding the Encryption Process
The overall steps for how Encryption at Rest is enabled and used in the DR Series system are described below.
1.
Setting a passphrase.
Encryption is disabled by default on a factory installed DR Series system (running version 3.2 software or later) or a
DR Series system that has been upgraded to version 3.2 from a previously released version.
147