4 4 3 Grolar:Encrypting Si3 Deduplication Store
Overview
SEP sesam v. 5.0.0 Jaglion has introduced a new generation Si3 deduplication store. The Si3-related information differs slightly depending on which datastore is used: Si3 V1 or Si3. The procedures presented in this article apply only to the older type of SEP Si3 V1 deduplication store, which will soon be obsolete. To learn how encryption works with the new generation of Si3, see Encrypting Si3 Deduplication Store.
Si3 encryption for Si3 V1 deduplication store is one of the SEP sesam encryption types (also available are backup-task encryption and LTO encryption). SEP sesam provides encryption for Si3 V1 deduplication to help ensure compliance with data protection legislation. It can be enabled simply by specifying and confirming the encryption password.
The following rules apply to setting the Si3 encryption password.
Password rules
- Without the password, the data on the Si3 V1 data store cannot be read.
- If an incorrect password is used, the Si3 V1 data store terminates immediately after the password is checked.
- The encryption password can be changed if the encryption status is successful, see the section Changing Si3 encryption password.
- After enabling encryption, only the newly added data is encrypted. Existing data remains unencrypted by default, but can be encrypted later with the command gc recreate all as shown below. Such subsequent encryption can take a long time depending on the occupancy level of the data store (check the size of the occupied data store space – the Filled parameter).
sm_dedup_interface -d <drive_number> gc recreate all
Configuring Si3 encryption
Setting the encryption password is easy: you only need to specify it in the properties of the first drive.
- From Main selection -> Components, click Data Stores to display the data store contents frame.
- Select the preconfigured Si3 deduplication store and double-click it to open the properties.
- Under the Data Store properties, double-click the first drive of the Si3 V1 deduplication store. The Drive Properties window opens.
- In the Encryption password field, specify the encryption password and repeat it. Click OK to set up the encryption password.
Once encryption is enabled, only the newly added data is encrypted while all previously existing data remains unencrypted by default.
Tip: You can encrypt all existing data later with the gc recreate all command.
To check the encryption status, click the Si3 State tab in the data store properties.
Changing Si3 encryption password
It is possible to change the encryption password if the encryption status is successful (Encryption process status: OK). When you set up a new encryption password, the data is first decrypted with the previous password and then re-encrypted with a new password. Re-encryption is only allowed if the encryption status is as follows: Encryption process status: One password for all DDLs.
The procedure for changing the Si3 encryption password in the current SEP sesam version is the same as the procedure for setting the encryption password in the drive properties.
- From Main selection -> Components, click Data Stores to display the data store contents frame.
- Select the preconfigured Si3 deduplication store and double-click it to open the properties.
- Under the Data Store properties, double-click the first drive of the Si3 deduplication store. The Drive Properties window opens.
- In the Encryption password field, specify a new encryption password and repeat it. Click OK to set up a new encryption password.
Encryption behavior during SDS replication
Si3 encryption is implemented in the file system read-write method. As a result, internal processing works with the raw data.
When replicating an encrypted store, the data is not transferred to the RDS in encrypted state. The data is first decrypted on the source Si3 and then re-encrypted on the target Si3.
To ensure absolute security during replication from the source Si3 to the target Si3, a secure VPN connection must be used for communication.
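Because the data leaves the source Si3 decrypted, it is worth confirming before replication that the route to the target actually uses the VPN tunnel. The following pre-flight check is an added example, not part of SEP sesam or of the original article; the interface names (wg0, tun0), the sample addresses and the function names are assumptions to adapt to your environment.

```shell
#!/bin/sh
# Added example, not SEP sesam code: check that the route to the replication
# target leaves through a VPN tunnel interface before replicating.

# Allowlist of local VPN tunnel interfaces (assumption; set to your site's names).
VPN_IFACES='wg0 tun0'

# Constructed samples of `ip -o route get <addr>` output, not from a real host.
SAMPLE_VPN='10.8.0.20 dev wg0 src 10.8.0.1 uid 0 \    cache'
SAMPLE_CLEAR='192.0.2.10 via 198.51.100.1 dev eth0 src 198.51.100.5 uid 0 \    cache'

# Print the egress interface named after "dev" in route output (empty if none).
egress_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed only if the interface is on the VPN allowlist (exact match).
is_vpn_dev() {
    for ifc in $VPN_IFACES; do
        [ "$1" = "$ifc" ] && return 0
    done
    return 1
}

# Print "vpn <dev>", "clear <dev>" or "unknown" for one route lookup result.
classify_route() {
    dev=$(egress_dev "$1")
    if [ -z "$dev" ]; then
        echo "unknown"
    elif is_vpn_dev "$dev"; then
        echo "vpn $dev"
    else
        echo "clear $dev"
    fi
}

# Live check for a target address; non-zero unless the path uses a VPN interface.
preflight() {
    route=$(ip -o route get "$1" 2>/dev/null) || route=''
    verdict=$(classify_route "$route")
    echo "replication target $1: $verdict"
    case "$verdict" in
        vpn\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh preflight.sh <target-RDS-address>
if [ "$#" -gt 0 ]; then preflight "$1" || exit 1; fi
```

Policy-based IPsec setups that do not create a tunnel interface will show the physical NIC as the egress device, so this check reports them as "clear"; verify those with the VPN software's own status tools instead.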