5 1 0:Encrypting Si3 Deduplication Store

From SEPsesam
Revision as of 15:54, 19 December 2023 by Jus (talk | contribs) (implemented feedback from KAD)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Other languages:


Docs latest icon.png Welcome to the latest SEP sesam documentation version 5.1.0 Apollon. For previous documentation version(s), check documentation archive.


Overview


SEP sesam v. 5.0.0 Jaglion has introduced a new generation Si3 deduplication store. The Si3-related information differs slightly depending on which datastore is used: Si3 V1 or Si3. The procedures presented in this article apply only to the Si3 deduplication store. To learn how encryption works with old-generation Si3 V1, see Encrypting Si3 Deduplication Store.

Si3 encryption for Si3 deduplication store is one of the SEP sesam encryption types (also available are backup task encryption and LTO encryption). SEP sesam provides encryption for Si3 deduplication to help ensure compliance with data protection legislation. It can be enabled simply by specifying and confirming the encryption password.

The following rules apply when specifying the Si3 encryption password.

Password rules

  • Without the password, the data on the Si3 data store cannot be read.
  • If an incorrect password is used, the Si3 data store terminates immediately after the password is checked.
  • The encryption password can be changed if the encryption status is successful, see section Changing the Si3 encryption password.

After you enable encryption, the newly added data and the existing data are encrypted during the regular GC started by SEP sesam Server.

Configuring Si3 encryption

Setting the encryption password is easy as you only need to specify it directly in the first drive properties.

  1. From Main selection -> Components, click Data Stores to display the data store contents frame.
  2. Select the already configured Si3 deduplication store and double-click it to open the properties.
  3. Si3 NG click drive.jpg
  4. Under the Data Store properties, double-click the first drive of the Si3 deduplication store. The Drive Properties window opens.
    Si3 NG drive-encryption blocky.jpg
  5. In the Encryption password field, specify the encryption password and repeat it.
  6. Click OK to set up the encryption password.

Once encryption is enabled, the newly added data and all previously existing data gets encrypted.

Changing the Si3 encryption password

It is possible to change the encryption password if the encryption status is successful (Encryption process status: OK). When you set up a new encryption password, the data is first decrypted with the previous password and then re-encrypted with a new password. Re-encryption is allowed only if the encryption status is as follows: Encryption process status: One password for all DDLs.

The procedure for changing the Si3 encryption password in the current SEP sesam version is the same as the procedure for setting the encryption password in the drive properties.

  1. From Main selection -> Components, click Data Stores to display the data store contents frame.
  2. Select already configured Si3 deduplication store and double-click it to open the properties.
  3. Under the Data Store properties, double-click the first drive of the Si3 deduplication store. The Drive Properties window opens.
  4. In the Encryption password field, type and repeat a new encryption password.
  5. Click OK to set up a new encryption password.

Encryption behavior during SDS replication

Si3 encryption is implemented in the file system as a read-write operation. Consequently, internal processing works with the raw data. When replicating an encrypted store, the data is not transferred to the RDS in encrypted state. The data is first decrypted on the source Si3 and then re-encrypted on the target Si3.
To ensure absolute security during replication from the source Si3 to the target Si3, a secure VPN connection must be used for communication.

Checking the encryption status

GUI
You can check the encryption status of your data store in the GUI by double-clicking the data store to open its properties, and then selecting the Si3 State tab in the data store properties. Look for the Encryption process status row.
Web UI
You can also check the status in SEP sesam Web UI: Open the Web UI -> Monitoring -> Data Stores, and then click the name of the particular data store to view its properties. Make sure you are using Web UI in advanced mode (check View at the bottom left of the navigation), as only in this mode you can see the Detailed Status option and check the details of the datastore, including the status of the encryption (row) Encryption process status. For more details, see SEP sesam Web UI.
SEP Tip.png Tip
You can use Si3 to set up SEP Immutable Storage (Si-Storage or SiS) to prevent ransomware attacks on backups. With SiS, stored data remains in its original and unaltered form throughout its lifetime. For details, see SEP Immutable Storage - SiS.


See also

Configuring Si3 Deduplication StoreSEP Immutable Storage - SiSEncryption Support MatrixBackup-task EncryptionLTO Encryption

Copyright © SEP AG 1999-2024. All rights reserved.
Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.