Encrypting Si3 Deduplication Store

From SEPsesam
Jump to: navigation, search
Other languages:
Deutsch • ‎English

Copyright © SEP AG 1999-2018. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Docs latest icon.png Welcome to the latest SEP sesam documentation version 4.4.3 Tigon. For previous documentation version(s), check documentation archive.


Si3 encryption for Si3 deduplication store is one of the SEP sesam encryption types (also available are software-based and LTO encryption), introduced in v. 4.4.3 Tigon. SEP sesam provides encryption for Si3 deduplication to help ensure compliance with data protection legislation.

The administrator must create the deduplication security encryption key, which should only be known to the SEP sesam Server. If the encryption key is not available, the Si3 encrypted data cannot be read.

Configuring Si3 encryption

Si3 data encryption is set by creating a deduplication security password file that contains only the password. This file must then be specified in the relevant drive properties. The operating systems's own file protection services (file system permissions, encrypted file system) must be used to ensure that only the administrator and SEP sesam software can access the password file. For this, a special user running the SEP sesam service must have access to the password file.

Information sign.png Note
  • The password can only be set once at the beginning and cannot be changed.
  • Without the password, the data on the Si3 data store cannot be read. If the password is lost, the data on Si3 is also lost!
  • If an incorrect password is used, the Si3 data store terminates immediately after checking the password.
  • After enabling encryption, only the newly added data is encrypted. Existing data remains unencrypted by default, but can be encrypted later with the command below. Such subsequent encryption with gc recreate all can take a long time depending on the occupancy level of the data store (check the size of the occupied data store space – the Filled parameter).
sm_dedup_interface -d <drive_number> gc recreate all

Example: Gc recreate.jpg


  1. Create a password file that contains only the password. For example: C:/ProgramData/SEPsesam/var/ini/stpd_conf/my_dedup_store.pass.
  2. From Main selection -> Components, click Data Stores to display the data store contents frame.
  3. Select the preconfigured Si3 deduplication store and double-click it to open the properties.
  4. Under the Data Store properties, double-click the first drive of the Si3 deduplication store. The Drive Properties window opens.
    Si3 encryption Tigon.jpg
  5. Under Options, specify the deduplication security password file you created before. The path to the password file must be specified with slashes, backslashes must not be used. For example:
    Click OK to configure Si3 encryption. After enabling encryption, only the newly added data is encrypted. Existing data remains unencrypted by default, but can be encrypted later with the gc recreate all.

Si3 is then restarted. You can use the sm_dedup_interface to check the encryption status.

Sm dedup interface.png