Encrypting Si3 Deduplication Store

From SEPsesam
Jump to: navigation, search
Other languages:
Deutsch • ‎English

Copyright © SEP AG 1999-2019. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Docs latest icon.png Welcome to the latest SEP sesam documentation version 4.4.3 Tigon/4.4.3 Beefalo. For previous documentation version(s), check documentation archive.


Overview

Si3 encryption for Si3 deduplication store is one of the SEP sesam encryption types (also available are backup-task encryption and LTO encryption). SEP sesam provides encryption for Si3 deduplication to help ensure compliance with data protection legislation. This encryption type was introduced in v. 4.4.3 Tigon and was simplified in the process, thus it can simply be enabled by specifying and confirming the encryption password.

The following rules apply when setting the Si3 encryption password.

Password rules

  • Without the password, the data on the Si3 data store cannot be read.
  • If an incorrect password is used, the Si3 data store terminates immediately after checking the password.
  • The encryption password can be changed in all newer SEP sesam versions (as of v. 4.4.3 Grolar) if the encryption status is successful, however, in the older SEP sesam version 4.4.3 Tigon the password could only be set once at the beginning and could not be changed.
    How to change the password is described in the section Changing Si3 encryption password.
  • After enabling encryption, only the newly added data is encrypted. Existing data remains unencrypted by default, but can be encrypted later by using the command gc recreate all as shown below. Such subsequent encryption can take a long time depending on the occupancy level of the data store (check the size of the occupied data store space – the Filled parameter).
  • sm_dedup_interface -d <drive_number> gc recreate all
    

    Example: Gc recreate.jpg


Configuring Si3 encryption

This procedure differs depending on the SEP sesam version you use:

Setting the encryption password in the drive properties

As of 4.4.3 Beefalo, setting the encryption password is easy as you only need to specify it directly in the first drive properties.

  1. From Main selection -> Components, click Data Stores to display the data store contents frame.
  2. Select the preconfigured Si3 deduplication store and double-click it to open the properties.
  3. Under the Data Store properties, double-click the first drive of the Si3 deduplication store. The Drive Properties window opens.
    Si3 drive properties.jpg
  4. In the Encryption Password field, specify the encryption password and repeat it.
  5. Click OK to set up the encryption password.

Once the encryption is enabled, only the newly added data is encrypted while any previously existing data remains unencrypted by default.

SEP Tip.png Tip
You can encrypt any previously existing data later with the gc recreate all.

To check the encryption status, click the Si3 State tab in the data store properties.

Creating an external password file

For older versions 4.4.3 Tigon–Grolar, the administrator must create the deduplication security encryption key, which should only be known to the SEP sesam Server. If the encryption key is not available, the Si3 encrypted data cannot be read.

In versions 4.4.3 Tigon–Grolar, the Si3 data encryption key is set by creating a deduplication security password file that contains only the password. This file must then be specified in the relevant drive properties. The operating systems's own file protection services (file system permissions, encrypted file system) must be used to ensure that only the administrator and SEP sesam software can access the password file. For this, a special user running the SEP sesam service must have access to the password file.

  1. Create a password file that contains only the password. For example: C:/ProgramData/SEPsesam/var/ini/stpd_conf/my_dedup_store.pass.
  2. From Main selection -> Components, click Data Stores to display the data store contents frame.
  3. Select the preconfigured Si3 deduplication store and double-click it to open the properties.
  4. Under the Data Store properties, double-click the first drive of the Si3 deduplication store. The Drive Properties window opens.
    Si3 encryption Tigon.jpg
  5. Under Options, specify the deduplication security password file you created before. The path to the password file must be specified with slashes, backslashes must not be used. For example:
    dedup.security.passwdfile="C:/ProgramData/SEPsesam/var/ini/stpd_conf/my_dedup_store.pass".
    Click OK to configure the Si3 encryption. After enabling encryption, only the newly added data is encrypted. Existing data remains unencrypted by default, but can be encrypted later with the gc recreate all.

Si3 is then restarted. You can use the sm_dedup_interface to check the encryption status.

Sm dedup interface.png
As of SEP sesam v. 4.4.3 Grolar, you can also check the encryption status under the data store properties, by clicking the Si3 State tab.

Si3 state tab.jpg

Changing Si3 encryption password (≥ 4.4.3 Grolar)

As of v. 4.4.3 Grolar, it is possible to change the encryption password if the encryption status is successful (Encryption process status: OK). By setting up a new encryption password, first the data is decrypted with the previous password and then encrypted again with a new password. The re-encryption is only allowed if the encryption status is as follows: Encryption process status: One password for all DDLs.

The procedure of changing the Si3 encryption password in the current SEP sesam version is the same as the procedure for setting the encryption password in the drive properties.

Steps

  1. From Main selection -> Components, click Data Stores to display the data store contents frame.
  2. Select the preconfigured Si3 deduplication store and double-click it to open the properties.
  3. Under the Data Store properties, double-click the first drive of the Si3 deduplication store. The Drive Properties window opens.
  4. In the Encryption Password field, specify a new encryption password and repeat it.
  5. Click OK to set up a new encryption password.

Encryption behavior during SDS replication

The Si3 encryption is implemented in the file system read-write method. As a consequence, the internal processing works with the raw data. When replicating an encrypted store, the data is not transferred to the RDS in the encrypted state. The data is first decrypted on the source Si3 and then re-encrypted on the target Si3.
To guarantee absolute security during replication from source Si3 to target Si3, a secure VPN connection must be used for communication.