4 4 3 Grolar:Encrypting Si3 Deduplication Store: Difference between revisions

From SEPsesam
(Corrected software-based encryption to backup-task encryption.)
(Marked this version for translation)
 
(16 intermediate revisions by 2 users not shown)
Line 1: Line 1:
__FORCETOC__
<translate>
<translate>
<!--T:1-->
<!--T:1-->
Line 5: Line 4:


<!--T:31-->
<!--T:31-->
{{Copyright SEP AG|en}}
{{Copyright}}


<!--T:2-->
<!--T:2-->
{{Navigation_latest|release=[[Special:MyLanguage/SEP_sesam_Release_Versions|4.4.3 ''Tigon''/4.4.3 ''Grolar'']]|link=[[Special:MyLanguage/SEP_sesam_Documentation#previous|documentation archive]]}}</div></translate>
{{Release-Grolar}}</div></translate><br />
 


<translate>==Overview== <!--T:3--></translate>
<translate>==Overview== <!--T:3--></translate>
Line 19: Line 17:
<translate><!--T:21-->
<translate><!--T:21-->
[[File:SEP_next.png|45px|link=
[[File:SEP_next.png|45px|link=
Special:MyLanguage/4_4_3_Grolar:Configuring_Si3_Deduplication_Store|Configuring an Si3 Deduplication Store]]</translate>
Special:MyLanguage/Configuring_Si3_Deduplication_Store|Configuring an Si3 Deduplication Store]]</translate>
| style="padding:0px 40px 0px 10px; color: grey; font-size: 90%; text-align:left;" |<translate>
| style="padding:0px 40px 0px 10px; color: grey; font-size: 90%; text-align:left;" |<translate>
<!--T:5-->
<!--T:5-->
See also: [[Special:MyLanguage/4_4_3_Grolar:Configuring_Si3_Deduplication_Store|Configuring an Si3 Deduplication Store]] – [[Special:MyLanguage/4_4_3_Beefalo:Encryption_Support_Matrix|Encryption Support Matrix]] –  [[Special:MyLanguage/The_Backup_4.4#Encryption|Backup-task Encryption]] – [[Special:MyLanguage/LTO_Encryption|LTO Encryption]] </translate>
See also: [[Special:MyLanguage/Configuring_Si3_Deduplication_Store|Configuring Si3 Deduplication Store]] – [[Special:MyLanguage/Encryption_Support_Matrix|Encryption Support Matrix]] –  [[Special:MyLanguage/4_4_3_Beefalo:Backup#encryption|Backup-task Encryption]] – [[Special:MyLanguage/LTO_Encryption|LTO Encryption]] </translate>
|}
|}


Line 34: Line 32:
{|style="margin: auto; margin-bottom:1em; width:100%; border:0px solid grey;"
{|style="margin: auto; margin-bottom:1em; width:100%; border:0px solid grey;"
| rowspan="2" style="padding:0px 10px 0px;" | <translate><!--T:23-->
| rowspan="2" style="padding:0px 10px 0px;" | <translate><!--T:23-->
[[File:SEP Tip.png|45px|link=Special:MyLanguage/FAQ#encryption_and_compression|FAQ]]</translate>
[[File:SEP Tip.png|45px|link=Special:MyLanguage/4_4_3_Beefalo:FAQ#encryption_and_compression|FAQ]]</translate>
| style="padding:0px 40px 0px 10px; color: grey; font-size: 90%; text-align:left;" |<translate><!--T:7-->
| style="padding:0px 40px 0px 10px; color: grey; font-size: 90%; text-align:left;" |<translate><!--T:7-->
Check [[Special:MyLanguage/FAQ#encryption_and_compression|FAQ]] to find the answers to most common questions.</translate>
Check [[Special:MyLanguage/4_4_3_Beefalo:FAQ#encryption_and_compression|FAQ]] to find the answers to most common questions.</translate>
|}
|}


Line 43: Line 41:
[[File:SEP Troubleshooting.png|45px|link=Special:MyLanguage/Troubleshooting_Guide|Troubleshooting Guide]]</translate>
[[File:SEP Troubleshooting.png|45px|link=Special:MyLanguage/Troubleshooting_Guide|Troubleshooting Guide]]</translate>
| style="padding:0px 40px 0px 10px; color: grey; font-size: 90%; text-align:left;" |<translate><!--T:8-->
| style="padding:0px 40px 0px 10px; color: grey; font-size: 90%; text-align:left;" |<translate><!--T:8-->
Problems? See the [[Special:MyLanguage/Troubleshooting_Guide#Graphical_User_Interface_.28GUI.29_problems|Troubleshooting Guide]].</translate>
Problems? See the [[Special:MyLanguage/Troubleshooting_Guide|Troubleshooting Guide]].</translate>
|}
|}


Line 52: Line 50:


|}</div>
|}</div>
<span style="color:gray; font-size: 90%"><translate> <!--T:79--> SEP sesam [[SEP sesam Release Versions|v. 5.0.0 Jaglion]] has introduced a [[Special:MyLanguage/5_0_0:Configuring_Si3_NG_Deduplication_Store|new generation Si3 deduplication store]]. The Si3-related information differs slightly depending on which datastore is used: Si3 V1 or Si3. The procedures presented in this article apply only to the older type of SEP Si3 V1 deduplication store, which will soon be obsolete. To learn how encryption works with the new generation of Si3, see [[Special:MyLanguage/Encrypting_Si3_NG_Deduplication_Store|Encrypting Si3 Deduplication Store]].</translate></span>
<translate><!--T:10-->
<translate><!--T:10-->
Si3 encryption for Si3 deduplication store is one of the SEP sesam encryption types (also available are [[Special:MyLanguage/SEP_sesam_Glossary#backup-task|backup-task encryption]] and [[Special:MyLanguage/SEP_sesam_Glossary#LTO_encryption|LTO encryption]]), introduced in v. 4.4.3 ''Tigon''. SEP sesam provides encryption for Si3 deduplication to help ensure compliance with data protection legislation.  
Si3 encryption for Si3 V1 deduplication store is one of the SEP sesam encryption types (also available are [[Special:MyLanguage/SEP_sesam_Glossary#backup-task|backup-task encryption]] and [[Special:MyLanguage/SEP_sesam_Glossary#LTO_encryption|LTO encryption]]). SEP sesam provides encryption for Si3 V1 deduplication to help ensure compliance with data protection legislation. It can be enabled simply by specifying and confirming the encryption password.
 
<!--T:11-->
The administrator must create the deduplication security encryption key, which should only be known to the SEP sesam Server. If the encryption key is not available, the Si3 encrypted data cannot be read.  
 
=={{anchor|encryption}}Configuring Si3 encryption== <!--T:54-->         


<!--T:13-->
<!--T:58-->
Si3 data encryption is set by creating a deduplication security password file that contains only the password. This file must then be specified in the relevant drive properties. The operating systems's own file protection services (file system permissions, encrypted file system) must be used to ensure that only the administrator and SEP sesam software can access the password file. For this, a special user running the SEP sesam service must have access to the password file.
The following rules apply to setting the Si3 encryption password.


===Password rules=== <!--T:37--></translate>
==={{anchor|rules}}Password rules=== <!--T:37--></translate>
<ul><li><translate><!--T:38-->
<ul>  
In SEP sesam version [[Special:MyLanguage/SEP_sesam_Release_Versions|4.4.3 ''Tigon'']], the password can only be set once at the beginning and cannot be changed. As of v. [[Special:MyLanguage/SEP_sesam_Release_Versions|4.4.3 ''Grolar'']], it is possible to change the encryption password as described in the section [[Special:MyLanguage/Encrypting_Si3_Deduplication_Store#password|Changing encryption password]].</translate></li>  
<li><translate><!--T:39-->
<li><translate><!--T:39-->
Without the password, the data on the Si3 data store cannot be read.</translate></li>
Without the password, the data on the Si3 V1 data store cannot be read.</translate></li>
<li><translate><!--T:40-->
<li><translate><!--T:40-->
If an incorrect password is used, the Si3 data store terminates immediately after checking the password.</translate></li>
If an incorrect password is used, the Si3 V1 data store terminates immediately after after the password is checked.</translate></li>
<li><translate><!--T:38-->
The encryption password can be changed if the encryption status is successful, see the section [[Special:MyLanguage/Encrypting_Si3_Deduplication_Store#password|Changing Si3 encryption password]].</translate></li>
<li><translate><!--T:41-->
<li><translate><!--T:41-->
{{anchor|gc_recreate}}After enabling encryption, only the newly added data is encrypted. Existing data remains unencrypted by default, but can be encrypted later by using the command ''gc recreate all'' as shown below. Such subsequent encryption can take a long time depending on the occupancy level of the data store (check the size of the occupied data store space – the [[Special:MyLanguage/The_DataStore_4.4#properties|Filled]] parameter).</translate></li>
{{anchor|gc_recreate}}After enabling encryption, only the newly added data is encrypted. Existing data remains unencrypted by default, but can be encrypted later with the command <tt>gc recreate all</tt> as shown below. Such subsequent encryption can take a long time depending on the occupancy level of the data store (check the size of the occupied data store space – the [[Special:MyLanguage/4_4_3_Beefalo:Data_Store#properties|Filled]] parameter).</translate></li>
sm_dedup_interface -d <drive_number> gc recreate all
<pre> sm_dedup_interface -d <drive_number> gc recreate all</pre>
<translate><!--T:42-->
<translate><!--T:42-->
Example:
Example:
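Review bot: the revised T:40 bullet has a doubled word, "terminates immediately after after the password is checked"; drop one "after". In the same hunk, the reworded T:38 bullet allows a password change "if the encryption status is successful" without naming the status string. Quoting the status shown on the Si3 State tab here would save readers a jump to the linked section.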
Line 78: Line 74:
</ul>
</ul>


===<translate><!--T:14-->
=={{anchor|encryption}}<translate><!--T:54-->
Steps</translate>===
Configuring Si3 encryption==       
 
<!--T:64-->
Setting the encryption password is easy as you only need to specify it directly in the first drive properties.</translate>
<ol><li><translate>
<!--T:65-->
From '''Main selection''' -> '''Components''', click '''Data Stores''' to display the data store contents frame.</translate></li>
<li><translate>
<!--T:66-->
Select the preconfigured '''Si3 deduplication store''' and double-click it to open the properties.</translate></li>
<li><translate>
<!--T:67-->
Under the ''Data Store properties'', double-click '''the first drive''' of the Si3 V1 deduplication store. The ''Drive Properties'' window opens.</translate><br />
<translate>
<!--T:68-->
[[image:Si3_drive_properties_Beefalo_V2.jpg|830px|link=]]</translate>
<br clear=all></li>
<li><translate>
<!--T:69-->
In the '''Encryption password''' field, specify the encryption password and repeat it.</translate></li>
<translate><!--T:70--> Click '''OK''' to set up the encryption password.</translate></ol>
<translate><!--T:71--> Once encryption is enabled, only the newly added data is encrypted while all previously existing data remains unencrypted by default.</translate><br />
{{<translate><!--T:72--> tip</translate>|<translate><!--T:73--> You can encrypt all existing  data later with the [[Special:MyLanguage/Encrypting_Si3_Deduplication_Store#gc_recreate|''gc recreate all'']].</translate>}}
 
<translate><!--T:74-->
To check the encryption status, click the '''Si3 State''' tab in the ''data store properties''.
 
<!--T:45-->
[[image:Si3_state_tab_Beefalo_V2.jpg|830px|link=]]</translate>
<br clear=all>
<!-- <translate>==={{anchor|external_password}}Creating an external password file=== <!--T:75-->
 
<!--T:11-->
For older versions [[SEP_sesam_Release_Versions|4.4.3 ''Tigon–Grolar'']], the administrator must create the deduplication security encryption key, which should only be known to the SEP sesam Server. If the encryption key is not available, the Si3 encrypted data cannot be read.
 
<!--T:13-->
In versions [[SEP_sesam_Release_Versions|4.4.3 ''Tigon–Grolar'']], the Si3 data encryption key is set by creating a deduplication security password file that contains only the password. This file must then be specified in the relevant drive properties. The operating systems's own file protection services (file system permissions, encrypted file system) must be used to ensure that only the administrator and SEP sesam software can access the password file. For this, a special user running the SEP sesam service must have access to the password file.</translate>
<ol><li><translate>
<ol><li><translate>
<!--T:28-->
<!--T:28-->
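Review bot: the last step of the new ordered list, `<translate><!--T:70--> Click '''OK''' to set up the encryption password.</translate></ol>`, is not wrapped in `<li>...</li>` like the four steps before it, so it sits directly inside the `<ol>`; give it its own list item. Also in this hunk, the tip template's name is itself inside a translation unit (`{{<translate><!--T:72--> tip</translate>|`), which lets a translation change which template is called. Keep the template name outside `<translate>` and mark only the tip text for translation.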
Line 90: Line 122:
Select the preconfigured '''Si3 deduplication store''' and double-click it to open the properties.</translate></li>
Select the preconfigured '''Si3 deduplication store''' and double-click it to open the properties.</translate></li>
<li><translate><!--T:17-->
<li><translate><!--T:17-->
Under the '''Data Store properties''', double-click '''the first drive''' of the Si3 deduplication store. The ''Drive Properties'' window opens.<br /></translate>
Under the '''Data Store properties''', double-click '''the first drive''' of the Si3 V1 deduplication store. The ''Drive Properties'' window opens.</translate><br />
<translate><!--T:18-->
<translate><!--T:18-->
[[image:Si3_encryption_Tigon.jpg|link=]]</translate>
[[image:Si3_encryption_Tigon.jpg|link=]]</translate>
<br clear=all></li>
<br clear=all></li>
<li><translate><!--T:19-->
<li><translate><!--T:19-->
Under '''Options''', specify the deduplication security password file you created before. The path to the password file must be specified with slashes, backslashes must not be used. For example:</translate><br><tt>dedup.security.passwdfile="C:/ProgramData/SEPsesam/var/ini/stpd_conf/my_dedup_store.pass"</tt>.<br>
Under '''Options''', specify the deduplication security password file you created before. The path to the password file must be specified with slashes, backslashes must not be used. For example:</translate><br /><tt>dedup.security.passwdfile="C:/ProgramData/SEPsesam/var/ini/stpd_conf/my_dedup_store.pass"</tt>.<br />
<translate><!--T:26-->
<translate><!--T:26-->
Click '''OK''' to configure Si3 encryption. After enabling encryption, only the newly added data is encrypted. Existing data remains unencrypted by default, but can be encrypted later with the [[Special:MyLanguage/Encrypting_Si3_Deduplication_Store#gc_recreate|''gc recreate all'']].</translate></li></ol>
Click '''OK''' to configure the Si3 encryption. After enabling encryption, only the newly added data is encrypted. Existing data remains unencrypted by default, but can be encrypted later with the [[Special:MyLanguage/Encrypting_Si3_Deduplication_Store#gc_recreate|''gc recreate all'']].</translate></li></ol>


<translate><!--T:29-->
<translate><!--T:29-->
Line 106: Line 138:
<br clear=all>
<br clear=all>
<translate><!--T:44-->
<translate><!--T:44-->
As of SEP sesam v. [[Special:MyLanguage/SEP_sesam_Release_Versions|4.4.3 ''Grolar'']], you can also check the encryption status under the ''data store properties'', by clicking the '''Si3 State''' tab.
As of SEP sesam v. [[Special:MyLanguage/SEP_sesam_Release_Versions|4.4.3 ''Grolar'']], you can also check the encryption status under the ''data store properties'', by clicking the '''Si3 State''' tab.</translate> -->
=={{anchor|password}}<translate><!--T:46-->
Changing Si3 encryption password==


<!--T:45-->
<!--T:47-->
[[image:Si3_state_tab.jpg|link=]]</translate>
It is possible to change the encryption password if the encryption status is successful (<tt>Encryption process status: OK</tt>). When you set up a new encryption password, the data is first decrypted with the previous password and then re-encrypted with a new password. Re-encryption is only allowed if the encryption status is as follows: <tt>Encryption process status:  One password for all DDLs</tt>.
<br clear=all>


<translate>=={{anchor|password}}Changing encryption password (≥ 4.4.3 ''Grolar'')== <!--T:46-->
<!--T:76-->
The procedure for changing the Si3 encryption password in the current SEP sesam version is the same as the procedure for [[Special:MyLanguage/Encrypting_Si3_Deduplication_Store#drive_password|setting the encryption password in the drive properties]].
</translate>  


<!--T:47-->
As of v. [[Special:MyLanguage/SEP_sesam_Release_Versions|4.4.3 ''Grolar'']], it is possible to change an encryption password if the encryption status is successful (<tt>Encryption process status:  OK</tt>). By setting up a new encryption password, first the data is decrypted with the previous password and then encrypted again with a new password. The re-encryption is only allowed if the encryption status is as follows: <tt>Encryption process status:  One password for all DDLs</tt>.</translate>
<translate>===Steps=== <!--T:48--></translate>
<ol><li><translate>
<ol><li><translate>
<!--T:49-->
<!--T:49-->
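Review bot: the new T:76 paragraph links to `Encrypting_Si3_Deduplication_Store#drive_password`, but no `drive_password` anchor is defined in the lines shown; the section that sets the password in the drive properties is anchored `{{anchor|encryption}}`. Point the link at that anchor or add the missing one. The T:47 text also gives two conditions for the same operation (`Encryption process status: OK` and `Encryption process status:  One password for all DDLs`) without saying how they relate; one sentence stating which status the reader must see before changing the password would remove the ambiguity.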
Line 126: Line 157:
<li><translate>
<li><translate>
<!--T:51-->
<!--T:51-->
Under the '''Data Store properties''', double-click '''the first drive''' of the Si3 deduplication store. The ''Drive Properties'' window opens.</translate><br />
Under the '''Data Store properties''', double-click '''the first drive''' of the Si3 deduplication store. The ''Drive Properties'' window opens.</translate></li>
<translate>
<!--T:52-->
[[image:Si3_drive_properties.jpg|link=]]</translate>
<br clear=all></li>
<li><translate>
<li><translate>
<!--T:53-->
<!--T:53-->
Under '''Encryption Password''', specify a new encryption password and repeat it.</li>
In the '''Encryption password''' field, specify a new encryption password and repeat it.</li>
Click '''OK''' to set up new encryption password. </translate></li></ol>
Click '''OK''' to set up a new encryption password. </translate></li></ol>


<translate>=={{anchor|encryption_behavior}}Encryption behavior during SDS replication== <!--T:55-->
=={{anchor|encryption_behavior}}<translate><!--T:55-->
Encryption behavior during SDS replication==


<!--T:56-->
<!--T:56-->
The Si3 encryption is implemented in the file system read-write method. As a consequence, the internal processing works with the raw data.
Si3 encryption is implemented in the file system read-write method. As a result, internal processing works with the raw data.
When replicating an encrypted store, the data is not transferred to the RDS in the encrypted state. The data is first decrypted on the source Si3 and then re-encrypted on the target Si3.</translate><br />  
When replicating an encrypted store, the data is not transferred to the RDS in encrypted state. The data is first decrypted on the source Si3 and then re-encrypted on the target Si3.</translate><br />  
<translate><!--T:57-->
<translate><!--T:57-->
To guarantee absolute security during replication from source Si3 to target Si3, a secure VPN connection must be used for communication.
To ensure absolute security during replication from the source Si3 to the target Si3, a secure VPN connection must be used for communication.


<!--T:20-->
<noinclude><div class="noprint">
<noinclude><div class="noprint">
== See also == <!--T:20-->
== See also ==
[[Special:MyLanguage/4_4_3_Grolar:Configuring_Si3_Deduplication_Store|Configuring an Si3 Deduplication Store]] – [[Special:MyLanguage/4_4_3_Beefalo:Encryption_Support_Matrix|Encryption Support Matrix]] – [[Special:MyLanguage/The_Backup_4.4#Encryption|Backup-task Encryption]] – [[Special:MyLanguage/LTO_Encryption|LTO Encryption]]</div></noinclude></translate>
[[Special:MyLanguage/Configuring_Si3_Deduplication_Store|Configuring an Si3 Deduplication Store]] – [[Special:MyLanguage/Encryption_Support_Matrix|Encryption Support Matrix]] – [[Special:MyLanguage/4_4_3_Beefalo:Backup#encryption|Backup-task Encryption]] – [[Special:MyLanguage/LTO_Encryption|LTO Encryption]]</div></noinclude></translate>
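Review bot: in the step list, `specify a new encryption password and repeat it.</li>` closes the list item before `Click '''OK''' to set up a new encryption password. </translate></li></ol>`, so the final step has a closing `</li>` but no opening one; give it its own `<li>`. In the replication section, "To ensure absolute security" promises more than a VPN provides. Since the paragraph states that the data leaves the source Si3 decrypted, wording such as "to protect the data in transit" would match what the VPN actually does.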

Latest revision as of 12:24, 19 December 2023

Copyright © SEP AG 1999-2024. All rights reserved.
Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.
This is documentation for SEP sesam version 4.4.3 Grolar.
SEP AG has discontinued support for SEP sesam version 4.4.3 Grolar. Instructions are still available for these SEP sesam products, however, SEP AG accepts no responsibility or liability for any errors or inaccuracies in the instructions or for the incorrect operation of obsolete SEP sesam software. It is strongly recommended that you update your SEP sesam software to the latest version.

For more information on SEP sesam releases, see SEP sesam Release Versions. For the latest documentation, check SEP sesam documentation.


Overview

SEP sesam v. 5.0.0 Jaglion has introduced a new generation Si3 deduplication store. The Si3-related information differs slightly depending on which datastore is used: Si3 V1 or Si3. The procedures presented in this article apply only to the older type of SEP Si3 V1 deduplication store, which will soon be obsolete. To learn how encryption works with the new generation of Si3, see Encrypting Si3 Deduplication Store.

Si3 encryption for Si3 V1 deduplication store is one of the SEP sesam encryption types (also available are backup-task encryption and LTO encryption). SEP sesam provides encryption for Si3 V1 deduplication to help ensure compliance with data protection legislation. It can be enabled simply by specifying and confirming the encryption password.

The following rules apply to setting the Si3 encryption password.

Password rules

  • Without the password, the data on the Si3 V1 data store cannot be read.
  • If an incorrect password is used, the Si3 V1 data store terminates immediately after the password is checked.
  • The encryption password can be changed if the encryption status is successful, see the section Changing Si3 encryption password.
  • After enabling encryption, only the newly added data is encrypted. Existing data remains unencrypted by default, but can be encrypted later with the command gc recreate all as shown below. Such subsequent encryption can take a long time depending on the occupancy level of the data store (check the size of the occupied data store space – the Filled parameter).
    sm_dedup_interface -d <drive_number> gc recreate all

Configuring Si3 encryption

To set the encryption password, specify it directly in the properties of the first drive of the data store.

  1. From Main selection -> Components, click Data Stores to display the data store contents frame.
  2. Select the preconfigured Si3 deduplication store and double-click it to open the properties.
  3. Under the Data Store properties, double-click the first drive of the Si3 V1 deduplication store. The Drive Properties window opens.
  4. In the Encryption password field, specify the encryption password and repeat it.
  5. Click OK to set up the encryption password.

Once encryption is enabled, only the newly added data is encrypted while all previously existing data remains unencrypted by default.

Tip: You can encrypt all existing data later with the gc recreate all command.

To check the encryption status, click the Si3 State tab in the data store properties.


Changing Si3 encryption password

It is possible to change the encryption password if the encryption status is successful (Encryption process status: OK). When you set up a new encryption password, the data is first decrypted with the previous password and then re-encrypted with a new password. Re-encryption is only allowed if the encryption status is as follows: Encryption process status: One password for all DDLs.

The procedure for changing the Si3 encryption password in the current SEP sesam version is the same as the procedure for setting the encryption password in the drive properties.

  1. From Main selection -> Components, click Data Stores to display the data store contents frame.
  2. Select the preconfigured Si3 deduplication store and double-click it to open the properties.
  3. Under the Data Store properties, double-click the first drive of the Si3 deduplication store. The Drive Properties window opens.
  4. In the Encryption password field, specify a new encryption password and repeat it.
  5. Click OK to set up a new encryption password.

Encryption behavior during SDS replication

Si3 encryption is implemented in the file system read-write method. As a result, internal processing works with the raw data. When replicating an encrypted store, the data is not transferred to the RDS in an encrypted state: it is first decrypted on the source Si3 and then re-encrypted on the target Si3.
Because Si3 encryption therefore does not protect the data in transit, a secure VPN connection must be used for communication during replication from the source Si3 to the target Si3.