Users Guide
Managing security
The Core can encrypt protected machine snapshot data within the repository. Instead of encrypting the entire repository, you
can specify an encryption key during the protection of a machine in a repository which lets the keys be reused for different
protected machines. Encryption does not affect performance, as each active encryption key creates an encryption domain, thus
letting a single core support multitenancy by hosting multiple encryption domains. In a multi-tenant environment, data is
partitioned and deduplicated within the encryption domains. Because you manage the encryption keys, loss of the volume
cannot leak the keys. Key security concepts and considerations include:
● Encryption is performed using 256 bit AES in Cipher Block Chaining (CBC) mode that is compliant with SHA-3.
● Deduplication operates within an encryption domain to ensure privacy.
● Encryption is performed without impact on performance.
● You can add, remove, import, export, modify, and delete encryption keys that are configured on the Core.
● There is no limit to the number of encryption keys you can create on the Core.
Applying or removing encryption from a protected machine
You can secure the data protected on your Core at any time by defining an encryption key and applying it to one or more
protected machines in your repository. You can apply a single encryption key to any number of protected machines, but any
protected machine can only use one encryption key at a time.
The scope of deduplication in Rapid Recovery is limited to protected machines using the same repository and encryption key.
Therefore, to maximize the value of deduplication, Dell recommends applying a single encryption key to as many protected
machines as is practical. However, there is no limit to the number of encryption keys you can create on the Core. Thus, if legal
compliance, security rules, privacy policies, or other circumstances require it, you can add and manage any number of encryption
keys. You could then apply each key to only one protected machine, or any set of machines in your repository.
Any time you apply an encryption key to a protected machine, or dissociate an encryption key from a protected machine, Rapid
Recovery takes a new base image for that machine upon the next scheduled or forced snapshot. The data stored in that base
image (and all subsequent incremental snapshots taken while an encryption key is applied) is protected by a 256-bit advanced
encryption standard. There are no known methods for compromising this method of encryption.
If you change the name or passphrase for an existing encryption key currently used to a protected machine, then upon the next
scheduled or forced snapshot, Rapid Recovery Core captures and reflects the updated properties of the key. The data stored in
that image (and all subsequent incremental snapshots taken while an encryption key is applied) is protected by a 256-bit
advanced encryption standard. There are no known methods for compromising this method of encryption.
Once an encryption key is created and applied to a protected machine, there are two concepts involved in removing that
encryption. The first is to disassociate the key from the protected machine. Optionally, once the encryption key is disassociated
from all protected machines, it can be deleted from the Rapid Recovery Core.
This section includes the following topics:
● Associating an encryption key with a protected machine on page 71
● Applying an encryption key from the Protected Machines page on page 72
● Disassociating an encryption key from a protected machine on page 73
Associating an encryption key with a protected machine
You can apply an encryption key to a protected machine using either of two methods:
● As part of protecting a machine. When using this method, you can apply encryption to one or multiple machines
simultaneously. This method lets you add a new encryption key, or apply an existing key to the selected machine or
machines.
To use encryption when first defining protection for a machine, you must select the advanced options in the relevant Protect
Machines Wizard. This selection adds an Encryption page to the wizard workflow. From this page, select Enable
encryption, and then select an existing encryption key or specify parameters for a new key. For more information, see
Protecting a machine on page 122 or About protecting multiple machines on page 145, respectively.
● By modifying the configuration settings for a machine. This method applies an encryption key to one protected
machine at a time. There are two approaches for modifying configuration settings for a machine in the Rapid Recovery UI:
Working with the DL Appliance Core
71