Welcome to Dell Technologies Data Domain How to Series.
How to enable encryption on Data Domain. Reference Dell Knowledge Base article #000019875. The DD encryption software option provides an inline encryption capability that encrypts the incoming data and stores the data on the disk in an encrypted format.
Encryption of data at rest is all about encrypting the data that resides on the disk subsystem. Enabling the encryption of data at rest has a small impact on the performance of global cleaning.
This is because data which needs to be read from existing containers on disk and written to new containers may need to be read, decrypted, and uncompressed before being re-compressed, encrypted, and written back out to disk. While enabling encryption, a passphrase needs to be set.
The passphrase is a human-readable (understandable) key, like a smart card, which is used to generate a machine-useable AES 256 encryption key.
General steps that will be accomplished:
1) Log in to Data Domain GUI or CLI.
2) Check if DD has an encryption license available.
3) Check if the passphrase is already set.
4) Enable encryption on DD. Select an algorithm if you do not want the default one.
5) Restart the file system.
6) Check the status of the encryption.
Once the DD encryption is enabled, we need to restart the File System.
This will require a downtime of approximately 15 to 20 minutes. We can force DDFS to encrypt the pre-existing data using the apply-changes command: "filesys encryption apply-changes".
The first global cleaning cycle after running filesys encryption apply-changes may take significantly longer than normal. Customers should ensure that they have sufficient free space on their DD system to allow cleaning to run to completion without the DD system becoming full.
Otherwise, backups will fail.

Demonstration: How to enable encryption on Data Domain. Log in to "Data Domain CLI". To verify if there is an encryption license present, go to the SE mode. Check for the serial number. Run "priv set se".
Enter security credentials if asked. Enter the serial number. To verify the license, run "elicense show". The license should show as "active". If the security user credential is not asked for, run "user show list" and check if the security user account is there.
If not, create one using the command "user add <sec user> role security". Verify if there is a passphrase set on the system. Run "system passphrase set".
It's mandatory to store the passphrase safely for the future, or else you might lose all system data as there is no way to recover or reset a lost passphrase.
If there is no passphrase, you can set it at the time of enabling encryption. To enable encryption, run "filesys encryption enable". It is required to restart the file system after enabling encryption.
Make sure there are no backups or replication running on the system. It requires a downtime of around 10 minutes to apply changes. Restart the file system if nothing is running on the system.
Run command "filesys restart". Once the file system is restarted, run "filesys encryption show" to verify if encryption is enabled or not. The file system shows "Enabled".
These are the Knowledge Base articles which can be referred to for more information: KB 186091 "Security user creation", KB 13839 "Security user authorization", and KB 19730 "Passphrase set".
Thank you for watching.