Data Domain: Encryption Frequently Asked Questions

Summary: This knowledge article provides a collection of frequently asked questions (FAQ) about Data Domain Data At Rest Encryption (DARE) in a consolidated location for ease of reference.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

Table of Contents

|
 
 

Encryption Configuration

Question: How is Data At Rest Encryption (DARE) configured on Data Domain?

Answer: DARE can be configured with the following steps:
  1. Add an Encryption License.
    1. Have a license file with a valid Encryption license added to it.
    2. Use the below command to update the e-license in the Data Domain using the license file available: 
      # elicense update
  2. Add a security officer and enable security officer authorizations.
    1. Add a user with the "security" role (if one does not already exist) using the command: 
      # user add <username> role security
    2. Enable Security Officer Authorization by logging in as the security officer and running the command: 
      > authorization policy set security-officer enabled
  3. Switch back to an admin account and enable DARE by running the command: 
    # filesys encryption enable

Question: Which platforms are supported with DARE?

Answer: The DARE feature is supported on all Data Domain systems, except for Encryption Disablement Project (EDP) systems.
 

Question: How can I store data in clear text on the Data Domain?

Answer: Users can ensure that the data is saved in clear text and not encrypted in the Data Domain by confirming that encryption is turned off in the setup.
Encryption can be disabled in Data Domain using the command:
# filesys encryption disable
 

Question: Which backup applications and protocols are supported with DARE?

Answer: The DARE feature is independent of the underlying backup application or the protocol used by the Data Domain.
 

Question: Which encryption algorithms can be used?

Answer: The Data Domain encryption software supports AES 128- or 256-bit algorithms using Cipher Block Chaining (CBC) or Galois Counter Mode (GCM).
 
GCM is a mode of operation for symmetric key cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and privacy (confidentiality). As the name suggests, GCM combines the well-known counter mode of encryption with the new Galois mode of authentication. The authentication aspect of GCM guarantees that the data that was encrypted was done so by the Data Domain system and was not "injected" by some other means. This differs from CBC where data is encrypted (privacy aspect), but there is no check for the authenticity of the encrypted data.
 
In CBC mode, each block of plain text is exclusive ORed (XOR) with the previous cipher text block before being encrypted. This way, each cipher text block depends on all plain text blocks processed up to that point. Also, to make each message unique, an initialization vector must be used in the first block. CBC only guarantees the privacy (confidentiality) of the data through encryption. No authentication of the encryption algorithm or process is done.
 

Question: How can the encryption algorithm be changed?

Answer: Use the below command to set a specific encryption algorithm:
# filesys encryption algorithm set {aes_128_cbc | aes_256_cbc | aes_128_gcm | aes_256_gcm}
 

Question: How do I ensure that encryption is done on preexisting data once encryption is enabled?

Answer: We can force the Data Domain file system to encrypt the preexisting data using the below command:
# filesys encryption apply-changes
 
This makes the next clean cycle considerably longer and more resource-intensive than normal.
 

Question: How do I disable encryption?

Answer: Disable the encryption feature in the Data Domain using the following command:
# filesys encryption disable
 
This only disables encryption for incoming data. Existing encrypted data remains encrypted until it is manually decrypted using the command 'filesys encryption apply-changes'.
 

Question: Which encryption commands require a file system restart in order to take effect?

Answer: The following encryption commands require a file system restart in order to take effect:
  • filesys encryption enable|disable - Enables or disables encryption on the Data Domain.
  • filesys encryption algorithm set - Allows the user to select a cryptographic algorithm.
  • filesys encryption algorithm reset - Resets the encryption algorithm to AES 256 in CBC mode (the default).
 

Question: Which encryption commands require disabling the file system in order to set or use them?

Answer: The Data Domain file system must be disabled in order to set or use the following encryption commands:
  • encryption passphrase change
  • encryption lock|unlock

General Encryption Questions

Question: Is DARE supported on all Data Domain systems?

Answer: The DARE software option is supported on Data Domain systems that are not part of the encryption disablement project (EDP). These systems that do not allow encryption to be enabled, and are mainly sold in the Russia region.
 

Question: How is cryptography performed on Data Domain systems?

Answer: Cryptography is done using the OpenSSL and RSA BSafe libraries. RSA BSafe is a FIPS 140-2 validated cryptography library.
 

Question: What version of BSafe does Data Domain use?

Answer: As of DDOS 7.10, the BSafe versions in use are "BSAFE Micro Edition Suite 4.4.0.0" and "BSAFE Crypto-C Micro Edition: 4.1.4.0."
 

Question: What are the available user interfaces to configure encryption in DDOS?

Answer: Encryption can be configured using the command line, web interface, or by using REST APIs. REST API support was added in DDOS release 8.0.
 

Question: Is selective encryption of data possible? Like only one mtree or file?

Answer: Selective encryption is NOT possible. Encryption can only be enabled or disabled systemwide and not selectively. For systems with cloud support, encryption can be enabled or disabled at the cloud tier and cloud unit level.
 

Question: Are any cryptographic keys or account passwords transmitted or stored in clear text or under weak ciphers, such as when an entity authenticates, in datafile, in programs, or in authentication directories?

Answer: Absolutely Not.
 

Question: What version of OpenSSL does Data Domain use?

Answer: As of DDOS 7.10, the OpenSSL version is "OpenSSL 1.0.2zd-fips."
 

Question: How does DARE protect against data access from users and applications?

Answer:
  • Encryption of data at rest is all about encrypting the data, which resides on the disk subsystem. Encryption or decryption happens at the compression layer. Users or applications send and receive clear text data to the Data Domain, but any data physically residing on the Data Domain is encrypted.
  • All encryption occurs below the file system and namespace and is invisible to the users or applications. If a user or application already has authorized access to a file or directory, the data can be read in its native format regardless of encryption.
  • Data Domain encryption is designed such that if an intruder circumvents other network security controls and gains access to encrypted data, the data is unreadable and unusable to that person without the proper cryptographic keys.

Question: Does encryption happen after deduplication?

Answer: Yes, encryption happens on deduplicated data. Data is encrypted before being stored on the disk.
 

Question: How does the Data Domain ensure the security of the data?

Answer: Data is secured using the DARE feature. In addition, when the device is removed (head-swap, file system lock) the passphrase is removed from the system. This passphrase is used to encrypt encryption keys, so the data is further protected.
 

Question: What alerts are generated with encryption?

Answer: Alerts are generated in the following cases:
  • When there are compromised encryption keys present
  • When the encryption key table is full and no more keys can be added to the system
  • When auto key exporting fails
  • When automated key rotation fails
  • When encryption is disabled
  • When the system passphrase is changed

Question: Is there any security certification for DDOS?

Answer: Data Domain systems meet with FIPS 140-2 compliance.
 

Question: Where is the encryption key stored?

Answer: Encryption keys are stored persistently in a collection partition in the DDOS.
 

Question: If someone pulls out a hard drive from a Data Domain, can they decrypt data from it?

Answer: Encryption keys are encrypted using the system passphrase, which is stored in the system head. Even though encryption keys are stored in the disk, encryption keys cannot be decrypted without the system passphrase. So without knowing the key which used to encrypt the data, decryption is not possible from a hard drive.
 

Question: What cryptographic keys and passwords are needed for recovery, especially for disaster recovery?

Answer: Keys can be exported to a secure file and kept external to the system. Recovery of this file is done with the help of engineering. Also at the time of recovery, the customer must know the passphrase that was used with the keys export command.
 

Question: How can the file system be locked before moving the system to a different location?

Answer: Below is the procedure for locking the system:
  1. Disable the file system: 
    # filesys disable
  2. Lock the file system and enter a new passphrase (this requires authentication with a security user): 
    # filesys encryption lock
This command requires authorization by a user having a 'security' role.
Please present credentials for such a user below.
        Username: secuser
        Password:
Enter the current passphrase:
Enter new passphrase:
Re-enter new passphrase:
Passphrases matched.
The filesystem is now locked.
    1. The new passphrase must NOT be lost or forgotten. Without this passphrase, the file system cannot be unlocked, meaning that data on the Data Domain is inaccessible.
  3. To unlock the system when it reaches a remote location, use the below command: 
    # filesys encryption unlock
This command requires authorization by a user having a 'security' role.
Please present credentials for such a user below.
        Username: secuser
        Password:
Enter the passphrase:
The passphrase has been verified. Use 'filesys enable' to start the filesystem.
  4. The file system can now be enabled and used as normal.
Answer: No, file system encryption and storage sanitization are two independent features.
 

Question: Is over-the-wire encryption supported for EDP systems?

Answer: DARE and over-the-wire encryption are not supported for EDP systems.
 

System Passphrase

Question: What is the system passphrase?

Answer: DDOS is able to secure credentials within the system by setting a system-level passphrase. The passphrase is a human-readable key, like a smart card, which is used to generate a machine-usable AES 256 encryption key.
 
It provides two benefits:
  • It allows the administrator to change the passphrase without having to manipulate the encryption keys. Changing the passphrase indirectly changes the encryption of the keys, but does not affect user data. Changing the passphrase does not change the underlying Data Domain system encryption key. It changes the encryption of the Data Domain system key, but the system key stays the same.
  • It allows a physical Data Domain system to be shipped with an encryption key on the system but without the passphrase being stored on it. This way if the box is stolen in transit, an attacker cannot easily recover the data since the system only has encrypted keys and encrypted data.
The passphrase is stored internally on a hidden part of the Data Domain storage system. This allows the Data Domain system to boot and continue providing data access without administrator intervention.
 
Creating or changing the passphrase:
  • The system passphrase can be created using the CLI after an administrator authenticates with the Data Domain.
  • The system passphrase can be changed using the CLI after an administrator and a security role user (like a security officer) authenticate with the Data Domain. This means that no single administrator can make changes independently.
 

Question: When is the passphrase used?

Answer: The system passphrase is used as a primary key by various DDOS components, including file system encryption, cloud access, certificate management, DD Boost tokens, system configuration modules in scale-out environments, and licensing information. DDOS provides mechanisms to set and modify this system passphrase. It also provides options to control whether the system passphrase is stored on disk, which is especially used for enhanced security when the Data Domain is being transported.
 

Question: How is the passphrase used for secure transport of the Data Domain?

Answer: The process uses the 'filesys encryption lock' command, which allows the user to lock the file system by changing the passphrase. The user enters a new passphrase that reencrypts the encryption key, but the new passphrase is not stored. The encryption keys are not recoverable until the file system is unlocked using the 'filesys encryption unlock' command.
 
The process is described in the Data Domain Security Configuration Guides.
 

Question: What happens if the passphrase changes? Can data still be accessed?

Answer: Yes, changing the passphrase does not change the underlying Data Domain system encryption key, only the encryption of the encryption key. As such, data access is not impacted.
 

Question: How can I find out if a passphrase is set on the system?

Answer: If a passphrase is set on the system, running the 'system passphrase set' command throws an error indicating that the passphrase is already set.
 

Question: What happens if the passphrase is lost or forgotten?

Answer: If the customer loses the passphrase while the box is locked, they lose their data. There is no back-door or alternative way of getting access to it. Without a good process for managing that passphrase, this could happen accidentally and they would not be able to recover the key or data. However, the encrypted key can never be lost or corrupted because of the system's integrated protection mechanisms.
 

Question: Is there any mechanism to reset a lost system passphrase?

Answer: The system passphrase can be reset by force only in certain scenarios with the help of Customer Support. The force-update mechanism introduced in DDOS 7.2 can be used for this only if specific conditions are met. More details can be found in this article: Data Domain: How to Reset a lost system passphrase in DDOS v7.2 or later (log in to Dell Support required).
 

Question: Is there an option to avoid storing the system passphrase on the Data Domain?

Answer: The system passphrase is stored in a hidden location on the Data Domain system by default. The command 'system passphrase option store-on-disk' can be used to change this and avoid storing the passphrase on-disk.
 

Embedded Key Manager (EKM)

Top-level command:
# filesys encryption embedded-key-manager <option>
 

Question: Is key rotation supported with EKM?

Answer: Yes, key rotation per Data Domain system is supported with Embedded Key Manager. Through the UI or CLI the administrator can set up a key rotation period (weekly or monthly).
 

Question: Is there a charge for the embedded key management functionality?

Answer: There is no charge for this functionality. It is included as part of the standard Data Domain Encryption software license option.
 

Question: Can I switch from local to external key management?

Answer: Yes, external key managers can be enabled at any time. However, the local keys being used remain on the Data Domain. External key managers are not able to manage the local keys. Existing data does not require reencrypting. If compliance data must be reencrypted with EKM keys, then it must be done manually using 'filesys encryption apply-changes' with the new RW key. Destroying EKM keys after a switch is not mandatory.
 
Changing key managers automatically switches the active key to the key from KMIP.
Example of how the KMIP key MUID looks when a switch happens:
Key-ID     Key MUID                                                                    State                     Key Manger Type
1               be1                                                                    Deactivated               DataDomain

2               49664EE855DF71CB7DC08309414C2B4C76ECB112C8D10368C37966E4E2E38A68       Activated-RW              KeySecure
 

Question: What happens when when key rotation is disabled or enabled?

Answer: Key rotation is disabled by default. In that scenario all the data are encrypted with the existing active key. If key rotation is enabled, the data is encrypted with the latest active key based on the configured rotation frequency.
 

External Key Managers

Question: What external key managers does Data Domain support?

Answer: Data Domain supports the below external key managers:
  • Gemalto KeySecure (support added in DDOS release 7.2)
  • Vormetric (support added in DDOS release 7.3)
  • CipherTrust (support added in DDOS release 7.7)
  • IBM GKLM (support added in DDOS release 7.9)
 

Question: Is a separate license required to enable integration with an external key manager?

Answer: Yes, a separate license is needed from the respective vendor to integrate an external key manger with Data Domain.
 

Question: How many key managers can be used at a time?

Answer: Only one key manager can be active at any given time on a Data Domain.
 

Question: Where do I find more information about how to configure KMIP external key managers?

Answer: The KMIP Integration Guide for DDOS has detailed information about configuring the different external key managers supported by Data Domain.
 

Question: How are certificates managed for external key managers in Data Domain?

Answer: Configuring the external key manager requires generating a CA certificate (which can be self-signed or signed by third party) and a host certificate. Once configuration is done on the external key manager server, the CA certificate and host certificate must be imported to the Data Domain system. Then the external key manager can be configured and enabled.
 

Question: What is a Certificate Authority?

Answer: A Certificate Authority (CA) acts as the initially-trusted shared entity between peers, and issues signed certificates to make it possible for each party to trust the other. A certificate generally acts as the identity of a server or client.
 

Question: What is a CA-signed certificate? What is a local CA-signed certificate?

Answer: A CA-signed certificate is a certificate that has been issued and signed by a publicly trusted certificate authority (CA). A CA-signed certificate is trusted automatically. A local CA can issue signed certificates since the private signing key is stored inside the key manager system. An external CA does not store the private key. Instead, an external CA is used as a trusted entity for various interfaces and services inside the system.
 

Question: How do I create a certificate signing request on a Data Domain?

Answer: A Data Domain certificate signing request (CSR) can be generated using the below command. This way, the private key is never exposed to the external key manager.
# adminaccess certificate cert-signing-request
 

Question: Is it possible to switch between key managers?

Answer: Switching from external key manger to embedded key manager is allowed and is seamless. However, switching from embedded key manager to external key managers requires appropriate certificate installation and configuration. Switching between two external keys managers (for example: KMIP-CipherTrust, DSM-Ciphertrust, CipherTrust to GKLM) is also allowed. Migration of keys is also supported (See the KMIP Integration Guide for more details).
 

Question: What happens when external key manager connectivity goes down? Is my data still accessible?

Answer: Yes, data is still accessible when we cannot connect to the key manager, since a copy of the keys is also stored in the Data Domain. New keys cannot be created, and key states cannot be synced when there is no connectivity with the external key manager.
 

Question: Is there a way to store keys only in the external key manager and not on the Data Domain?

Answer: A copy of the keys is always stored in the Data Domain system for Data Invulnerability Architecture (DIA) purposes. This setting cannot be changed.
 

Question: Is there any performance impact from integration with KMIP?

Answer: No, there is no performance impact because of using external key managers.
 

Question: Is it possible to leverage the KMIP solution for selected Data Domains within the environment?

Answer: Yes, customers have complete flexibility in selecting the appropriate encryption methodology for their Data Domains. They can continue leveraging Data Domain's embedded key manager on some systems, and the encryption key rotation using KMIP on other systems within their environment.
 

Question: Is communication between the Data Domain and KMIP secure?

Answer: Yes, the Data Domain communicates over X509 certificate mutually authenticated sessions with the TLS. The Data Domain CLI can be used to import the appropriate X509 certificate into the Data Domain system. This certificate is then used to establish the secure channel between the Data Domain and KMIP.
 

Key Life-Cycle Management

Question: What key management capabilities exist with Data Domain encryption?

Answer: A key manager controls the generation, distribution, and life-cycle management of multiple encryption keys. A protection system can use either the embedded key manager or a KMIP-compliant external key manager. Only one key manager can be in effect at a time. When encryption is enabled on a protection system, the Embedded Key Manager is in effect by default. If an External Key Manager is configured, it replaces the embedded key manager and remains in effect until it is disabled manually. Switching from Embedded Key Manager to External Key Manager or vice versa results in a new key being added to the system. As of DDOS 7.1, this does not require a file system restart.
 

Question: What are the different key states on the Data Domain?

The different key states on the Data Domain are as follows:
  • Activated-RW: There is only one key in this state on a Data Domain at any given time, and it is used for reading and writing data. This key is also used by the garbage collection process to re-encrypt containers.
  • Pending-Activated: There is only one key in this state on a Data Domain at any given time. This identifies the key that will become Activated-RW after the next file system restart. This state exists only at the time of enabling encryption. Pending-activated keys are not created at any other time.
  • Activated-RO: External key managers can have multiple Activated keys. The most recent key is in Activated-RW, and the rest are in this state. Keys may go into this state on the Data Domain when it cannot sync state with the key manager.
  • Deactivated: This is used for reading existing data on the Data Domain system.
  • Compromised: When an external key manager key is compromised, it changes to this state after the next key sync.
  • Marked-For-Destroyed: When a customer marks a key for destruction, the key changes to this state. When garbage collection is run, all containers encrypted with Marked-For-Destroyed keys are re-encrypted using the Activated-RW key.
  • Destroyed: A key in the Marked-For-Destroyed state goes into this state when there is no data associated with it.
  • Destroyed-compromised: A key in the Compromised state goes into this state when there is no data associated with it.
 

Question: Can encryption keys be exported for disaster recovery?

Answer: Keys can be exported manually using the below command.
# filesys encryption keys export
 
Data Domain also exports keys by default when a new key is added, or when any key is deleted from the system.
 
Exported files are present in the /ddr/var/.security directory in an encrypted format. This file can be copied off of the Data Domain and stored in a safe location to use in any disaster recovery condition later.
 
Note: Importing keys for disaster recovery requires Customer Support intervention, as the restore process depends on the type of disaster encountered. We can import the exported key file using the following command. 
# filesys encryption keys import <filename>
 

Question: Is the key generated by KMIP stored on the Data Domain?

Answer: Yes, the encryption key obtained from the KMIP is stored in an encrypted fashion on the Data Domain.
 

Question: How is a key state change in the KMIP appliance applied to the Data Domain?

Answer: Key sync happens daily. If there is a new key available or the state of a key is changed, the sync updates the local key table. Data Domain receives key updates from the KMIP every day at midnight.
 

Question: Is it possible to manually synchronize the key states between the Data Domain and KMIP?

Answer: Yes, the Data Domain CLI or UI can be used to manually synchronize the key states between the Data Domain and KMIP. The command for this is 'filesys encryption keys sync'.
 

Question: Is it possible to change the time at which the Data Domain receives key updates from KMIP?

Answer: No, it is not possible to change the time at which the Data Domain receives key updates from the KMIP.
 

Question: Is there a limit to the number of keys stored on the Data Domain?

Answer: Starting from DDOS 7.8, the Data Domain system can have a maximum of 1,024 keys on the system. There is only one key in the Activated-RW state; all other keys can be in any other state.
 

Question: Can different keys be used for different datasets on Data Domain?

Answer: No, Data Domain only supports one active key in the system at a time. All incoming data are encrypted using the current active key. Keys cannot be controlled at a finer granularity (such as per-mtree).
 

Question: Is there any notification when the maximum key limit is reached?

Answer: Yes, an alert is raised when the maximum key limit of 1024 is reached.
 

Question: How can I clear the alert about the maximum key limit?

Answer: One of the keys must be deleted to clear the maximum key limit alert.
 

Question: Can I see the amount of data that is associated with a particular key on the Data Domain?

Answer: Yes, this can be seen on Data Domain, but cannot be seen on the KMIP server. The Data Domain CLI and the UI allow the user to see the amount of data associated with a particular key. The command for this is 'filesys encryption keys show summary'.
 

Question: Can I see the age of keys on the Data Domain?

Answer: Yes, it can be seen for EKM keys using the UI.
 

Question: Does the old key work even if the time period has lapsed for making the new key effective?

Answer: There is no expiration date for encryption keys. Old keys become read-only after key rotation, and they stay in the DDOS.
 

Question: Are encryption keys automatically deleted when there is no data associated with them on the Data Domain?

Answer: No, the key is not automatically deleted. The user has to explicitly delete the key using the Data Domain CLI or UI.
 

Question: Can a key be deleted even if there is data associated with it on the Data Domain?

Answer: No, if a key has any data associated with it, then it cannot be deleted. Data must be reencrypted with another key in order to delete a key that has data associated with it.
 

Question: If a key is deleted on the KMIP, is the key also deleted from the Data Domain's key list?

Answer: No, the user must independently delete the key by using the Data Domain CLI or UI.
 

Question: In a multi-site Data Domain environment, is a KMIP required at every location?

Answer: No, it is not necessary to have a KMIP at every site with a Data Domain. One KMIP server can be used for all of them. It is recommended to have a separate key class for each Data Domain system when they are using same KMIP server.
 

Question: If a key is compromised, is there a process to retrieve the data that is encrypted with the old key?

Answer: If this occurs, the customer must mark the key as compromised in the KMIP server. Then on the Data Domain:
  1. Run 'filesys encryption keys sync'.
  2. Run 'filesys encryption apply-changes'.
  3. Start a file system cleaning.
    1. Cleaning re-encrypts all the data that was encrypted with the compromised key using a newer key.
    2. Once cleaning is done, the old key state is changed to Compromised-Destroyed.
  4. Delete the old key.
 

Encryption and Replication

Question: Is Data Domain replication supported and interoperable with DARE?

Answer: Yes, Data Domain replication can be used with DARE. This enables encrypted data to be replicated using all different kinds of replication. Each type of replication works uniquely with encryption and offers the same level of security.
 

Question: Do the source and destination systems have to be running the same DDOS version to use encryption?

Answer: The source and destination can be on different DDOS version to use DARE with replication if they are compatible for replication (see Data Domain Administration Guide for the compatibility matrix).
 

Question: How does replication work with encryption?

Answer: It depends on which form of replication is being used.
 
If the configured replication is mtree replication (MREPL) or Managed File Replication (MFR):
  • DARE can be licensed or enabled on either the source or destination independently depending on what the customer wants to achieve.
  • When both source and destination have encryption enabled:
    • Data ingested to the source is encrypted with the source system encryption key.
    • The source decrypts the local data, re-encrypts it using the destination system encryption key, and then replicates the encrypted data to the destination.
  • When the source has encryption disabled, and the destination has encryption enabled:
    • Data ingested to the source is not encrypted.
    • When replicating, the source encrypts the data using the destination system's encryption key and then replicates the encrypted data to the destination system.
  • When the source has encryption enabled, and the destination has encryption disabled:
    • Data ingested to the source system is encrypted with the source system's encryption key.
    • The source decrypts the data and then replicates the unencrypted data to the destination system.
  • If encryption is enabled on the replica after replication context is set up, then any new segments now being replicated are encrypted at the source for the replica. Any segments residing on the replica prior to encryption being enabled are left in an unencrypted state unless changes are applied and cleaning is run on the destination.
 
If the configured replication is collection replication (CREPL):
  • Both the source and destination systems must be running same DDOS release.
  • Encryption must be either enabled or disabled on both. There cannot be a mismatch in encryption configuration also. Encryption keys are the same with source and destination.
  • When both source and destination have encryption enabled:
    • All data ingested to the source system is encrypted using source system encryption key.
    • When replicating, the source sends encrypted data to the destination system in its encrypted state.
    • The destination has the same key as the source since collection replication is all about an exact replica of the source system.
    • No data can be written to the destination outside of replication, as the destination is a read-only system.
  • When both source and destination both have encryption disabled:
    • Data ingested to source system is not encrypted.
    • When replicating, the source sends the data in an unencrypted state and it remains unencrypted at the destination.
    • No data can be written to the destination outside of replication, as the destination is a read-only system.
 

Question: Is the destination's key stored indefinitely on the source Data Domain?

Answer: The destination's encryption key is never stored on the source Data Domain system. It is only held in memory (encrypted) while the replication session is active. This applies to all types of replication except collection replication. In collection replication, the same set of encryption keys is present on both source and destination.
 

Question: Can encryption be enabled on a collection replication system after the replication context is established?

Answer: Yes, in this case encryption must be enabled in both source and destination. The replication context must be disabled in order to configure encryption. Any new segments replicated are encrypted on the replica. Any segments residing on the replica prior to encryption being enabled are left in an unencrypted state.
 

Question: Can DARE be enabled concurrently with the over-the-wire encryption feature for Data Domain replication?

Answer: Yes, both over-the-wire (OTW) encryption and DARE can be enabled concurrently to achieve different security goals.
 

Question: What happens if both DARE and OTW encryption are enabled concurrently?

Answer: The source first encrypts data using the destination encryption key. Then, already-encrypted data is encrypted a second time by OTW encryption while sending this data to its destination. At the destination, after OTW decryption is done, data is stored in an encrypted format that was encrypted using the destination's encryption key.
 

Question: When encryption is enabled on both the source and destination, must they have the same passphrase?

Answer: If the configured replication is collection replication, then the passphrase must be the same. For other kinds of replication (like MREPL, MFR), the systems can have different passphrases.
 

Question: With encryption enabled on the destination, do both the replicated data and data from some other access point (like through local backup) get encrypted? Is there a way to separate the two on the destination so that only the replicated directories are encrypted?

Answer: No, all data is encrypted at the destination regardless of entry point. Encryption cannot only be enabled or disabled at an mtree- or directory-level granularity. This is not applicable to CREPL.
 

Question: How is the key exchange done between source and destination during MREPL or MFR?

Answer: During the association phase of replication, the destination securely transmits its current encryption algorithm and key information to the source. Replication contexts are always authenticated with a shared secret. That shared secret is used to establish a "session" key using a Diffie-Hellman key exchange protocol. That session key is used to encrypt and decrypt the Data Domain encryption key.
 

Question: What type of algorithm does OTW encryption use to encrypt replication traffic?

Answer: When replication authentication-mode is set to "one-way" or "two-way," Ephemeral Diffie-Hellman (DHE) is used for session key exchange. Server authentication happens using RSA. AES 256-bit GCM cipher is used to encapsulate the replicated data over the wire. The encryption encapsulation layer is immediately removed when it lands on the destination system.
 
"One-way" indicates that only the destination certificate is certified. "Two-way" indicate that both the source and destination certificates are verified. Mutual trust must be established before you can use this authentication mode, and both sides of the connection must enable this feature for encryption to proceed.
 
When the replication authentication mode is set to "anonymous," Anonymous Diffie-Hellman (ADH) is used for session key exchange. In this case, the source and destination do not authenticate each other before the key exchange. "Anonymous" is used by default if the authentication mode is not specified.
 

Question: Does key rotation without a file system restart work with all types of replication?

Answer: Key rotation without a file system restart works with all types of replication except directory replication (which is no longer supported) and delta replication (also known as Low Bandwidth Optimization or LBO).
 

Question: How is the destination's encryption key protected during the key exchange in the absence of certificates or PKI key pairs?

Answer: There is a shared secret between all Data Domain replication pairs that is used to establish a shared session key using a Diffie-Hellman key exchange. That shared key is used to encrypt the destination's encryption key.
 
There is a difference between the shared secret used for replication authentication and the shared session key, which is allocated using the Diffie-Hellman key exchange protocol. The shared secret used for replication authentication is established by the Data Domain software the first time two Data Domains want to establish a replication context. It is also agreed upon through a Diffie-Hellman exchange using parameters embedded in the code. This is persistently stored in the systems to authenticate every replication session between the two systems. The replication session key (the key used to encrypt the destination's encryption key) is established using another Diffie-Hellman exchange with the previously established shared secret, thereby driving the secure key exchange protocol. This key is not persistent and is only around while the replication context is active.
 

Question: Are both systems in a replication pair required to use the same external key manager (like KMIP key manager) solution, or can one of the systems use external key manager and other can use embedded key manager?

Answer: Aside from collection replication, it is not necessary for both systems within a replication pair to use same key manager.
 
With collection replication, both Data Domain systems must be configured with the same key manager. However, only the source is syncing keys with the key manager, and those keys are sent over to the destination also. With other replication types, different key managers can be used with the source and destination.
 

Encryption and Migration

Question: Is data migration supported on systems with DARE enabled?

Answer: Yes, data migration is supported on systems with encryption enabled. Encryption configuration on source and destination systems must be matched as a prerequisite before data migration is initiated. It is also recommended to export and backup encryption keys on the source system for DIA purposes before migration is initiated.
 

Question: Are both active tier and cloud tier data migration supported with DARE enabled?

Answer: Yes, data migration is supported for both active tier and cloud tier migration for encryption-enabled systems. The list of prerequisite attributes checked is applied based on which tier has encryption enabled.
 

Question: Which encryption settings are preserved as part of migration?

Answer: Encrypted data and encryption keys are migrated as-is, but settings like the key manager, system passphrase, and other encryption configuration must be manually verified and matched for successful data migration. Any existing key manager certificates are also transferred to the destination system. Encryption key manager configuration must be set up again on the destination system after migration.
 

Question: What encryption compatibility checks are done between source and destination during migration?

Answer: System passphrase, encryption status, key manager configuration details, and system FIPS mode settings are some of the encryption settings that must be identical on source and destination systems for migration to be successful. This KB article (log in to Dell Support required) details the steps for migration between systems with cloud enabled. The same settings apply for active tier migration as well.
 

Question: Is migration supported between EDP systems?

Answer: Data migration is supported between two systems if either both are EDP or both are non-EDP. Data migration is allowed from an EDP system to a non-EDP system if OTW encryption is explicitly disabled using the MIGRATION_ENCRYPTION system parameter.
 

Encryption and Cloud Tier

Question: Is encryption supported for cloud tier?

Answer: Yes, encryption is supported for cloud tier. It is disabled by default. The 'cloud enable' command prompts to choose whether or not to enable encryption on the cloud tier.
 

Question: Are KMIP and External Key Managers supported with cloud tier?

Answer: Yes, KMIP and External Key Managers are supported with cloud tier from DDOS 7.8 onwards.
 

Question: At what granularity can encryption be enabled in the cloud?

Answer: Encryption can be enabled and disabled on each cloud unit and each tier independently.
 

Question: Do cloud units have independent keys?

Answer: No, key management is common to both active and cloud tiers in Data Domain. Keys are copied over to the respective unit, tier, or collection partition when encryption is enabled. If encryption is enabled on active and not on cloud, active tier keys do not reflect on cloud, and vice versa. This applies to the cloud units too. For example: If cp1 has encryption enabled, and cp2 does not have encryption enabled, then cp1 keys do not reflect on cp2.
 

Question: Can keys be deleted from the cloud?

Answer: No, deleting keys from the cloud is not supported.
 

Question: Where are data encryption keys managed for cloud units?

Answer: Keys are associated with a collection partition (CP), and each cloud unit is a different CP. A copy of keys from all CPs is stored in the active partition.
 

Question: How do I recover cloud keys during disaster recovery?

Answer: The cpnameval is mirrored to the cloud as part of the CP recovery, and the encryption keys are recovered to cpnameval. Then, the ddr_key_util tool is used to recover the keys.
 
Note: Disaster recovery requires Customer Support assistance.
 

Question: Can data movement run when encryption is enabled only for the cloud tier?

Answer: No, encryption must be enabled in both the cloud and active tiers for data movement to run.
 

Question: Can an external key manager be used with cloud tier?

Answer: Yes, external key manager can be used with cloud tier. This feature is supported from DDOS 7.8 onward. All operations (except for destroying or deleting a key that is used for the active tier) are also valid for cloud tier in terms of external key manager.
 

Encryption and Garbage Collection

Question: What role does the garbage collection (GC) process play in DARE? Is there a performance impact when enabling encryption for the first time?

Answer: Enabling DARE for the first time has an impact on GC performance. When GC runs, it reads data from existing containers on disk and writes it to new containers. After DARE is enabled, that data may require being read, decrypted, and uncompressed before being recompressed, encrypted, and written back out to disk. When encryption is enabled on a Data Domain holding a significant amount of preexisting data, and the 'filesys encryption apply-changes' command is run, the next GC cycle attempts to encrypt all existing data on the system. This means that all data must be read, uncompressed, compressed, encrypted, and written out to disk. As a result, the first GC after running 'filesys encryption apply-changes' may take longer than normal. Ensure that they have sufficient free space on the Data Domain system to allow cleaning to run to completion without the Data Domain system becoming full (otherwise backups fail).
 

Question: Is there a performance impact to ongoing clean cycles?

Answer: Yes, there is a performance impact. The impact generally depends on the amount of data being ingested and restored between clean cycles.
 

Question: How long does it take to encrypt existing data?

Use this KB article to estimate the time: Data Domain: Calculating how long encryption at rest takes to apply.
 

Encryption and Headswap

Question: If a Data Domain with DARE configured undergoes a headswap, are disks still accessible with the new head unit?

Answer: The encryption key is not tied to the Data Domain system head itself, so the disks can be moved to another Data Domain head and the key is still accessible there. The file system is locked on the new head and must be unlocked with the 'filesys encryption unlock' command and the system passphrase.
 

Question: What if the passphrase is lost at the time of the headswap operation?

Answer: If the passphrase is lost, connect the old head and work with support to reset the passphrase. Then connect back to the new head and finish the headswap procedure.
 

Encryption and Performance

Question: What is the observed impact on storage consumption when DARE is used?

Answer: The impact on storage consumption is negligible, with roughly 1% overhead associated with storing some encryption parameters with user data.
 

Question: What is the observed impact on throughput (writes and reads) when DARE is used?

Answer: The impact on ingest throughput when encryption is used can vary with the protocol and platform. In general, the following percentages are conservative performance degradations in aggregate throughput:
 
CBC Mode
  • First Full: ~10% performance degradation on writes
  • Incremental: ~5% performance degradation on writes
  • Restores: 5-20% performance degradation on reads
 
GCM Mode
  • First Full: 10-20% performance degradation on writes
  • Incremental: 5-10% performance degradation on writes
  • Restores: 5-20% performance degradation on reads
 
These numbers are specific to the overhead of data at rest encryption. Over the wire encryption is accounted for separately.
 

Best Practices

Question: What are best practices concerning key rotation policy?

Answer: Automated key rotation policy is not enabled by default. It is recommended to rotate encryption keys frequently. When a system is configured with an external KMIP key manager, it is advisable to rotate keys frequently to handle any key compromise scenarios in future. When KMIP is configured with cloud tier, the suggested key rotation interval is weekly; when KMIP is configured only for the active tier, the suggested key rotation policy is monthly. However, this may be increased or decreased based on ingestion rate. If the embedded key manager is configured, then a key rotation policy anywhere between 1-3 months is recommended.
 

Question: What are best practices with KMIP key class if the same KMIP server is used for many Data Domains?

Answer: It is recommended to have a separate key class for each Data Domain when they are using same KMIP server. That way, key rotation done on one system does not impact the state of the key present in other systems.

Additional Information

Other documentation related to Data Domain Encryption (Admin Guide, Command Reference Guide, and Security Config Guide) can be found here: PowerProtect and Data Domain core documents
 
Watch this video:

Affected Products

Data Domain, Data Domain

Products

Data Domain, Data Domain Encryption
Article Properties
Article Number: 000019875
Article Type: How To
Last Modified: 23 Apr 2026
Version:  12
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.