Unitrends Encryption technology offers IT administrators a solution for regulatory and corporate requirements to protect their employer’s data from unauthorized access and theft. All data remains encrypted until a request is made to restore the data. If the correct passphrases are in place, recovery proceeds without administrator involvement.
The Unitrends solution offers and supports:
• Encryption per client
• Ability to change passphrases
• Passphrase management tool to help administrators avoid losing passphrases
• Replication of encrypted data
• Archiving of encrypted data
Points to consider before turning on Encryption:
• Encryption will degrade performance slightly for backups, replication, and restores. It should be done only if you really need to hide your data.
• Make sure to keep the passphrase secure, because if you forget the passphrase there is no way to recover it or restore any past backups.
• In legacy vaulting systems, when you toggle encryption from on to off or vice versa, or when you change the passphrase, the next master backup for encrypted clients will have to replicate to the target system in whole - we cannot send only the changed blocks because toggling encryption and changing the key makes all the blocks look like they have changed. This is not the case in replicating systems, since backups are decrypted before being scanned for changed blocks.
• To enable software encryption, the system software license feature string must include ENC. Check the license feature string by navigating to Settings > System, Updates, and Licensing > License.
• Once encryption has been enabled and configured for a client, that client’s subsequent backups are encrypted. Any backups stored on the system prior to configuring encryption remain unencrypted, as encryption is done during the backup process.
See the following topics for details:
1. Select Settings > System Monitoring > Encryption.
2. Enter a passphrase in the Passphrase and Verify Passphrase fields, and click Confirm.
The passphrase can be a word, numbers, a sentence, or a combination of all. Once you create a passphrase you are logged in. This authenticates the user.
The passphrase is saved in a master key file. All the passphrases you set are stored in the master key file in encrypted format. Any time you restart the Encryption Manager, you are asked to provide this passphrase.
3. To start the encryption process, change the Encryption State to On. There are two options for enabling the Encryption Manager: On (will be off after reboot) or On (will be turned on again after reboot).
Note: After a reboot (if not set to turn on automatically), or after a Disaster Recovery, all backups and restores of clients set for encryption will fail until you restart the Encryption Manager and log in again.
4. Burn the master key file to a CD by doing one of the following:
• For Unitrends Backup and Recovery-943 systems, click Backup to save the passphrase to the system’s baremetals share. Map the system’s baremetals share to a workstation that has a CD burner and burn the crypt_image.iso key file to a CD. (For details, see To map the system baremetals share.) If you have trouble writing to the CD, save the key file to a local share on the workstation and try again.
• For other Recovery Series systems, click Backup, insert a CD into the Recovery Series system, then click Okay to write the key file to the CD.
5. Once the master key file has been copied to CD, make sure to keep the CD in a safe place. The CD may be required to restore the master key file after a system failure.
Note: The master key is included as part of the appliance state backup for systems running version 7.0 or higher, or as part of the system state on systems running older versions. This information is included with any replication or legacy vaulting operation, and is copied to an archive device with any archive operation.
6. Proceed to To configure backups for encryption to enable encryption for each client. (This step may not be necessary if configuring encryption on a replication target system.)
Once the Encryption daemon has been started, turn on encryption for each client whose backups should be encrypted. Note that encryption is done during the backup. Once encryption is configured for a client, its subsequent backups are encrypted. Any existing backups for the client remain unencrypted.
1. Select Settings > Clients, Networking, and Notifications > Clients.
2. Select the client whose backups you want to encrypt and check the All backups performed on this computer are to be encrypted box.
3. Click Setup to save the client settings.
Once turned on for a client, all subsequent backups to a D2D device are encrypted. (Any existing backups remain unencrypted.) This applies to all:
• Master backups
• Differential backups
• Incremental backups
• Selective backups
• Microsoft SQL database backups
• Microsoft Exchange Information Store backups
• Bare metal backups
• VMware backups
• Local directories on the system
If you enable encryption on a client before enabling encryption on the system, you receive an error message. If the Encryption Manager has not been unlocked with the correct master passphrase, any subsequent backups or restores fail.
1. Select Settings > System Monitoring > Encryption.
2. If desired, modify the Encryption State by selecting an option.
3. To change the passphrase, click Change and Yes to confirm.
Warning! If the Encryption Manager is running (backups, restores, or replication jobs are in progress), wait for those tasks to complete before changing the passphrase. If replicating, changing the passphrase can use a tremendous amount of bandwidth. Plan your passphrase change carefully.
4. Enter the passphrase in the Current Passphrase field, and the new phrase in the New Passphrase and Verify Passphrase fields, then click Confirm.
1. View backup details as described in To view backup details.
2. On the Backup Information page, check the Encryption category. Yes is encrypted, No is not encrypted.
To restore the master key file from the CD, insert the CD in the CD-ROM drive and copy the master key file (cryptoDaemonMasterKeys) to /var/lib/misc. At this point, only backups made up to the time the CD was created can be restored. Note: the current passphrase is NOT stored on the off-premise system or the archive drives. You are required to enter the current passphrase in the administrator's interface to unlock the keys.
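The copy step above, written as an added shell helper with a few safeguards (example code, not a Unitrends tool). The file name cryptoDaemonMasterKeys and the /var/lib/misc destination come from the text; the /mnt/cdrom mount point and the 0600 permission are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Unitrends product: restore the master key
# file from a mounted key CD with basic safeguards. The file name and the
# /var/lib/misc destination come from the documentation; the /mnt/cdrom
# mount point and the 0600 permission are assumptions.
set -eu

KEY_NAME="cryptoDaemonMasterKeys"

# restore_master_key <source_dir> <dest_dir>
# Returns 0 on success, 1 (with a message on stderr) on any failed check.
restore_master_key() {
    src="$1/$KEY_NAME"
    dest="$2/$KEY_NAME"

    # The key file must be present on the CD and must not be empty.
    if [ ! -s "$src" ]; then
        echo "missing or empty key file: $src" >&2
        return 1
    fi

    # Never overwrite an existing key file silently: keep a timestamped
    # copy so a mistaken restore can be undone.
    if [ -e "$dest" ]; then
        cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)"
    fi

    mkdir -p "$2"
    cp "$src" "$dest"
    chmod 0600 "$dest"   # assumption: readable by the owning account only

    # Confirm the copy is byte-for-byte identical before reporting success.
    if ! cmp -s "$src" "$dest"; then
        echo "verification failed: $dest differs from $src" >&2
        return 1
    fi
    echo "restored $KEY_NAME to $2"
}

# Stand-alone use on the appliance (mount point is an assumption):
#   restore_master_key /mnt/cdrom /var/lib/misc
if [ "$#" -eq 2 ]; then
    restore_master_key "$1" "$2"
fi
```

Run it as root on the appliance so the copy into /var/lib/misc is permitted; the function refuses an empty key file and keeps a backup of any key file already in place.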
1. From a Windows workstation, launch Explorer.
2. Right-click Computer and select Map Network Drive.
3. In the Folder field, enter the system’s IP address and baremetals share, then click Finish. For example, to map IP 192.168.220.99, enter: \\192.168.220.99\baremetals.
The system’s baremetals share is mapped to your workstation. Click the share to view the crypt_image.iso file.
If you have configured your archive schedule or Archive Now job for encryption, data being archived from the system to the tape or disk will be in an encrypted format. The master key file is archived as a part of the state. During an archive restore, once the master key is restored the data can be successfully restored to the system in the encrypted state as long as the passphrase set at the time of archive is used. For more details, see the Archiving Overview chapter.
Encryption is not supported on Small Form Factors (SFF).
If the passphrase is forgotten, there is no way to retrieve it. There will be no way to restore an encrypted backup in such a case.
No encryption or decryption is performed on the client.
No encryption or decryption is performed on a legacy vault system. (Replicated backups are encrypted on the target system using the target’s encryption key.)
The following types of backups are not encrypted:
• Legacy MS Exchange Information Store backups
• CEP brick level backups
• Any data stored on the system via Samba or NFS