Data at rest encryption, Data in flight encryption, Secure erase – HP StoreOnce Backup User Manual
Page 18
Data at Rest Encryption
When enabled, the Data at Rest Encryption security feature protects data at rest on a stolen,
discarded, or replaced disk from forensic attack.
Creation of a new VTL library, Catalyst store, or NAS share provides the option to enable encryption
if the security features license was already applied. Once enabled, encryption will automatically
be performed on the data before it is written to disk. Encryption cannot be disabled once it is
configured for a library, Catalyst store, or NAS share.
When creating an encrypted library, Catalyst store, or NAS share, the key store is updated with
the encryption key. This key store may be backed up and saved securely offsite in case the original
key store is corrupted. However, keep only the latest version of the key store as a backup. The key
store on the StoreOnce Backup system is updated each time you create a library, Catalyst store,
or NAS share. The StoreOnce CLI command that backs up the key store also encrypts it, ensuring
it can only be decrypted by the HP StoreOnce backup system.
NOTE:
Each configured library, Catalyst store, or NAS share uses a different key. The StoreOnce
software automatically tracks which key is relevant to which device in the Key Store File. Keys are
automatically re-applied to the correct device if the key store file is restored.
IMPORTANT:
Be very diligent about backing up your keystore if you are creating encrypted
stores or libraries. See the HP StoreOnce Backup system CLI Reference Guide for more information
about the StoreOnce CLI commands for backing up and restoring key stores.
Data in Flight Encryption
When enabled, the Data in Flight Encryption security feature protects data that is in transit from
forensic attack using the IPsec protocol. The data can be moving between two StoreOnce Backup
appliances or a StoreOnce Backup appliance and a backup server.
Data in Flight Encryption is configured using the net [add/modify/delete] encryption
commands in the CLI; see the HP StoreOnce Backup system CLI Reference Guide for more
information.
Secure Erase
Secure Erase can be enabled for all store types. This feature enables allows secure erasure of data
that was backed up as part of a regular backup job. The Secure Erase feature can only be enabled
after store or library creation (edit the store or library to enable Secure Erase). All data written to
disk once Secure Erase is enabled will be securely erased upon data deletion. For example, you
may have unintentionally backed up confidential data and need to be sure that it has been securely
erased. Work with the backup application to trigger the Secure Erase, for example by forcing the
format of a cartridge. The backup application sends the request to delete the data and the deletion
is carried out as part of the Housekeeping function.
WARNING!
To immediately remove data, ensure the backup application is configured correctly.
Rotation and retention policies may need to be revisited to ensure that the data is expired.
NOTE:
The Secure Erase process may take some time depending on the Housekeeping workload.
Only chunks not referenced by any other items can be securely erased. If a chunk is referenced
by another item which is not marked for Secure Erase, then the referenced chunk will not be erased,
securely or otherwise. Use the backup application when performing a Secure Erase on stores,
shares, or libraries that have Secure Erase enabled.
See
for information on how to apply the Security license for these features.
18
Getting started