Encryption-at-rest with Your Encryption Key in Veritas Alta SaaS Protection

Description

• Certain functionality in Veritas Alta SaaS Protection will have limitations.
  • First, search indexing will not be able to open pre-encrypted content which will result in not having the ability for keyword searching and PII detection into the body contents.
  • Secondly, opening items via the End User Portal will require the encryption key in order to decrypt at the user's endpoint. 
     
• The Veritas Alta SaaS Protection Connector Service is where the encryption key is entered to encrypt data before Veritas Alta SaaS Protection uploads it to the cloud. Alternatively, the data could be encrypted before running Veritas Alta SaaS Protection against the data (just make sure not to lose the key). When using the Veritas Alta SaaS Protection Connector Service to encrypt before ingestion, the connector service stores the key locally and encrypts it using Windows BitLocker functionality on that machine.
   
• The Export Service, Export Utility, and Retrieval Service, all require the pre-ingest encryption key to be entered. This is so that these components which operate behind your firewall can transparently decrypt content retrieved from the Veritas Alta SaaS Protection tenant. As with the connector service, these components also use Windows BitLocker functionality to store the key encrypted on the local machine.

• This is not a retroactive option.  What this means is that encryption cannot be applied to data already in Veritas Alta SaaS Protection.  However, it is possible to enable the option on an existing connector but only new data being uploaded will be encrypted.  If this scenario applies, please open a support ticket. 

Provision a Stor with Pre-Ingest Encryption Option Enabled

In your Veritas Alta SaaS Protection tenant, you first need a Stor to be provisioned with the 'Support Pre-Ingest Encryption' option enabled. Only Veritas Alta SaaS Protection personnel can provision Stors; please open a support ticket for assistance. 

 

The reason a Stor needs this option is that it has an awareness of the items that are protected with pre-ingest encryption, giving you the ability to later identify and isolate such items (e.g. in a data management policy or validation report).

Add Your Key to the Connector Service

On the 'Configuration' tab in the Veritas Alta SaaS Protection console, there is a field to enter your 'Pre-ingest Encryption Key'. Click 'Save.'

 

Note: In order to configure the encryption key, you must be logged onto the server as the service account that is running the connector service.  Alternatively, while logged on as a different account, right-click on the connector service UI and choose the "logon as a different user".  

 

 

Create a Connector with 'Pre-ingest Encrypt' Enabled  

Next, in the Veritas Alta SaaS Protection console, click the 'Connectors' tab. Create a connector and configure its Stor to be the one that has the 'Support Pre-ingest Encryption' option enabled.

Then, enable the 'Pre-ingest Encrypt' option on the connector.

The connector is now configured to encrypt data that is uploaded via this connector and only the customer will have the key to open it. DO NOT LOSE THIS KEY.  Veritas does not have access to the key. 

For more information on how to configure a connector in the Veritas Alta SaaS Protection, see How to create connectors.