Using encryption keys with Cloud deduplication Storage devices

Problem

Using encryption keys with Cloud deduplication Storage devices

Solution

Backup Exec allows creation of encrypted Cloud Deduplication Storage devices.

1. Cloud Deduplication Storage Devices can only be configured with the 256-bit AES (PBKDF2) key which should be a non-restricted key. No other type of keys are allowed to be used with Cloud Deduplication Storage Devices.

2. While configuring a cloud deduplication storage device, you should select the Enable Deduplication to Cloud and Enable Encryption option to allow using a Encryption key with the device. In the Encryption Key drop down select an existing key, or use Add Keys to add a new encryption key.

3. All such Cloud Deduplication Storage Devices created on a media server would use the same encryption key. If the encryption key is changed for one cloud deduplication storage device, the change will be applied to all other existing cloud deduplication device present on that media server.

4. An encryption key should be provided during creation of first cloud deduplication storage with encryption enabled. For subsequent cloud deduplication storage devices creation, same encryption key is used.

5. In order to change the encryption key used by a cloud Deduplication storage, double click on the storage to go to properties page. Change "Encryption Key" to a different key from the drop down list or add a new key to the list, from the properties page. Restart Backup Exec services after applying the change.

6. Note that editing the key for a cloud deduplication storage will change the key for all other cloud deduplication storage.

The encryption key once used with a cloud deduplication storage can never be deleted. Backup Exec does not allow deletion of such key from the Backup Exec UI. All the encryption keys ever used with the storage are required for disaster recovery. Any loss of key passphrase or salt can lead to loss of data.