Home > Dell > System > Dell Appassure 5 User Guide

Dell Appassure 5 User Guide

    Download as PDF Print this page Share this page

    Have a look at the manual Dell Appassure 5 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 327 Dell manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

    Page
    of 518
    							Dell AppAssure User Guide
    Version 5.4.3 Revision B89
    Applying or removing encryption from a 
    protected machine
    You can secure the data protected on your Core at any time by defining an encryption key and applying it to one 
    or more protected machines in your repository. You can apply a single encryption key to any number of 
    protected machines, but any protected machine can only use one encryption key at a time.
    The scope of deduplication in AppAssure is limited to protected machines using the same repository and 
    encryption key. Therefore, to maximize the value of deduplication, Dell recommends applying a single 
    encryption key to as many protected machines as is practical. However, there is no limit to the number of 
    encryption keys you can create on the Core. Thus, if legal compliance, security rules, privacy policies, or other 
    circumstances require it, you can add and manage any number of encryption keys. You could then apply each 
    key to only one protected machine, or any set of machines in your repository.
    Any time you apply an encryption key to a protected machine, or modify the properties of an encryption key 
    that is in use for one or more protected machines (including removing encryption), AppAssure takes a new base 
    image for that machine upon the next scheduled or forced snapshot. The data stored in that base image (and all 
    subsequent incremental snapshots taken while an encryption key is applied) is protected by a 256-bit advanced 
    encryption standard. There are no known methods for compromising this method of encryption.
    Once an encryption key is created and applied to a protected machine, there are two concepts involved in 
    removing that encryption. The first is to disassociate the key from the protected machine. Optionally, once the 
    encryption key is disassociated from all protected machines, it can be deleted from the AppAssure Core.
    This section includes the following topics:
    •Associating an encryption key with a protected machine
    •Applying an encryption key from the Machines tab
    •Disassociating an encryption key from a protected machine
    Associating an encryption key with a protected 
    machine
    You can apply an encryption key to a protected machine using either of two methods:
    • As part of protecting a machine. When using this method, you can apply encryption to one or multiple 
    machines simultaneously. This method lets you add a new encryption key, or apply an existing key to the 
    selected machine or machines. 
    To use encryption when first defining protection for a machine, you must select the advanced options in 
    the relevant Protect Machines Wizard. This selection adds an Encryption page to the wizard workflow. 
    From this page, select Enable encryption, and then select an existing encryption key or specify 
    parameters for a new key. For more information, see Protecting a machine or Protecting multiple 
    machines, respectively. Table 43. Components of an encryption key
    Component Description
    Name This value is equivalent to the key name given when adding a key in the AppAssure Core Console.
    Key This parameter consists of 107 randomly generated English alphabetic, numeric, and 
    mathematical operator characters.
    ID The key ID consists of 26 randomly generated upper-case and lower-case English characters.
    Comment The comment contains the text of the key description entered when the key was created. 
    						
    							Dell AppAssure User Guide
    Version 5.4.3 Revision B90 • By modifying the configuration settings for a machine. This method applies an encryption key to one 
    protected machine at a time. There are two approaches for modifying configuration settings for a 
    machine in the AppAssure UI:
    •Modify the Core settings in the Configuration tab for a specific protected machine. The 
    encryption key you want to use for this approach must already exist on the AppAssure Core. For 
    more information, see Viewing and modifying configuration settings.
    •Click the encryption icon on the Machines tab. Using this approach you can create and apply a 
    new encryption key, or assign an existing key to the specified protected machine. For more 
    information, see Applying an encryption key from the Machines tab.
    Applying an encryption key from the Machines tab
    Once an encryption key has been added to an AppAssure Core, it can be used for any number of protected 
    machines. 
    If you select an encryption key during the initial protection of one or more machines, that key is automatically 
    applied to any machines you protect using that wizard. In such cases, this procedure is not required.
    Perform this procedure if you added an encryption key using the process described in the topic Adding an 
    encryption key.
    To apply an encryption key
    1 Navigate to the AppAssure Core and click Protected Machines.
    The Machines tab appears, listing all the machines protected by this Core. An open lock appears for any 
    machine that does not have an encryption key applied. A closed lock indicates that a protected machine 
    has encryption applied.
    2 In the Protected Machines pane, click the lock icon for the protected machine you want to configure.
    The Encryption Configuration dialog box appears.
    3 Do one of the following:
    •If you want to apply an existing encryption key to this machine, from the Select Encryption Key 
    drop-down menu, select the appropriate key.
    •If you want to create a new encryption key and apply it to this protected machine, click Add New 
    Encryption Key. Then enter the details for the key as described in the following table.
    CAUTION: After you apply an encryption key to a protected machine, AppAssure takes a new base 
    image for that machine upon the next scheduled or forced snapshot.
    Table 44. New encryption key details
    Te x t  B o x D e s c r i p t i o n
    Name Enter a name for the encryption key.
    Encryption key names must contain between 1 and 130 alphanumeric 
    characters. Do not use prohibited characters or prohibited phrases.
    Description Enter a comment for the encryption key. This information appears in the 
    Description field when viewing encryption keys from the Configuration 
    tab of the AppAssure Core Console. Descriptions may contain up to 454 
    characters.
    Best practice is to avoid using prohibited characters and prohibited 
    phrases. 
    						
    							Dell AppAssure User Guide
    Version 5.4.3 Revision B91 4Click OK.
    The dialog box closes. The encryption key you specified has been applied to future backups for this 
    protected machine, and the lock now appears as closed.
    Optionally, if you want the encryption key applied immediately, force a snapshot. For more information, 
    see Forcing a snapshot.
    Disassociating an encryption key from a protected 
    machine
    Once an encryption key is applied to a protected machine, all subsequent snapshot data stored in the AppAssure 
    Core is encrypted. 
    You can disassociate an encryption key from a protected machine. This action does not decrypt the existing 
    backup data, but does result in a new base image for that machine at the time of the next scheduled or forced 
    snapshot. 
    Perform this procedure to disassociate an encryption key from a specific protected machine.
    To disassociate an encryption key from a protected machine
    1 Navigate to the AppAssure Core and click Protected Machines.
    The Machines tab appears, listing all the machines protected by this Core. An open lock appears for any 
    machine that does not have an encryption key applied. A closed lock indicates that a protected machine 
    has encryption applied.
    2 In the Protected Machines pane, click the closed lock icon for the protected machine you want to 
    configure.
    The Encryption Configuration dialog box appears.
    3 From the Select Encryption Key drop-down menu, select (None) and then click OK.
    4 If you want to remove this encryption key from AppAssure Core, first repeat this procedure for all 
    protected machines using this key. Then perform the procedure described in the topic Removing an 
    encryption key. Passphrase Enter a passphrase used to control access. 
    Best practice is to avoid using prohibited characters.
    Record the passphrase in a secure location. Dell Support cannot recover a 
    passphrase. Once you create an encryption key and apply it to one or 
    more protected machines, you cannot recover data if you lose the 
    passphrase.
    Confirm Passphrase Re-enter the passphrase. It is used to confirm the passphrase entry.
    CAUTION: AppAssure uses AES 256-bit encryption in the Cipher Block Chaining (CBC) mode with 256-
    bit keys. While using encryption is optional, Dell recommends that you establish an encryption key, 
    and that you protect the passphrase you define. Store the passphrase in a secure location as it is 
    critical for data recovery. Without a passphrase, data recovery is not possible.
    NOTE: If you want to remove an encryption key from the Core, as described in the topic Removing an 
    encryption key, you must first disassociate that encryption key from all protected machines. Table 44. New encryption key details
    Te x t  B o x D e s c r i p t i o n 
    						
    							Dell AppAssure User Guide
    Version 5.4.3 Revision B92
    Managing encryption keys
    To manage encryption keys for the AppAssure Core, from the Configuration tab, click Security. The Encryption 
    Keys pane appears. For each encryption key added to your AppAssure Core (if any have been defined yet), you 
    see the information described in the following table.
    At the top level of the Encryption Keys pane, you can add an encryption key or import a key using a file 
    exported from another AppAssure Core.
    Once an encryption key exists for a Core, you can manage the existing keys by editing the name or description 
    properties; changing the passphrase; unlocking a locked encryption key; or removing the key from the 
    AppAssure Core. You can also export a key to a file, which can be imported into another AppAssure Core.
    When you add an encryption key from the Configuration tab, it appears in the list of encryption keys, but is not 
    applied to a specific protected machine. For information on how to apply an encryption key you create from the 
    Encryption Keys pane, or to delete a key entirely from the AppAssure Core, see Applying or removing encryption 
    from a protected machine. Table 45. Information about each encryption key
    UI Element Description
    Name The name associated with the encryption key.
    Thumbprint This parameter is a 26-character alphabetic string of randomly generated English 
    upper and lower case letters that helps uniquely identify each encryption key.
    Status Status describes the origin point of an encryption key and its ability to be 
    applied. An encryption key can contain one of two possible status conditions:
    Universal. Universal status is the default condition when you create an 
    encryption key. A key with a status of Universal, combined with a state of 
    Locked, indicates that the key can be applied to a protected machine. You 
    cannot manually lock a key with a status of Universal; instead, you must first 
    change its status as described in the procedure Changing encryption key status.
    Replication. When a protected machine in a source Core has encryption 
    enabled, and recovery points for that machine are replicated in a target Core, 
    any encryption keys used in the source appear automatically in the target Core 
    with a status of Replication. The default state after receiving a replicated key is 
    locked. You can unlock an encryption key with a status of Replication by 
    providing the passphrase. If a key has a status of Unlocked, you can manually 
    lock it. For more information, see the topic Locking or unlocking an encryption 
    key.
    State The state indicates whether an encryption key can be used. Two possible states 
    include:
    Unlocked. An Unlocked state indicates that the key can be used immediately. 
    For example, you can encrypt snapshots for a protected machine, or perform 
    data recovery from a replicated recovery point on the target Core.
    Locked. A Locked state indicates that the key cannot be used until it is unlocked 
    by providing the passphrase. Locked is the default state for a newly imported or 
    replicated encryption key.
    If the state of an encryption key is Locked, it must be unlocked before it can be 
    used.
    If you previously unlocked a locked encryption key, and the duration to remain 
    unlocked has expired, the state changes from Unlocked to Locked. After the key 
    locks automatically, you must unlock the key again in order to use it. For more 
    information, see the topic Locking or unlocking an encryption key.
    Description The description is an optional field that is recommended to provide useful 
    information about the encryption key such as its intended use or a passphrase 
    hint. 
    						
    							Dell AppAssure User Guide
    Version 5.4.3 Revision B93 From the Encryption Keys pane, you can manage security for the backup data saved to the Core for any 
    protected machine in your repository by doing the following:
    •Adding an encryption key
    •Importing an encryption key
    •Locking or unlocking an encryption key
    •Editing an encryption key
    •Changing an encryption key passphrase
    •Exporting an encryption key
    •Removing an encryption key
    •Changing encryption key status
    Adding an encryption key
    After an encryption key is defined, you can use it to safeguard your data. Encryption keys can be used by any 
    number of protected machines.
    This step describes how to add an encryption key from the AppAssure Core Console. This process does not apply 
    the key to any machines currently being protected on the Core. You can also add an encryption key during the 
    process of protecting a machine. For more information on adding encryption as part of protecting one machine, 
    see Protecting a machine. For more information on adding encryption to two or more machines while initially 
    protecting them, see Protecting multiple machines.
    Complete the steps in this procedure to add an encryption key.
    To add an encryption key
    1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security.
    The Encryption Keys page appears.
    2 From the Actions drop-down menu, select Add Encryption Key.
    The Create Encryption Key dialog box appears.
    3 In the Create Encryption Key dialog box, enter the details for the key as described in the following table.
    4Click OK.
    The dialog box closes and the encryption key you created is visible on the Encryption Keys page. Table 46. Create encryption key details.
    Te x t  B o x D e s c r i p t i o n
    Name Enter a name for the encryption key.
    Encryption key names must contain between 1 and 130 alphanumeric 
    characters. Do not use prohibited characters or prohibited phrases.
    Description Enter a comment for the encryption key.
    This information appears in the Description field when viewing encryption 
    keys from the Core Console. You can enter up to 254 characters.
    Best practice is to avoid using prohibited characters and prohibited phrases.
    Passphrase Enter a passphrase used to control access.
    Best practice is to avoid using prohibited characters.
    Record the passphrase in a secure location. Dell Support cannot recover a 
    passphrase. Once you create an encryption key and apply it to one or more 
    protected machines, you cannot recover data if you lose the passphrase.
    Confirm Passphrase Re-enter the passphrase. It is used to confirm the passphrase entry. 
    						
    							Dell AppAssure User Guide
    Version 5.4.3 Revision B94 5 If you want to apply the encryption key to a protected machine, see Applying an encryption key from the 
    Machines tab.
    Importing an encryption key
    You can import an encryption key from another AppAssure Core and use that key to encrypt data for a protected 
    machine in your Core. To import the key, you must be able to access it from the Core machine, either locally or 
    through your network.
    Complete the steps in this procedure to import an encryption key. 
    To import an encryption key
    1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security.
    The Encryption Keys page appears.
    2 From the Actions drop-down menu, select Import.
    The Import Key dialog box appears.
    3 In the Import Key dialog box, click Browse to locate the encryption key you want to import.
    The key filename starts with EncryptionKey-, followed by the key ID, and ending in the file extension 
    .key. For example, a sample encryption key name is EncryptionKey-RandomAlphabeticCharacters.key.
    4 Select the key you want to import, and then click Open.
    5 In the Import Key dialog box, click OK.
    The dialog box closes and the encryption key you imported is visible on the Encryption Keys page. If the 
    encryption key was used to protect a volume before it was exported, the state of the key is Locked.
    Locking or unlocking an encryption key
    Encryption keys may contain a state of unlocked or locked. An unlocked encryption key can be applied to a 
    protected machine to secure the backup data saved for that machine in the repository. From an AppAssure Core 
    using an unlocked encryption key, you can also recover data from a recovery point.
    When you import an encryption key into an AppAssure Core, its default state is Locked. This is true regardless of 
    whether you explicitly imported the key, or whether the encryption key was added to the AppAssure Core either 
    by replicating encrypted protected machines or by importing an archive of encrypted recovery points.
    For encryption keys added to the AppAssure Core by replication only, when you unlock a key you can specify a 
    duration of time (in hours, days, or months) for the encryption key to remain unlocked. Each day is based on a 
    24-hour period, starting from the time the unlock request is saved to the AppAssure Core. For example, if the 
    key is unlocked at 11:24 AM on Tuesday and the duration selected is 2 days, the key automatically re-locks at 
    11:24 AM that Thursday.
    You can also lock an unlocked encryption key, ensuring that it cannot be applied to any protected machine until 
    it is unlocked. To lock an encryption key with a state of Universal, you must first change its status to Replicated.
    CAUTION: AppAssure uses AES 256-bit encryption in the Cipher Block Chaining (CBC) mode with 256-
    bit keys. While using encryption is optional, Dell recommends that you establish an encryption key, 
    and that you protect the passphrase you define. Store the passphrase in a secure location as it is 
    critical for data recovery. Without a passphrase, data recovery is not possible.
    NOTE: This procedure does not apply the key to any protected machines. For more information on 
    applying the key, see Applying an encryption key from the Machines tab.
    CAUTION: You cannot use a locked encryption key to recover data or to apply to a protected machine. 
    You must first provide the passphrase, thus unlocking the key.  
    						
    							Dell AppAssure User Guide
    Version 5.4.3 Revision B95 If an unlocked encryption key is currently being used to protect a machine in the Core, you must first 
    disassociate that encryption key from the protected machine before you can lock it.
    Complete the steps in this procedure to unlock a locked encryption key.
    To unlock an encryption key
    1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security.
    The Encryption Keys page appears. The State column indicates which encryption keys are locked.
    2 From the Configuration drop-down menu for the encryption key that you want to unlock, select Unlock.
    The Unlock Key dialog box appears.
    3 In the Unlock Key dialog box, in the Passphrase field, enter the passphrase to unlock this key.
    4 To specify the length of time that the key remains unlocked, in the Duration option, do one of the 
    following:
    •To specify that the key remains unlocked until you explicitly lock it, AppAssure select Until 
    explicitly forgotten.
    This option is available for unlocking any encryption key.
    •To specify that the key remains locked for a duration which you configure:
    •Select the number field and, by typing or using the up and down arrow controls, specify an 
    integer.
    •In the duration field, select hours, days, or months, respectively.
    •Then click OK.
    This option is available for encryption keys added by replication.
    The dialog box closes and the changes for the selected encryption key are visible on the Encryption Keys 
    page.
    Complete the steps in this procedure to lock an encryption key.
    To lock an unlocked encryption key
    1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security.
    The Encryption Keys page appears. The State column indicates which encryption keys are unlocked, and 
    shows the status for each key.
    2 If the status of the encryption key that you want to unlock is Universal, then from the Configuration 
    drop-down menu, select Change the encryption status to Replicated.
    The Change Encryption Key Status dialog box appears.
    3 In the Change Encryption Key Status dialog box, confirm that you want to change the status of the key to 
    Replicated.
    4 If you successfully changed the encryption key status to Replicated, then from the Configuration drop-
    down menu for the encryption key that you want to lock, select Lock.
    The Lock Key dialog box appears.
    5 In the Lock Key dialog box, confirm that you want to lock the key.
    The dialog box closes, and the state of the selected encryption key is now locked.
    NOTE: This option is available for encryption keys added by replication. 
    						
    							Dell AppAssure User Guide
    Version 5.4.3 Revision B96
    Editing an encryption key
    After an encryption key is defined, you can edit the name of the encryption key or the description of the key. 
    These properties are visible when you view the list of encryption keys in the Encryption Keys pane.
    Complete the steps in this procedure to edit the name or description of an existing encryption key.
    To edit an encryption key
    1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security.
    The Encryption Keys page appears.
    2 From the Configuration drop-down menu for the encryption key that you want to modify, select Edit.
    The Edit Encryption Key dialog box appears.
    3 In the Edit Encryption Key dialog box, edit the name or the description for the encryption key, and then 
    click OK.
    The dialog box closes and the changes for the selected encryption key are visible on the Encryption Keys 
    page.
    Changing an encryption key passphrase
    To maintain maximum security, you can change the passphrase for any existing encryption key. Complete the 
    steps in this procedure to change the passphrase for an encryption key.
    To change an encryption key passphrase
    1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security.
    The Encryption Keys page appears.
    2 From the Configuration drop-down menu for the encryption key that you want to modify, select Change 
    Passphrase.
    The Change Passphrase dialog box appears.
    3 In the Change Passphrase dialog box, enter the new passphrase for the encryption and then re-enter the 
    passphrase to confirm what you entered.
    4Click OK.
    The dialog box closes and the passphrase is updated.
    CAUTION: After you edit the name or description an encryption key that is used to protect one or 
    more machines, AppAssure takes a new base image.That base image snapshot occurs for that machine 
    upon the next scheduled or forced snapshot.
    CAUTION: After you edit the passphrase for an encryption key that is used to protect one or more 
    machines, a new base image is taken for that machine upon the next scheduled or forced snapshot.
    CAUTION: AppAssure uses AES 256-bit encryption in the Cipher Block Chaining (CBC) mode with 256-
    bit keys. It is recommended that you protect the passphrase you define. Store the passphrase in a 
    secure location as it is critical for data recovery. Without a passphrase, data recovery is not possible. 
    						
    							Dell AppAssure User Guide
    Version 5.4.3 Revision B97
    Exporting an encryption key
    You can export an encryption key from any AppAssure Core with the express purpose of using it in another Core. 
    When you perform this procedure, the key is saved to the Downloads folder for the active Windows user 
    account.
    Complete the steps in this procedure to export an encryption key.
    To export an encryption key
    1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security.
    2 From the Configuration drop-down menu for the encryption key that you want to export, select Export.
    The Export Key dialog box appears.
    3 In the Export Key dialog box, click Save File to save and store the encryption keys in a secure location, 
    and then click OK.
    Removing an encryption key
    When you remove an encryption key on the Configuration tab, the key is deleted from the AppAssure Core.
    You cannot remove an encryption key that is already associated with any protected machine. You must first view 
    the encryption settings for each protected machine using the key, and disassociate the encryption key you want 
    to remove. For more information, see the topic Disassociating an encryption key from a protected machine.
    Complete the steps in this procedure to remove an encryption key.
    To remove an encryption key
    1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security.
    2 From the Configuration drop-down menu for the encryption key that you want to remove, select 
    Remove.
    You see a message confirming the action to remove the encryption key.
    3 In the Remove Key dialog box, confirm that you want to remove the encryption key.
    The dialog box closes and the encryption key you removed no longer appears on the Encryption Keys 
    page.
    Changing encryption key status
    Encryption keys list one of two possible status conditions on the Encryption Keys pane: Universal or Replication. 
    The status indicates the likely origin of the encryption key, and determines whether you can change its details 
    or passphrase. You can modify these attributes only if the status is Universal. If you need to modify these 
    attributes for a key with Replicated status, you must change its status to Universal using this procedure. When 
    you change the status of an encryption key to Universal, it is unlocked manually and can be used to encrypt 
    other protected machines.
    Encryption keys also have two possible states: Locked or Unlocked. The state controls your ability to apply an 
    encryption key to a protected machine, or to restore data from a recovery point with encryption. You can 
    change the status of an encryption key manually only if the state is Unlocked.
    When you first create an encryption key, its status is Universal, and its state is Unlocked. You can use such a key 
    immediately (for example, to encrypt backups for a protected machine). However, a key with Universal status 
    NOTE: Removing an encryption key does not make the data un-encrypted.
    CAUTION: You must know the passphrase to change the status from Replicated to Universal. 
    						
    							Dell AppAssure User Guide
    Version 5.4.3 Revision B98 cannot be locked manually. If you want to manually lock an encryption key with a status of Universal, you must 
    change the status to Replicated using this procedure.
    Follow this procedure to change the status of an encryption key.
    To change encryption key status
    1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security.
    Any encryption keys accessible to the Core appear in the Encryption Keys pane. Each lists a status of 
    universal or replicated.
    2 To change the status from Universal, from the Configuration drop-down menu for the encryption key that 
    you want to change, select Change the status to replicated.
    You see a message confirming the action to change the encryption key status.
    3 To change the status from Replicated, from the Configuration drop-down menu for the encryption key 
    that you want to change, select Change the status to universal.
    You see a message confirming the action to change the encryption key status.
    4 Provide the encryption key passphrase and then click OK.
    The dialog box closes and the encryption key status is updated on the Encryption Keys page. 
    						
    All Dell manuals Comments (0)