Administrator Guide
13
Configuring and Using Encryption at Rest
This chapter introduces the concept of Encryption at Rest as used by the DR Series system as well as related concepts
and tasks.
Refer to the subsequent topics for more information.
Understanding Encryption at Rest
Data that resides in the DR Series system can be encrypted. When encryption is enabled, the DR Series system uses the
Industry standard FIPS 140-2 compliant 256-bit Advanced Encryption Standard (AES) encryption algorithm for encrypting
and decrypting user data. The content encryption key is managed by the key manager, which operates in either a Static
mode or an Internal mode. In Static mode, a global, fixed key is used to encrypt all data. In internal mode, key lifecycle
management is performed in which the keys are periodically rotated. The minimum key rotation period before the
content encryption key can be rotated and a new key is generated is 7 days. This rotation period is user-configurable
and can be specified in days. A user-defined passphrase is used to generate a pass phrase key, which is used to
encrypt the content encryption keys. It is mandatory to define a passphrase to enable encryption. The system supports
up to a limit of 1023 different content encryption keys. All streams of a data-store are encrypted or re-encrypted with the
same content encryption key. DR Series system statistics report the amount of data encrypted and decrypted bytes
consistently.
Encryption at Rest Terminology
This topic introduces and briefly defines some basic encryption at rest terminology used in the DR Series system
documentation.
Term Description
Passphrase A passphrase is a sequence of words or other text used to control
access to data, similar to a password in usage, but is generally longer
for added security. In the DR Series system, the passphrase is user-
defined and is used to generate a passphrase key that encrypts the file
in which the content encryption keys are kept. The passphrase is a
human readable key, which can be up to 256 bytes in length. It is
mandatory to define a passphrase to enable encryption.
Content encryption key The key used to encrypt the data. The content encryption key is
managed by the key manager, which operates in either a static mode or
an internal mode. The system supports up to a limit of 1023 different
content encryption keys.
Key management mode The mode of key lifecycle management as either static or internal.
Static mode A global mode of key management in which a fixed key is used to
encrypt all data.
Internal mode A mode of key lifecycle management in which the keys are periodically
generated and rotated. The minimum key rotation period before the
content encryption key can be rotated and a new key is generated is 7
145