Dell Appassure 5 User Guide
Have a look at the manual Dell Appassure 5 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 327 Dell manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
Dell AppAssure User Guide Version 5.4.3 Revision B89 Applying or removing encryption from a protected machine You can secure the data protected on your Core at any time by defining an encryption key and applying it to one or more protected machines in your repository. You can apply a single encryption key to any number of protected machines, but any protected machine can only use one encryption key at a time. The scope of deduplication in AppAssure is limited to protected machines using the same repository and encryption key. Therefore, to maximize the value of deduplication, Dell recommends applying a single encryption key to as many protected machines as is practical. However, there is no limit to the number of encryption keys you can create on the Core. Thus, if legal compliance, security rules, privacy policies, or other circumstances require it, you can add and manage any number of encryption keys. You could then apply each key to only one protected machine, or any set of machines in your repository. Any time you apply an encryption key to a protected machine, or modify the properties of an encryption key that is in use for one or more protected machines (including removing encryption), AppAssure takes a new base image for that machine upon the next scheduled or forced snapshot. The data stored in that base image (and all subsequent incremental snapshots taken while an encryption key is applied) is protected by a 256-bit advanced encryption standard. There are no known methods for compromising this method of encryption. Once an encryption key is created and applied to a protected machine, there are two concepts involved in removing that encryption. The first is to disassociate the key from the protected machine. Optionally, once the encryption key is disassociated from all protected machines, it can be deleted from the AppAssure Core. This section includes the following topics: •Associating an encryption key with a protected machine •Applying an encryption key from the Machines tab •Disassociating an encryption key from a protected machine Associating an encryption key with a protected machine You can apply an encryption key to a protected machine using either of two methods: • As part of protecting a machine. When using this method, you can apply encryption to one or multiple machines simultaneously. This method lets you add a new encryption key, or apply an existing key to the selected machine or machines. To use encryption when first defining protection for a machine, you must select the advanced options in the relevant Protect Machines Wizard. This selection adds an Encryption page to the wizard workflow. From this page, select Enable encryption, and then select an existing encryption key or specify parameters for a new key. For more information, see Protecting a machine or Protecting multiple machines, respectively. Table 43. Components of an encryption key Component Description Name This value is equivalent to the key name given when adding a key in the AppAssure Core Console. Key This parameter consists of 107 randomly generated English alphabetic, numeric, and mathematical operator characters. ID The key ID consists of 26 randomly generated upper-case and lower-case English characters. Comment The comment contains the text of the key description entered when the key was created.
Dell AppAssure User Guide Version 5.4.3 Revision B90 • By modifying the configuration settings for a machine. This method applies an encryption key to one protected machine at a time. There are two approaches for modifying configuration settings for a machine in the AppAssure UI: •Modify the Core settings in the Configuration tab for a specific protected machine. The encryption key you want to use for this approach must already exist on the AppAssure Core. For more information, see Viewing and modifying configuration settings. •Click the encryption icon on the Machines tab. Using this approach you can create and apply a new encryption key, or assign an existing key to the specified protected machine. For more information, see Applying an encryption key from the Machines tab. Applying an encryption key from the Machines tab Once an encryption key has been added to an AppAssure Core, it can be used for any number of protected machines. If you select an encryption key during the initial protection of one or more machines, that key is automatically applied to any machines you protect using that wizard. In such cases, this procedure is not required. Perform this procedure if you added an encryption key using the process described in the topic Adding an encryption key. To apply an encryption key 1 Navigate to the AppAssure Core and click Protected Machines. The Machines tab appears, listing all the machines protected by this Core. An open lock appears for any machine that does not have an encryption key applied. A closed lock indicates that a protected machine has encryption applied. 2 In the Protected Machines pane, click the lock icon for the protected machine you want to configure. The Encryption Configuration dialog box appears. 3 Do one of the following: •If you want to apply an existing encryption key to this machine, from the Select Encryption Key drop-down menu, select the appropriate key. •If you want to create a new encryption key and apply it to this protected machine, click Add New Encryption Key. Then enter the details for the key as described in the following table. CAUTION: After you apply an encryption key to a protected machine, AppAssure takes a new base image for that machine upon the next scheduled or forced snapshot. Table 44. New encryption key details Te x t B o x D e s c r i p t i o n Name Enter a name for the encryption key. Encryption key names must contain between 1 and 130 alphanumeric characters. Do not use prohibited characters or prohibited phrases. Description Enter a comment for the encryption key. This information appears in the Description field when viewing encryption keys from the Configuration tab of the AppAssure Core Console. Descriptions may contain up to 454 characters. Best practice is to avoid using prohibited characters and prohibited phrases.
Dell AppAssure User Guide Version 5.4.3 Revision B91 4Click OK. The dialog box closes. The encryption key you specified has been applied to future backups for this protected machine, and the lock now appears as closed. Optionally, if you want the encryption key applied immediately, force a snapshot. For more information, see Forcing a snapshot. Disassociating an encryption key from a protected machine Once an encryption key is applied to a protected machine, all subsequent snapshot data stored in the AppAssure Core is encrypted. You can disassociate an encryption key from a protected machine. This action does not decrypt the existing backup data, but does result in a new base image for that machine at the time of the next scheduled or forced snapshot. Perform this procedure to disassociate an encryption key from a specific protected machine. To disassociate an encryption key from a protected machine 1 Navigate to the AppAssure Core and click Protected Machines. The Machines tab appears, listing all the machines protected by this Core. An open lock appears for any machine that does not have an encryption key applied. A closed lock indicates that a protected machine has encryption applied. 2 In the Protected Machines pane, click the closed lock icon for the protected machine you want to configure. The Encryption Configuration dialog box appears. 3 From the Select Encryption Key drop-down menu, select (None) and then click OK. 4 If you want to remove this encryption key from AppAssure Core, first repeat this procedure for all protected machines using this key. Then perform the procedure described in the topic Removing an encryption key. Passphrase Enter a passphrase used to control access. Best practice is to avoid using prohibited characters. Record the passphrase in a secure location. Dell Support cannot recover a passphrase. Once you create an encryption key and apply it to one or more protected machines, you cannot recover data if you lose the passphrase. Confirm Passphrase Re-enter the passphrase. It is used to confirm the passphrase entry. CAUTION: AppAssure uses AES 256-bit encryption in the Cipher Block Chaining (CBC) mode with 256- bit keys. While using encryption is optional, Dell recommends that you establish an encryption key, and that you protect the passphrase you define. Store the passphrase in a secure location as it is critical for data recovery. Without a passphrase, data recovery is not possible. NOTE: If you want to remove an encryption key from the Core, as described in the topic Removing an encryption key, you must first disassociate that encryption key from all protected machines. Table 44. New encryption key details Te x t B o x D e s c r i p t i o n
Dell AppAssure User Guide Version 5.4.3 Revision B92 Managing encryption keys To manage encryption keys for the AppAssure Core, from the Configuration tab, click Security. The Encryption Keys pane appears. For each encryption key added to your AppAssure Core (if any have been defined yet), you see the information described in the following table. At the top level of the Encryption Keys pane, you can add an encryption key or import a key using a file exported from another AppAssure Core. Once an encryption key exists for a Core, you can manage the existing keys by editing the name or description properties; changing the passphrase; unlocking a locked encryption key; or removing the key from the AppAssure Core. You can also export a key to a file, which can be imported into another AppAssure Core. When you add an encryption key from the Configuration tab, it appears in the list of encryption keys, but is not applied to a specific protected machine. For information on how to apply an encryption key you create from the Encryption Keys pane, or to delete a key entirely from the AppAssure Core, see Applying or removing encryption from a protected machine. Table 45. Information about each encryption key UI Element Description Name The name associated with the encryption key. Thumbprint This parameter is a 26-character alphabetic string of randomly generated English upper and lower case letters that helps uniquely identify each encryption key. Status Status describes the origin point of an encryption key and its ability to be applied. An encryption key can contain one of two possible status conditions: Universal. Universal status is the default condition when you create an encryption key. A key with a status of Universal, combined with a state of Locked, indicates that the key can be applied to a protected machine. You cannot manually lock a key with a status of Universal; instead, you must first change its status as described in the procedure Changing encryption key status. Replication. When a protected machine in a source Core has encryption enabled, and recovery points for that machine are replicated in a target Core, any encryption keys used in the source appear automatically in the target Core with a status of Replication. The default state after receiving a replicated key is locked. You can unlock an encryption key with a status of Replication by providing the passphrase. If a key has a status of Unlocked, you can manually lock it. For more information, see the topic Locking or unlocking an encryption key. State The state indicates whether an encryption key can be used. Two possible states include: Unlocked. An Unlocked state indicates that the key can be used immediately. For example, you can encrypt snapshots for a protected machine, or perform data recovery from a replicated recovery point on the target Core. Locked. A Locked state indicates that the key cannot be used until it is unlocked by providing the passphrase. Locked is the default state for a newly imported or replicated encryption key. If the state of an encryption key is Locked, it must be unlocked before it can be used. If you previously unlocked a locked encryption key, and the duration to remain unlocked has expired, the state changes from Unlocked to Locked. After the key locks automatically, you must unlock the key again in order to use it. For more information, see the topic Locking or unlocking an encryption key. Description The description is an optional field that is recommended to provide useful information about the encryption key such as its intended use or a passphrase hint.
Dell AppAssure User Guide Version 5.4.3 Revision B93 From the Encryption Keys pane, you can manage security for the backup data saved to the Core for any protected machine in your repository by doing the following: •Adding an encryption key •Importing an encryption key •Locking or unlocking an encryption key •Editing an encryption key •Changing an encryption key passphrase •Exporting an encryption key •Removing an encryption key •Changing encryption key status Adding an encryption key After an encryption key is defined, you can use it to safeguard your data. Encryption keys can be used by any number of protected machines. This step describes how to add an encryption key from the AppAssure Core Console. This process does not apply the key to any machines currently being protected on the Core. You can also add an encryption key during the process of protecting a machine. For more information on adding encryption as part of protecting one machine, see Protecting a machine. For more information on adding encryption to two or more machines while initially protecting them, see Protecting multiple machines. Complete the steps in this procedure to add an encryption key. To add an encryption key 1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security. The Encryption Keys page appears. 2 From the Actions drop-down menu, select Add Encryption Key. The Create Encryption Key dialog box appears. 3 In the Create Encryption Key dialog box, enter the details for the key as described in the following table. 4Click OK. The dialog box closes and the encryption key you created is visible on the Encryption Keys page. Table 46. Create encryption key details. Te x t B o x D e s c r i p t i o n Name Enter a name for the encryption key. Encryption key names must contain between 1 and 130 alphanumeric characters. Do not use prohibited characters or prohibited phrases. Description Enter a comment for the encryption key. This information appears in the Description field when viewing encryption keys from the Core Console. You can enter up to 254 characters. Best practice is to avoid using prohibited characters and prohibited phrases. Passphrase Enter a passphrase used to control access. Best practice is to avoid using prohibited characters. Record the passphrase in a secure location. Dell Support cannot recover a passphrase. Once you create an encryption key and apply it to one or more protected machines, you cannot recover data if you lose the passphrase. Confirm Passphrase Re-enter the passphrase. It is used to confirm the passphrase entry.
Dell AppAssure User Guide Version 5.4.3 Revision B94 5 If you want to apply the encryption key to a protected machine, see Applying an encryption key from the Machines tab. Importing an encryption key You can import an encryption key from another AppAssure Core and use that key to encrypt data for a protected machine in your Core. To import the key, you must be able to access it from the Core machine, either locally or through your network. Complete the steps in this procedure to import an encryption key. To import an encryption key 1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security. The Encryption Keys page appears. 2 From the Actions drop-down menu, select Import. The Import Key dialog box appears. 3 In the Import Key dialog box, click Browse to locate the encryption key you want to import. The key filename starts with EncryptionKey-, followed by the key ID, and ending in the file extension .key. For example, a sample encryption key name is EncryptionKey-RandomAlphabeticCharacters.key. 4 Select the key you want to import, and then click Open. 5 In the Import Key dialog box, click OK. The dialog box closes and the encryption key you imported is visible on the Encryption Keys page. If the encryption key was used to protect a volume before it was exported, the state of the key is Locked. Locking or unlocking an encryption key Encryption keys may contain a state of unlocked or locked. An unlocked encryption key can be applied to a protected machine to secure the backup data saved for that machine in the repository. From an AppAssure Core using an unlocked encryption key, you can also recover data from a recovery point. When you import an encryption key into an AppAssure Core, its default state is Locked. This is true regardless of whether you explicitly imported the key, or whether the encryption key was added to the AppAssure Core either by replicating encrypted protected machines or by importing an archive of encrypted recovery points. For encryption keys added to the AppAssure Core by replication only, when you unlock a key you can specify a duration of time (in hours, days, or months) for the encryption key to remain unlocked. Each day is based on a 24-hour period, starting from the time the unlock request is saved to the AppAssure Core. For example, if the key is unlocked at 11:24 AM on Tuesday and the duration selected is 2 days, the key automatically re-locks at 11:24 AM that Thursday. You can also lock an unlocked encryption key, ensuring that it cannot be applied to any protected machine until it is unlocked. To lock an encryption key with a state of Universal, you must first change its status to Replicated. CAUTION: AppAssure uses AES 256-bit encryption in the Cipher Block Chaining (CBC) mode with 256- bit keys. While using encryption is optional, Dell recommends that you establish an encryption key, and that you protect the passphrase you define. Store the passphrase in a secure location as it is critical for data recovery. Without a passphrase, data recovery is not possible. NOTE: This procedure does not apply the key to any protected machines. For more information on applying the key, see Applying an encryption key from the Machines tab. CAUTION: You cannot use a locked encryption key to recover data or to apply to a protected machine. You must first provide the passphrase, thus unlocking the key.
Dell AppAssure User Guide Version 5.4.3 Revision B95 If an unlocked encryption key is currently being used to protect a machine in the Core, you must first disassociate that encryption key from the protected machine before you can lock it. Complete the steps in this procedure to unlock a locked encryption key. To unlock an encryption key 1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security. The Encryption Keys page appears. The State column indicates which encryption keys are locked. 2 From the Configuration drop-down menu for the encryption key that you want to unlock, select Unlock. The Unlock Key dialog box appears. 3 In the Unlock Key dialog box, in the Passphrase field, enter the passphrase to unlock this key. 4 To specify the length of time that the key remains unlocked, in the Duration option, do one of the following: •To specify that the key remains unlocked until you explicitly lock it, AppAssure select Until explicitly forgotten. This option is available for unlocking any encryption key. •To specify that the key remains locked for a duration which you configure: •Select the number field and, by typing or using the up and down arrow controls, specify an integer. •In the duration field, select hours, days, or months, respectively. •Then click OK. This option is available for encryption keys added by replication. The dialog box closes and the changes for the selected encryption key are visible on the Encryption Keys page. Complete the steps in this procedure to lock an encryption key. To lock an unlocked encryption key 1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security. The Encryption Keys page appears. The State column indicates which encryption keys are unlocked, and shows the status for each key. 2 If the status of the encryption key that you want to unlock is Universal, then from the Configuration drop-down menu, select Change the encryption status to Replicated. The Change Encryption Key Status dialog box appears. 3 In the Change Encryption Key Status dialog box, confirm that you want to change the status of the key to Replicated. 4 If you successfully changed the encryption key status to Replicated, then from the Configuration drop- down menu for the encryption key that you want to lock, select Lock. The Lock Key dialog box appears. 5 In the Lock Key dialog box, confirm that you want to lock the key. The dialog box closes, and the state of the selected encryption key is now locked. NOTE: This option is available for encryption keys added by replication.
Dell AppAssure User Guide Version 5.4.3 Revision B96 Editing an encryption key After an encryption key is defined, you can edit the name of the encryption key or the description of the key. These properties are visible when you view the list of encryption keys in the Encryption Keys pane. Complete the steps in this procedure to edit the name or description of an existing encryption key. To edit an encryption key 1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security. The Encryption Keys page appears. 2 From the Configuration drop-down menu for the encryption key that you want to modify, select Edit. The Edit Encryption Key dialog box appears. 3 In the Edit Encryption Key dialog box, edit the name or the description for the encryption key, and then click OK. The dialog box closes and the changes for the selected encryption key are visible on the Encryption Keys page. Changing an encryption key passphrase To maintain maximum security, you can change the passphrase for any existing encryption key. Complete the steps in this procedure to change the passphrase for an encryption key. To change an encryption key passphrase 1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security. The Encryption Keys page appears. 2 From the Configuration drop-down menu for the encryption key that you want to modify, select Change Passphrase. The Change Passphrase dialog box appears. 3 In the Change Passphrase dialog box, enter the new passphrase for the encryption and then re-enter the passphrase to confirm what you entered. 4Click OK. The dialog box closes and the passphrase is updated. CAUTION: After you edit the name or description an encryption key that is used to protect one or more machines, AppAssure takes a new base image.That base image snapshot occurs for that machine upon the next scheduled or forced snapshot. CAUTION: After you edit the passphrase for an encryption key that is used to protect one or more machines, a new base image is taken for that machine upon the next scheduled or forced snapshot. CAUTION: AppAssure uses AES 256-bit encryption in the Cipher Block Chaining (CBC) mode with 256- bit keys. It is recommended that you protect the passphrase you define. Store the passphrase in a secure location as it is critical for data recovery. Without a passphrase, data recovery is not possible.
Dell AppAssure User Guide Version 5.4.3 Revision B97 Exporting an encryption key You can export an encryption key from any AppAssure Core with the express purpose of using it in another Core. When you perform this procedure, the key is saved to the Downloads folder for the active Windows user account. Complete the steps in this procedure to export an encryption key. To export an encryption key 1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security. 2 From the Configuration drop-down menu for the encryption key that you want to export, select Export. The Export Key dialog box appears. 3 In the Export Key dialog box, click Save File to save and store the encryption keys in a secure location, and then click OK. Removing an encryption key When you remove an encryption key on the Configuration tab, the key is deleted from the AppAssure Core. You cannot remove an encryption key that is already associated with any protected machine. You must first view the encryption settings for each protected machine using the key, and disassociate the encryption key you want to remove. For more information, see the topic Disassociating an encryption key from a protected machine. Complete the steps in this procedure to remove an encryption key. To remove an encryption key 1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security. 2 From the Configuration drop-down menu for the encryption key that you want to remove, select Remove. You see a message confirming the action to remove the encryption key. 3 In the Remove Key dialog box, confirm that you want to remove the encryption key. The dialog box closes and the encryption key you removed no longer appears on the Encryption Keys page. Changing encryption key status Encryption keys list one of two possible status conditions on the Encryption Keys pane: Universal or Replication. The status indicates the likely origin of the encryption key, and determines whether you can change its details or passphrase. You can modify these attributes only if the status is Universal. If you need to modify these attributes for a key with Replicated status, you must change its status to Universal using this procedure. When you change the status of an encryption key to Universal, it is unlocked manually and can be used to encrypt other protected machines. Encryption keys also have two possible states: Locked or Unlocked. The state controls your ability to apply an encryption key to a protected machine, or to restore data from a recovery point with encryption. You can change the status of an encryption key manually only if the state is Unlocked. When you first create an encryption key, its status is Universal, and its state is Unlocked. You can use such a key immediately (for example, to encrypt backups for a protected machine). However, a key with Universal status NOTE: Removing an encryption key does not make the data un-encrypted. CAUTION: You must know the passphrase to change the status from Replicated to Universal.
Dell AppAssure User Guide Version 5.4.3 Revision B98 cannot be locked manually. If you want to manually lock an encryption key with a status of Universal, you must change the status to Replicated using this procedure. Follow this procedure to change the status of an encryption key. To change encryption key status 1 Navigate to the AppAssure Core, click the Configuration tab, and then select Security. Any encryption keys accessible to the Core appear in the Encryption Keys pane. Each lists a status of universal or replicated. 2 To change the status from Universal, from the Configuration drop-down menu for the encryption key that you want to change, select Change the status to replicated. You see a message confirming the action to change the encryption key status. 3 To change the status from Replicated, from the Configuration drop-down menu for the encryption key that you want to change, select Change the status to universal. You see a message confirming the action to change the encryption key status. 4 Provide the encryption key passphrase and then click OK. The dialog box closes and the encryption key status is updated on the Encryption Keys page.