The storeonce cli, Licensing, Security features – HP StoreOnce Backup User Manual
Page 12: The storeonce cli licensing security features, Data at rest encryption, Data in flight encryption
The StoreOnce CLI
The StoreOnce Command Line Interface (CLI) provides an alternative way of administering and
monitoring the system. Some tasks are only accessible from the StoreOnce CLI.
StoreOnce CLI commands require an SSH client application (freely available from the internet) and
must be run from a SSH terminal session as described in
.
See the HP StoreOnce Backup system CLI Reference Guide for more information about the StoreOnce
CLI commands.
Licensing
HP StoreOnce VSA has a single license that enables StoreOnce Catalyst and Replication. The
license also includes the security features of Data at Rest Encryption, Data in Flight Encryption, and
Secure Erase.
Security Features
The security features of Data at Rest Encryption, Data in Flight Encryption, and Secure Erase are
part of the VSA license.
NOTE:
StoreOnce replication can be encrypted at the Network layer. This feature is included in
the Security license. See the HP StoreOnce Backup system CLI Reference Guide for more details;
review the networking configuration commands such as net add encryption.
Data at Rest Encryption
When enabled, the Data at Rest Encryption security feature protects data at rest on a stolen,
discarded, or replaced disk from forensic attack.
Creation of a new VTL library, Catalyst store, or NAS share provides the option to enable encryption
if the license was already applied. Once enabled, encryption will automatically be performed on
the data before it is written to disk. Encryption cannot be disabled once it is configured for a library,
Catalyst store, or NAS share.
When creating an encrypted library, Catalyst store, or NAS share, the key store is updated with
the encryption key. This key store may be backed up and saved securely offsite in case the original
key store is corrupted. However, keep only the latest version of the key store as a backup. The key
store on the StoreOnce Backup system is updated each time you create a library, Catalyst store,
or NAS share. The StoreOnce CLI command that backs up the key store also encrypts it, ensuring
it can only be decrypted by the HP StoreOnce backup system.
NOTE:
Each configured library, Catalyst store, or NAS share uses a different key. The StoreOnce
software automatically tracks which key is relevant to which device in the Key Store File. Keys are
automatically re-applied to the correct device if the key store file is restored.
IMPORTANT:
Be very diligent about backing up your keystore if you are creating encrypted
stores or libraries. See the HP StoreOnce Backup system CLI Reference Guide for more information
about the StoreOnce CLI commands for backing up and restoring key stores.
Data in Flight Encryption
When enabled, the Data in Flight Encryption security feature protects data that is in transit from
forensic attack using the IPsec protocol. The data can be moving between two StoreOnce Backup
appliances or a StoreOnce Backup appliance and a backup server.
Data in Flight Encryption is configured using the net [add/modify/delete] encryption
commands in the CLI; see the HP StoreOnce Backup system CLI Reference Guide for more
information.
12
Getting started