Data at rest encryption, Data in flight encryption, Secure erase – HP StoreOnce Backup User Manual

Data at Rest Encryption

When enabled, the Data at Rest Encryption security feature protects data at rest on a stolen,
discarded, or replaced disk from forensic attack.

Creation of a new VTL library, Catalyst store, or NAS share provides the option to enable encryption
if the security features license was already applied. Once enabled, encryption will automatically
be performed on the data before it is written to disk. Encryption cannot be disabled once it is
configured for a library, Catalyst store, or NAS share.

When creating an encrypted library, Catalyst store, or NAS share, the key store is updated with
the encryption key. This key store may be backed up and saved securely offsite in case the original
key store is corrupted. However, keep only the latest version of the key store as a backup. The key
store on the StoreOnce Backup system is updated each time you create a library, Catalyst store,
or NAS share. The StoreOnce CLI command that backs up the key store also encrypts it, ensuring
it can only be decrypted by the HP StoreOnce backup system.

NOTE:

Each configured library, Catalyst store, or NAS share uses a different key. The StoreOnce

software automatically tracks which key is relevant to which device in the Key Store File. Keys are
automatically re-applied to the correct device if the key store file is restored.

IMPORTANT:

Be very diligent about backing up your keystore if you are creating encrypted

stores or libraries. See the HP StoreOnce Backup system CLI Reference Guide for more information
about the StoreOnce CLI commands for backing up and restoring key stores.

Every time that you expand storage by adding a couplet, you must restore your key store. Installing
the additional couplet is an HP Support task, but you are responsible for ensuring that a Security
license is installed for the new couplet and for saving the existing key store.

NOTE:

The encryption feature is licensed per couplet. If you have multiple couplets in the

StoreOnce Backup system cluster, obtain and apply a Security license for each couplet in the
cluster. When mapping replication to target devices on a different StoreOnce Backup system, HP
recommends that encryption is licensed and enabled on both the source and the target couplet or
appliance.

Data in Flight Encryption

When enabled, the Data in Flight Encryption security feature protects data that is in transit from
forensic attack using the IPsec protocol. The data can be moving between two StoreOnce Backup
appliances or a StoreOnce Backup appliance and a backup server.

Data in Flight Encryption is configured using the net [add/modify/delete] encryption
commands in the CLI; see the HP StoreOnce Backup system CLI Reference Guide for more
information.

Secure Erase

Secure Erase can be enabled for all store types. This feature enables allows secure erasure of data
that was backed up as part of a regular backup job. The Secure Erase feature can only be enabled
after store or library creation (edit the store or library to enable Secure Erase). All data written to
disk once Secure Erase is enabled will be securely erased upon data deletion. For example, you
may have unintentionally backed up confidential data and need to be sure that it has been securely
erased. Work with the backup application to trigger the Secure Erase, for example by forcing the
format of a cartridge. The backup application sends the request to delete the data and the deletion
is carried out as part of the Housekeeping function.

WARNING!

To immediately remove data, ensure the backup application is configured correctly.

Rotation and retention policies may need to be revisited to ensure that the data is expired.

Security Features

15