Dell APEX Cyber Recovery Services – Security Guide: Data security in transit
PowerProtect DD series encryption software enables customers to enhance the security of the data that resides on PowerProtect DD series appliances using industry-standard encryption algorithms. PowerProtect DD series encryption software protects backup and archive data stored on PowerProtect DD series appliances with data encryption that is performed inline before the data is written to disk.
It is the customer’s responsibility and decision to encrypt or not to encrypt the data in-flight to and from the vault. Data encryption is designed to protect customer data if the protection system is stolen or if the physical storage media is lost during transit. It also eliminates accidental exposure of data on a failed drive when the drive is replaced. When data enters the protection system using any of the supported protocols (NFS, CIFS, DDVTL, DD Boost, and NDMP tape server), the stream is segmented, fingerprinted, and deduplicated (global compression). Then, the data is grouped into multisegmented compression regions, locally compressed, and encrypted before being stored to disk. When data encryption is enabled, the PowerProtect DD Encryption feature encrypts all data entering the appliance.
Customers should consider implementing PowerProtect DD series encryption for highly classified and sensitive data. Encryption of data in-flight encrypts data that is being transferred using DD Replicator between two PowerProtect DD series appliances. It uses AES 256-bit encryption to encapsulate the replicated data over the wire. The encryption-encapsulation layer is immediately removed when it transfers to the destination system. Data within the payload can also be encrypted using PowerProtect DD Encryption.
PowerProtect DD Replicator provides automated, policy-based, network-efficient replication for disaster recovery, remote-office data protection, and multisite tape consolidation. DD Replicator software asynchronously replicates only the compressed, deduplicated data over the WAN or LAN during the backup process, making network-based replication fast, reliable, and cost-effective. PowerProtect DD Replicator can securely encapsulate its replication payload over SSL with AES 256-bit encryption. This ability enables secure transmission over the wire, a process also known as encrypting data in flight.
Encryption of data in-flight over NFS: NFSv3 and NFSv4 support the Kerberos v5 protocol with integrity checking using checksums (krb5i) and with the privacy service (krb5p), for integrity and privacy, respectively. However, there are performance penalties for encryption.
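A client-side check for the Kerberos flavors described above, as an added example that is not from the Dell guide: it parses mount-table text in Linux `/proc/mounts` format and reports NFS mounts whose `sec=` option gives less than the required protection. The host names, export paths and mount points in the sample are constructed.

```python
# Added example: audit NFS mounts for the Kerberos flavor in use (sec= option).
NFS_TYPES = {"nfs", "nfs4"}
RANK = ["none", "authentication", "integrity", "privacy"]
PROTECTION = {
    "sys": "none",             # AUTH_SYS: no Kerberos, no integrity, no privacy
    "krb5": "authentication",  # Kerberos v5 authentication only
    "krb5i": "integrity",      # adds checksums on each message
    "krb5p": "privacy",        # adds encryption of the traffic
}

def parse_mounts(text):
    """Yield (mountpoint, options dict) for each NFS entry in /proc/mounts format."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in NFS_TYPES:
            continue  # skip malformed lines and non-NFS filesystems
        opts = {}
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            opts[key] = value
        yield fields[1], opts

def audit(text, required="privacy"):
    """Return (mountpoint, flavor, level) for NFS mounts below the required level."""
    findings = []
    for mountpoint, opts in parse_mounts(text):
        flavor = opts.get("sec", "unspecified")
        # Unknown or missing flavors are treated as offering no protection.
        level = PROTECTION.get(flavor, "none")
        if RANK.index(level) < RANK.index(required):
            findings.append((mountpoint, flavor, level))
    return findings

# Constructed sample in /proc/mounts format (not taken from a real system).
SAMPLE = """\
/dev/sda1 / ext4 rw,relatime 0 0
backup.example.internal:/export/a /mnt/a nfs4 rw,relatime,vers=4.1,sec=krb5p 0 0
backup.example.internal:/export/b /mnt/b nfs4 rw,relatime,vers=4.1,sec=krb5i 0 0
backup.example.internal:/export/c /mnt/c nfs rw,relatime,vers=3,sec=sys 0 0
"""

if __name__ == "__main__":
    for mountpoint, flavor, level in audit(SAMPLE):
        print(f"{mountpoint}: sec={flavor} provides {level}, privacy required")
```

On a live Linux client, pass the contents of `/proc/mounts` to `audit()` in place of `SAMPLE`; use `required="integrity"` where krb5i is the accepted baseline.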