Home > Data Protection > PowerProtect DD Series Appliances > White Papers > PowerProtect DD Series Appliances: Encryption Software > DD Encryption and Cloud Tier
DD Encryption can be enabled at three levels: system, active tier, and cloud unit. Encryption of the active tier is only applicable if encryption is enabled for the system. Cloud units have separate controls for enabling encryption. Follow these steps to enable DD encryption for cloud units:
Note: If no encryption license is present on the system, the Add Licenses page is displayed.
Note: You are prompted to enter security officer credentials to enable encryption.
Note: Cloud encryption is allowed only through the Embedded Key Manager. External key managers are not supported.
If encryption is enabled for the cloud tier, any data written to the cloud or buckets is encrypted using the Embedded Key Manager (eKM) keys. The data is encrypted on the DD series appliance before it is written to the cloud. There is no end-to-end encryption, but data is always encrypted throughout the data movement.
If the encryption is disabled on the cloud tier, data is decrypted on the DD series appliance before it is sent over a TLS connection to the cloud. If the encryption is enabled on the cloud-provider side (for example, using ECS native encryption), the data is encrypted when it reaches that end point. Similarly, the data is decrypted at the endpoint and is transmitted over TLS when it is recalled or read from the DD series appliance.
Note: When using an embedded key manager, only the newly ingested data is encrypted. For example, encryption occurs for data that is ingested after embedded encryption is enabled, unless you run the Apply changes command. This command converts or encrypts all the existing unencrypted data.