Data encryption protects user data if the protection system is stolen or if the physical storage media is lost during transit. It also eliminates accidental exposure of data on a failed drive when that drive is replaced.

When data enters the protection system using any of the supported protocols (NFS, CIFS, DDVTL, DD Boost, and NDMP tape server), the stream is segmented, fingerprinted, and deduplicated (global compression). It is then grouped into multi-segment compression regions, locally compressed, and encrypted before being stored to disk. Once data encryption is enabled, the DD Encryption feature encrypts all data entering the appliance.
Figure 1. DD series encryption software overview
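The order of the stages described above matters, and this added example (not code from the product or its vendor) runs them in that order and in the reverse order on a constructed stream to compare the bytes stored. The fixed segment size, the region size, the sample data and key, and the SHAKE-256 keystream standing in for AES-256 are all assumptions made for the illustration.

```python
import hashlib
import zlib

SEGMENT_SIZE = 4096    # assumption: fixed-size segments; the page gives no size
REGION_SEGMENTS = 8    # assumption: unique segments per compression region

def stand_in_encrypt(key, nonce, data):
    # SHAKE-256 keystream XOR: stand-in for AES-256 (not in the stdlib); run twice to decrypt.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def split(stream):
    return [stream[i:i + SEGMENT_SIZE] for i in range(0, len(stream), SEGMENT_SIZE)]

def unique_segments(segments):
    # Fingerprint each segment and keep only the first copy (deduplication).
    seen, unique = set(), []
    for seg in segments:
        fp = hashlib.sha256(seg).digest()
        if fp not in seen:
            seen.add(fp)
            unique.append(seg)
    return unique

def compress_regions(segments):
    return [zlib.compress(b"".join(segments[i:i + REGION_SEGMENTS]))
            for i in range(0, len(segments), REGION_SEGMENTS)]

def store_in_page_order(stream, key):
    # segment -> fingerprint -> deduplicate -> region -> compress -> encrypt
    regions = compress_regions(unique_segments(split(stream)))
    return [stand_in_encrypt(key, n.to_bytes(8, "big"), r)
            for n, r in enumerate(regions)]

def store_encrypt_first(stream, key):
    # Counter-example: encrypting on arrival (fresh nonce per segment) leaves
    # nothing for the fingerprint index or the compressor to find.
    sealed = [stand_in_encrypt(key, n.to_bytes(8, "big"), s)
              for n, s in enumerate(split(stream))]
    return compress_regions(unique_segments(sealed))

# Constructed sample: two identical "full backups", aligned to the segment size.
ONE_BACKUP = b"".join(b"record %06d status=ok\n" % i for i in range(4000))[:20 * SEGMENT_SIZE]
SAMPLE_STREAM = ONE_BACKUP * 2
SAMPLE_KEY = bytes(range(32))  # constructed 256-bit key, for the demo only

if __name__ == "__main__":
    for store in (store_in_page_order, store_encrypt_first):
        print(store.__name__, sum(map(len, store(SAMPLE_STREAM, SAMPLE_KEY))), "of", len(SAMPLE_STREAM))
```

Encrypting last keeps the deduplication and compression savings while everything written to disk is still ciphertext; encrypting first stores roughly the full input size.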
DD series encryption software provides the following benefits:
- Encrypt all data stored on a DD series deduplication storage system
- Protect data from theft or loss of the system, disk shelves, disks, or factory returned disks
- Easily implement encryption to satisfy internal governance rules and compliance regulations
- Meet compliance needs using industry-standard AES-128 or AES-256 encryption algorithms
- Use RSA BSAFE FIPS 140-2 compliant cryptographic libraries
- Real-time, immediate data encryption with compression
- Stream-Informed Segment Layout (SISL) architecture used for optimized encryption
- Software-based approach requires no extra hardware
- Key management and data integrity:
  - Robust protection against accidental key loss
  - Passphrase protection of encryption keys
  - Data Invulnerability Architecture (DIA) with dual-disk parity RAID 6
- Supports leading backup and archive applications
- Supports leading enterprise applications for database and virtual environments
- Allows simultaneous use of VTL, NAS, NDMP, and DD Boost