Question

How to perform restores from the Snowball device which comes with default AWS encryption

  • 3 October 2023

Badge +2

We are running a POC for seeding an AWS S3 bucket which will act as a DASH target. For the seeding of data, we are using the AWS Snowball device. We have two goals in the POC:

  1. Seed the OnPrem backup data to AWS S3 using Snowball device and ship it to AWS. Once seeded to S3 bucket, test restores from S3 and also validate the next DASH job to S3 only transfers unique data after deduping.
  2. Copy the DASH data from S3 to Snowball Device, ship the device to On-Prem. Perform restores from the Snowball device.

We have successfully completed the first part of the POC and need to initiate the second phase. But before shipping the Snowball device to AWS, we ran a data verification job on the Snowball to confirm all the seeded DASH jobs are in a readable state. The job failed since Commvault was unable to read any data from the Snowball device, and we were getting read errors. We opened a case with CV Support, and after confirming there was no issue with Commvault, we engaged AWS Support. They mentioned that the data on the Snowball device is encrypted by default and Commvault is not decrypting the data before attempting to read.

Below are the logging errors found in ScalableDDBVerf.log.

Now my question is how we can ensure that Commvault can decrypt the data first on the Snowball before it attempts to read the data for data verification or restore. We already enabled the Commvault encryption on the Global DDB policy, and the device is also encrypting the data using its own default encryption, which we cannot disable. Is there a way to provide the AWS decryption key to Commvault so it can read the data from the device? I found the below additional setting but was not sure if I could use this for a Snowball device.

Enabling Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) (commvault.com)

This is not only an issue with the POC, but also in the future if we ever want to restore a large or entire set of data from the S3 DASH copy. We would like to use the Snowball for restores instead of restoring over the WAN, which has low restore speeds.


9 replies

Userlevel 5
Badge +14

Hello @Aravind 

Can I ask why you want to “reverse” seed the data from S3 to on-prem?

As far as I know (and after checking our documentation) we have no documented way of doing this reverse-seed you are outlining in your 2nd point. I assume the Snowball device encrypts the data so that if anything happened to the device, a malicious person could not retrieve your data.

Regarding the Server-Side encryption you linked, this only applies to S3 buckets, not S3 Snowball devices. Commvault software encryption will encrypt the data and you can use either Commvault or a 3rd party KMS to manage the keys. Hardware encryption is only supported for Tape storage.

With the Snowball device, the purpose is to copy data to it and ship it to AWS, who put the data into your bucket. To my knowledge it was not designed to reverse-seed data as you wish to do.

Even if AWS could give us access to the encryption keys so we could read from the Snowball, it doesn’t appear that would even be Supported from our perspective.

Thank you,

Collin

Badge +2

Hello @Collin Harper

Yes, the customer wants to avoid running the restores over WAN, which is slower. So, they want to test this method.

Thanks,

Aravind

Userlevel 5
Badge +14

Hello @Aravind 

Unfortunately this is not supported. The Snowball device is only for seeding data to AWS, not reverse seeding it from AWS to onsite.

Thank you,

Collin

Userlevel 4
Badge +6

Hi @Aravind 

It is definitely possible to seed an on-premises Cloud library using the same process that we use to seed a Cloud library from an on-prem library - just in reverse.

The process is simply the reverse of the process detailed here:
https://documentation.commvault.com/2023e/expert/9274_seeding_cloud_storage_library.html

In fact, because the Snowball talks S3, you can set up the Snowball as a Cloud library and perform selective copies of just the data you need from your Region-based library.

https://documentation.commvault.com/2023e/expert/11490_additional_copies_of_backup_data.html

Badge +2

Hi @Mathew Ericson

Please clarify, did you mean we need an On-Prem S3 for this use case? Or did you mean we can use the Snowball device itself for performing restores?

If it’s the latter, then we were not able to restore from Snowball, since AWS has encrypted the data on the device with their own keys. When Commvault attempts to read the data, we are getting the error I shared in the initial post.

Thanks,

Aravind

Userlevel 4
Badge +6

Aravind,

I’ve spoken to Amazon and there should be no problem reading the data written to the Snowball device.

Our customer support teams are reviewing your case now along with Commvault development and will be reaching out to you to discuss further.

Badge +2

Thanks for the update. I’ll wait for Support/Dev update.

Badge +2

Hello @Mathew Ericson

We attempted to perform the restores from the Snowball device today. We are still facing the same issue: Commvault is not able to read the data. It’s the same error as before. The customer has opened case 231117-467; please help us with resolving the issue.

Userlevel 4
Badge +6

I have spoken directly with our development team and they have requested that you ask for your customer support ticket to be ‘escalated’.

Once escalated, the development team will review the errors you are receiving and identify the root cause/fix.
