VAST Encryption use

  • 11 August 2022
  • 3 replies

Good day all


I just want to get some thoughts from those who use a storage target which has its own option for encryption.
I’m setting up a new environment which will use VAST storage as a backup target. I will be enabling encryption and ransomware protection on the Commvault side.


Would it be recommended to also enable encryption on the storage level using VAST’s encryption?

Logically it wouldn’t make sense to encrypt encrypted data, but I want to check if anyone has any thoughts on this?





Best answer by Onno van den Berg 25 August 2022, 14:21

@Mauro It really depends, I would say. Just like you mentioned already, logically it doesn't make sense to encrypt the data twice; however, it might be that your company has specific requirements in place to have array-based encryption turned on, especially in case the array is used for multiple workloads. In addition, it can also save you money, because in case of such a company-wide requirement, having to put in place a so-called non-returnable disk contract can be very expensive, which is normally mitigated by enabling array-based encryption.

I would also suggest consulting the vendor and raising the question of how much overhead you can expect, especially when you want to recover/read data. In case it is negligible, then I would just leave it enabled for sure.

The great thing about enabling it on the Commvault side is that you really know that all the traffic from the client all the way back to the storage is fully protected through encryption, because both the tunnels and the data that flows over them are encrypted.

Hi all

I managed to get some feedback on the best way to do this. It’s a bit of a hybrid solution which I’ll be testing.

The caveat with VAST is that you need to enable Encryption during the setup of it. It cannot be changed afterwards, unless you format everything and start again. So, obviously, it’s critical to get this right up front.

VAST recommends that Commvault Encryption is disabled. What I want to test is what happens when I enable Network encryption in Commvault only. That will give that layer of protection and then the VAST will handle the storage portion.
The CPU overhead on Commvault is much less using the VAST encryption only.

Regarding deduplication and compression, they do recommend that it’s turned off on Commvault and let the VAST handle this.
However, Commvault does offer the option to deduplicate at source. 
Their field experience does show better data reduction using VAST.

However, we can test using both in tandem. There’s another caveat.
Commvault uses the default 128k block size on the storage, while VAST recommends 512k or 1024k blocks. So this is also something that once configured may remain ‘as-is’. I’ll need to test this at implementation too.

I hope this helps a little.



Mmmm, I honestly would not disable deduplication on the Commvault side, because of the benefit that it relieves the entire network path from having to process big piles of data. With Commvault deduplication turned off, you will rely entirely on the CPU power of the storage box for deduplication processing and you are pulling all the data over the wire. Do mind this will influence your RTO and RPO because of bottlenecks in networking or, for example, a limit in MA resources. You might end up having an array with high CPU load, which impacts performance, while you still have enough storage capacity left.

Sure, the guys from VAST will tell you their "technology" is better ;-) I would raise the same questions to your Commvault contact persons ;-)