Solved

Enabling encryption on dedupe storage - creates a new set dedupe data?


  • Byte
  • 12 replies

 

Is this assumption correct? If you were to start CV encrypting data sent to dedupe storage, my guess would be that it creates a completely new set of dedupe data?

Once encryption is turned on, the dedupe engine will see it as new data rather than an encrypted version of the old. While the unencrypted and encrypted data from the same servers remains in the same dedupe storage, storage usage could be higher than usual.

Best answer by Prasad Nara

@JM- Dedupe always happens before encrypting on the plain data. Enabling or disabling doesn’t affect dedupe. 


9 replies

  • Author
  • Byte
  • 12 replies
  • October 10, 2021

Realized it is always going to be different, while what is stored is going to be completely different data because of encryption.


  • Vaulter
  • 47 replies
  • Answer
  • October 10, 2021

@JM- Dedupe always happens before encrypting on the plain data. Enabling or disabling doesn’t affect dedupe. 


  • Byte
  • 9 replies
  • February 6, 2023

If I have a DDB with data in it and I activate encryption now, what happens to existing data blocks already written to the dedup store?

Let’s say I have a document XY and it’s already backed up to the DDB without encryption.

If I activate encryption now and run another backup, from my point of view, as the blocks for this document already exist it will not write them encrypted to the dedup store.

Or will the DDB, now with active encryption, check if the existing block is encrypted or not and write it again with encryption?


Jos Meijer
Commvault Certified Expert
  • Commvault Certified Expert
  • 638 replies
  • February 6, 2023

Blocks already written without encryption will stay that way; only new data since enabling encryption will be encrypted. As Prasad mentioned before, encryption has no reflection on the DDB process as encryption is performed afterwards. Existing data which is not encrypted will still be referenced in the deduplication process.


  • Byte
  • 9 replies
  • February 6, 2023
Jos Meijer wrote:

Blocks already written without encryption will stay that way; only new data since enabling encryption will be encrypted. As Prasad mentioned before, encryption has no reflection on the DDB process as encryption is performed afterwards. Existing data which is not encrypted will still be referenced in the deduplication process.

Thank you Jos.


Jos Meijer wrote:

 [...] Existing data which is not encrypted will still be referenced in the deduplication process.

So how can an existing non encrypted dedup storage be converted/migrated to full encryption?


Jos Meijer
Commvault Certified Expert
  • Commvault Certified Expert
  • 638 replies
  • February 6, 2023

Hi @Armin Andres

A conversion is not possible as far as I know.
You could migrate towards a full encryption by either:

  • Seal the DDB and perform all backups encrypted under the new DDB.
    Drawbacks are that you will need to wait until all data under the sealed DDB is aged to ensure all non encrypted data is gone AND you will create a new baseline for your backup which will result in a higher storage usage.
  • Create a new storage pool (library + ddb) and configure this as encrypted, create a new secondary copy based on this new storage pool, then aux the data to this new copy. When finished promote this new copy as the primary copy. But again, you will create a new baseline for your backup which will result in a higher storage usage.

In theory you could encrypt the drive on OS level, but this creates a dependency on your OS and will impact performance. Not sure also how this would work out regarding Windows FS encryption being combined with Commvault Data encryption. I would not recommend this.


Scott Moseman
Vaulter
Armin Andres wrote:
Jos Meijer wrote:

 [...] Existing data which is not encrypted will still be referenced in the deduplication process.

So how can an existing non encrypted dedup storage be converted/migrated to full encryption?


If you need existing jobs to be encrypted, you will need to set up a new SP Copy with encryption enabled, aux copy everything, promote the new Copy and decom the old Copy. As everything is aux copied it will get encryption applied to the new unique blocks.

Thanks,
Scott
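
The behaviour described in the answers above (signatures taken on plaintext, existing blocks referenced rather than rewritten, and an aux copy into a new encrypted copy), as an added example that is not part of the original thread and not Commvault code. `DedupeStore`, `toy_encrypt`, `aux_copy` and the sample data are hypothetical, and the XOR keystream is only a stand-in for a real cipher.

```python
import hashlib

BLOCK = 8  # tiny block size so the constructed sample splits into blocks

def toy_encrypt(key, sig, data):
    # Stand-in for a real cipher (XOR keystream, symmetric); illustration only.
    ks = hashlib.sha256(key + sig.encode()).digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))

class DedupeStore:  # hypothetical model, not Commvault's DDB
    def __init__(self, encrypt=False):
        self.blocks = {}  # plaintext signature -> (stored bytes, encrypted?)
        self.encrypt = encrypt
        self.key = b"constructed-demo-key"

    def backup(self, data):
        """Store data; return how many new blocks were written."""
        written = 0
        for i in range(0, len(data), BLOCK):
            chunk = data[i:i + BLOCK]
            sig = hashlib.sha256(chunk).hexdigest()  # signature on plaintext
            if sig in self.blocks:
                continue  # existing block is referenced, never rewritten
            stored = toy_encrypt(self.key, sig, chunk) if self.encrypt else chunk
            self.blocks[sig] = (stored, self.encrypt)
            written += 1
        return written

    def read(self, sig):
        stored, enc = self.blocks[sig]
        return toy_encrypt(self.key, sig, stored) if enc else stored

    def plaintext_blocks(self):
        return [s for s, (_, enc) in self.blocks.items() if not enc]

def aux_copy(src, dst):
    for sig in src.blocks:  # re-ingest every block into the new copy
        dst.backup(src.read(sig))

def demo():
    old = DedupeStore()
    doc = b"AAAAAAAABBBBBBBBCCCCCCCC"  # constructed "document XY", 3 blocks
    first = old.backup(doc)             # encryption off: 3 blocks written
    old.encrypt = True
    second = old.backup(doc)            # encryption on, same data: 0 written
    third = old.backup(doc + b"DDDDDDDD")  # only the new block is encrypted
    new = DedupeStore(encrypt=True)
    aux_copy(old, new)
    return first, second, third, len(old.plaintext_blocks()), len(new.plaintext_blocks())
```

In this model the old store still holds three unencrypted blocks after encryption is switched on, while the copy populated through `aux_copy` holds none.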



Thanks for your answers!

  • I doubt that sealing the DDB helps. In a test the dedup factor of a new full backup was too good to be true for a 1st full backup.
  • I don’t need to encrypt existing backups, but I want new backups to be (fully) encrypted.
  • I can ‘afford’ to create new libraries and DDBs on many of my systems. Having only 30 days retention, I can delete the old libraries and DDBs after a month.
  • On some of my systems I do not have enough space for a new baseline. I need some creative ideas for a migration path from unencrypted to fully encrypted.

Creative ideas are very welcome.

 

Thanks

Armin

