Solved

Enabling encryption on dedupe storage - creates a new set dedupe data?

  • 9 October 2021
  • 9 replies
  • 587 views

Userlevel 1
Badge +4

 

This assumption correct?  - If you  to start CV encrypting data sent dedupe storage my guess would be that it a completely new set of dedupe data? 

Once encryption is turned on, the dedupe engine will see it as new data rather than encryption version of the old. While the unencrypted and encrypted data from the same servers remains in the same dedupe storage, storage usage could higher than usual.

icon

Best answer by Prasad Nara 10 October 2021, 13:56

View original

9 replies

Userlevel 1
Badge +4

Realized it always going to be different, while stored is to be a completely different data because of encryption.

Userlevel 4
Badge +6

@JM- Dedupe always happens before encrypting on the plain data. Enabling or disabling doesn’t affect dedupe. 

Badge +2

If I have a DDB with data in it, and I activate encryption now. What happens to existing data blocks already written to the dedup store?

Let’s say I have a document XY and it’s already backed up to the DDB without encryption.

If I activate encryption now and run another backup, from my point of view, as the blocks for this document already exist it will not write them encrypted to the dedup store.

Or will the DDB, now with active encryption, check if the existing block is encrypted or not and write it again with encryption?

Userlevel 7
Badge +16

Block already written without encryption will stay that way, only new data since enabling encryption will be encrypted. As Prasad mentioned before, encyption has no reflection on the DDB process as encryption is performed afterwards. Existing data which is not encrypted will still be referenced in the deduplication process.

Badge +2

Block already written without encryption will stay that way, only new data since enabling encryption will be encrypted. As Prasad mentioned before, encyption has no reflection on the DDB process as encryption is performed afterwards. Existing data which is not encrypted will still be referenced in the deduplication process.

Thank you Jos.

Badge

 [...] Existing data which is not encrypted will still be referenced in the deduplication process.

So how can an existing non encrypted dedup storage be converted/migrated to full encryption?

Userlevel 7
Badge +16

Hi @Armin Andres

A conversion is not possible as far as I know.
You could migrate towards a full encryption by either:

  • Seal the DDB and perform all backups encrypted under the new DDB.
    Drawbacks are that you will need to wait untill al data under the sealed DDB is aged to ensure all non encrypted data is gone AND you will create a new baseline for your backup which will result in a higher storage usage.
  • Create a new storage pool (library + ddb) and configure this as encrypted, create a new secondary copy based on this new storage pool, then aux the data to this new copy. When finished promote this new copy as the primary copy. But again, you will create a new baseline for your backup which will result in a higher storage usage.

In theory you could encrypt the drive on OS level, but this creates a dependency on your OS and will impact performance. Not sure also how this would work out regarding Windows FS encryption being combined with Commvault Data encryption. I would not recommend this.

Userlevel 6
Badge +17

 [...] Existing data which is not encrypted will still be referenced in the deduplication process.

So how can an existing non encrypted dedup storage be converted/migrated to full encryption?


If you need existing jobs to be encrypted, you will need to setup a new SP Copy with encryption enabled, aux copy everything, promote the new Copy and decom the old Copy.  As everything is aux copied it will get encryption applied to the new unique blocks.

Thanks,
Scott

Badge

Thanks for your answers!

  • I doubt that sealing the DDB helps. In a test the dedup factor of a new full back was too good to be true for a 1st full backup.
  • I don’t need to encrypt existing backups, but I want new backups to be (fully) encrypted.
  • I can ‘afford’ to create new libraries and DDBs on many of my systems. Having only 30 days retention, I can delete the old libraries and DDBs after a month.
  • On some of my systems I do not have enough space for a new baseline. I need some creative ideas for a migration path from unencrypted to fully encrypted.

Creative ideas are very welcome.

 

Thanks

Armin

Reply