Handling backup and restore for securing data-at-rest
In this case, users must encrypt the backup file themselves. Although the key is not required to restore a backup, including it in the backup could present a security risk.
When secure data-at-rest is enabled, the AEK is not stored in the backup, for security reasons. The current AEK of the system is used to restore a backup. If, however, the system AEK has changed since the backup was taken, if the Composer has been factory reset before the restore, or if the target Composer is a different one, the copy of the AEK that was in effect when the backup was taken must be supplied to restore the backup.
A restore operation restores the secure data-at-rest option to its state at the time of the backup. This means that after a backup is restored on the appliance, the appliance can automatically switch to a less secure or more secure mode, depending on whether secure data-at-rest was disabled or enabled when the backup was created.
An administrator can generate a new AEK (for example, when a saved copy is compromised). Therefore the AEK in effect at the time of backup may not be the current key.
Ensure that you take a backup before regenerating the AEK so that you can recover from errors encountered during the key generation process.
| Scenario | Action |
|---|---|
| A secure data-at-rest enabled backup is restored when secure data-at-rest is enabled. The current AEK matches the backup-time key. | No action required. |
| A secure data-at-rest enabled backup is restored when secure data-at-rest is enabled. The current AEK does not match the backup-time key. | In response to the GUI or maintenance console prompt for the AEK of the backup, supply your saved copy of the key. |
| A secure data-at-rest disabled backup is restored. | The system is restored to the secure data-at-rest disabled state. |
| A secure data-at-rest enabled backup is restored on a different, but compatible, appliance (which has a different AEK). | In response to the GUI or maintenance console prompt for the AEK of the backup, supply your saved copy of the key. |