Consider a NAS backup job with the following three targets:
Primary repository: Veeam SOBR with several DAS (direct-attached-storage) boxes
Secondary repository: DataDomain with DDboost integration (setup with meta-repos and several gateways to maximize performance)
This configuration was running already for a few years without issues.
Now an archive repository on S3 with a large hyperscaler shall be introduced. Here we need to force encryption of course.
How can this be achieved, without also encrypting backup data driven to the DataDomain?
To my understanding it is not possible with VBR as encryption for NAS backups can only be enabled on the job level.
This is in contrast to the capacity tier of a SOBR where you can have S3 data be encrypted while leaving the performance tier unencrypted.
At this time you are correct; while there are granular encryption controls for the Secondary Repository, this only allows you to have a different encryption key used, else if the primary job has encryption, the secondary will inherit it along with the archive.
No immediately workaround comes to mind, but I will discuss the matter internally and report back.
David Domask | Product Management: Principal Analyst
Thanks for the fast and precise reply.
If I could enable encrytion just for secondary while having none with primary - wouldn't then just swapping the roles of secondary and archive solve the problem?
- Primary: SOBR/DAS - no encrytion
- Secondary: S3 - with encryption and e.g. custom retention
- Archive: DataDomain with Archive-Recent-Files enabled to have also the most recent file being backed up here
Important point is to have it unencrypted on the DataDomain. Otherwise de-dupe would be impossible.
Your workaround in-fact will work and sorry I just wasn't thinking to suggest it even, cannot tell why (not enough coffee I guess)
I think your solution here will work indeed, and if you're in a position to reconfigure the jobs that way, then sounds like we have an answer.
Discussed the matter internally, and the situation definitely warrants further review. Nothing concrete to tell at this time, but your situation is not uncommon so makes sense to check how we can make this easier for everyone.
David Domask | Product Management: Principal Analyst
Thanks a lot for your reply.
Final question comes to my mind - can we remap the already produced backups on the DataDomain from "secondary" to "archive" in the NAS jobs? Otherwise we would have to produce them anew.
Thanks, David. Currently nothing is encrypted. Neither "Primary" nor "Secondary".
First step would be to move the DataDomain from "Secondary" to "Archive".
Question is: can I disable "Secondary" and enable "Archive" with "Archive recent files" option and now just "map" the backup to prevent an active-full.
So does "map" also work while changing the tier? I'd assumed the structure in "Archive" to be slightly different.
If possible, I would afterwards configure "Secondary" to produce an encrypted offload to S3 - as an active full of course.
Regrettably, the structure here is a little different so remapping won't be feasible here. So I'm afraid that you'll likely need to plan a changeover date and prepare for a full backup at that time after making the changes.
I do agree it's a bit much, hence as noted before discussing internally how to make this a bit friendlier moving forward, but nothing to share on any specifics at this time.
David Domask | Product Management: Principal Analyst
Thanks a lot for clarifying, David.
I expected that from my understanding of the archive tier here.
Would be great to have encryption available for all tiers (individually) in the future.
For the time being we brace for an active full to the DataDomain once switched to the archive tier and will have to let the historical DD data rest as orphaned backup for a while.
Thanks, Michael
(not enough coffee I guess)