Highly Reliable Systems: Removable Disk Backup & Recovery


Monthly Archives: April 2014

May Newsletter

April 29th, 2014 by

Highly Reliable Systems May Newsletter. New- BNAS Mini Now Available! Plus 4 things You Have To Know About Encryption.

Posted in News

Hardware Encryption on a Backup NAS Device

April 2nd, 2014 by

Highly Reliable Systems now offers hardware encryption on select backup NAS devices. High-Rely supports AES encryption on many of our highly-removable drive backup appliances, allowing media to be safely transported. This article discusses the encryption feature as supported on certain NetSwap Plus and RAIDFrame Plus product lines (not the BNAS or WBA Windows Storage Server based appliances, which have an encryption not discussed here).

Encryption on capable NetSwap and RAIDFrame server backup devices is used to protect data at rest, as well as when replicating offsite. This article is specifically referencing encryption of the hard drives themselves. Whether or not the backup software supports encryption, the NAS device and software can now protect data, which means many High-Rely backup devices now meet HIPAA and other regulatory compliance challenges.

The protection can be achieved by encrypting an entire disk or one individual file container, although we anticipate that the entire disk will be the usual option. The algorithm used is symmetric-key AES and the resulting volume is TrueCrypt compatible, which allows it to be mounted in a Windows or other machine with a free copy of TrueCrypt, or used as Amazon S3 compatible seed drives. TrueCrypt is an open-source disk encryption application and is the only device encryption supported by Amazon Web Services for Import/Export. All seed drives returned by Amazon S3 to the customer will be encrypted in this way, so having this compatibility is crucial for High-Rely’s unique SpeedSeed feature.

Encryption is configured under the “Disks” menu, typically when setting up and formatting your removable disks. The encryption engine supports parallelized encryption for multi-core systems to reduce the performance hit of encryption and decryption. On newer processors supporting the AES-NI instruction set, it supports hardware-accelerated AES to further improve performance, which is what is meant when we say High-Rely offers hardware support for encryption. TrueCrypt has at least one distinct advantage over Microsoft’s BitLocker: support for multiple operating systems. Since the volumes are independent of the operating system, you will be able to mount your volume on any computer on which you can run TrueCrypt. These include:

  • Windows 10 (32-bit and 64-bit)
  • Windows 8/8.1 (32-bit and 64-bit)
  • Windows 7  (32-bit and 64-bit)
  • Windows Vista  (32-bit and 64-bit)
  • Windows XP  (32-bit and 64-bit)
  • Windows Server 2019 (64-bit)
  • Windows Server 2016 (64-bit)
  • Windows Server 2012/2012 R2 (64-bit)
  • Windows Server 2008 R2  (64-bit)
  • Windows Server 2008  (32-bit and 64-bit)
  • Windows Server 2003  (32-bit and 64-bit)
  • Windows 2000 SP4
  • Mac OS X 10.8 Mountain Lion  (32-bit and 64-bit)
  • Mac OS X 10.7 Lion  (32-bit and 64-bit)
  • Mac OS X 10.6 Snow Leopard  (32-bit)
  • Mac OS X 10.5 Leopard
  • Mac OS X 10.4 Tiger
  • Linux  (32-bit and 64-bit versions, kernel 2.6 or compatible)

Note: The following operating systems (among others) are not supported: Windows RT, Windows 2003 IA-64, Windows 2008 IA-64, Windows XP IA-64, and the Embedded/Tablet versions of Windows.

Since TrueCrypt volumes do not contain file headers and their content is indistinguishable from random data, it is theoretically impossible to identify such drives as being TrueCrypt volumes without knowing their passwords.  This is to support the concept of plausible deniability.
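The property described above can be seen by inspecting the first bytes of a volume. The following Python is an added example, not High-Rely or TrueCrypt code: it looks for well-known header signatures and otherwise measures byte entropy, using constructed samples (a SHA-256 stream standing in for ciphertext) and an assumed threshold of 7.9 bits per byte.

```python
import hashlib
import math
from collections import Counter

# (offset, magic bytes, label) for headers that make a volume identifiable.
KNOWN_SIGNATURES = [
    (0, b"LUKS\xba\xbe", "LUKS header"),
    (3, b"NTFS    ", "NTFS boot sector"),
    (512, b"EFI PART", "GPT header"),
    (510, b"\x55\xaa", "MBR boot signature"),
]
ENTROPY_THRESHOLD = 7.9  # bits per byte; assumed cut-off for a 64 KiB sample


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of buf in bits per byte (8.0 is the maximum)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify(buf: bytes):
    """Return (verdict, detail) for the first bytes of a disk or container."""
    for offset, magic, label in KNOWN_SIGNATURES:
        if buf[offset:offset + len(magic)] == magic:
            return ("known-signature", label)
    entropy = shannon_entropy(buf)
    if entropy >= ENTROPY_THRESHOLD:
        # Could be ciphertext, a wiped disk, or compressed data: not proof.
        return ("high-entropy-no-signature", round(entropy, 3))
    return ("low-entropy-unidentified", round(entropy, 3))


def pseudo_random(n_blocks: int = 2048) -> bytes:
    """Constructed stand-in for ciphertext: a deterministic SHA-256 stream."""
    return b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest()
                    for i in range(n_blocks))


# Constructed samples (64 KiB each), not real disk images.
headerless = pseudo_random()                   # no header, like the volume above
luks_like = b"LUKS\xba\xbe" + headerless[6:]   # encrypted but self-identifying
_plain = bytearray(65536)
_plain[3:11] = b"NTFS    "
_plain[510:512] = b"\x55\xaa"
ntfs_like = bytes(_plain)                      # unencrypted filesystem start

if __name__ == "__main__":
    for name, sample in [("headerless", headerless), ("luks_like", luks_like),
                         ("ntfs_like", ntfs_like)]:
        print(name, classify(sample))
```

A headerless, high-entropy result is consistent with an encrypted volume but equally with a securely wiped disk, so the check narrows the possibilities without identifying the volume.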

Note that the High-Rely implementation of encryption does not work if you use the drive in iSCSI mode. This is because the machine with the iSCSI initiator is in control of the low-level format of the drive, bypassing the TrueCrypt engine. You can still use hardware encryption if the initiator has AES-NI by loading TrueCrypt on that side of the link (i.e., the server would become the encrypting machine rather than the backup appliance).

If a backup operation is active, data loss may occur if you do an unsafe removal. We therefore recommend that before you unplug or turn off the Backup Appliance or remove a volume, you dismount the TrueCrypt volume first by clicking the safe remove button in the web interface of the appliance.


As can be seen in the nearby screenshot, the NAS setup allows the user to Automount encrypted volumes and enter a hidden password (the encryption key).  This significantly increases the convenience of using encrypted volumes, as the password does not need to be entered each time the NAS is turned on. However, if the NAS is not stored in a locked room this option should be chosen with care as it means someone stealing the entire NAS could simply plug it in at an alternate location and gain access to the data.  However, anyone stealing one of the removable drives would still require both the TrueCrypt engine and the encryption password, making transport of the removable drives a safe operation.

It is critical that the encryption password be remembered or securely recorded. We have not implemented any kind of ‘backdoor’ (and will never implement any ‘backdoor’ or deliberate weakness, even if asked to do so by a government agency), because it would defeat the purpose of the software. The source code for the engine is publicly available, so independent researchers can verify that the source code does not contain any security flaw or secret ‘backdoor’. If the source code were not available, reviewers would need to reverse-engineer the executable files. However, analyzing and understanding such reverse-engineered code is so difficult that it is practically impossible to do (especially when the code is as large as the TrueCrypt code). There is no way to rescue encrypted data if the encryption key (password) is lost. We strongly suggest you save the key.

For a setup walkthrough, click here

Posted in Blog

4 Things You Have To Know About Encryption for Backup

April 2nd, 2014 by

 Encryption is becoming a more important topic as more companies struggle to meet compliance requirements and keep their data secure.  Encryption is used more than you might expect, including for various website security functions.  Backups are another important area to consider using encryption on. To completely protect your data and your backup, you should consider encrypting both the data in motion and at rest.  Here are 4 things you have to know about encryption for backup that will help you understand the landscape.

  1. There are 2 types of Encryption: Symmetric and Asymmetric. Symmetric encryption means the same mathematical “key” is used for both encrypting and decrypting. A common example of symmetric encryption is AES (Advanced Encryption Standard), which is used for data at rest such as on hard drives or to encrypt private networks. By contrast, in asymmetric encryption 2 different keys are used: a “public key” for encrypting and a “private key” for decrypting. This type of asymmetric encryption is referred to as Public Key Infrastructure (PKI) or public-key cryptography and is often used for encryption of data in motion over the Internet. Asymmetric encryption key lengths must be longer than symmetric key lengths to provide similar protection. A key length of 2048 bits is considered a very secure standard when using asymmetric encryption. However, a key length of only 256 bits using AES is considered all but unbreakable when using symmetric encryption.
  2. Encrypting data can reduce Backup Performance by 80%. There can be serious speed penalties to encryption. There is a common misconception that you can totally overcome the CPU-intensive calculation penalty using the proper hardware. But encryption can increase the size of your data and no amount of fancy hardware will change this. AES is a block cipher and requires the input to be a multiple of the block size (16 bytes or 128 bits), which means padding schemes are used. Sometimes the padding is negligible, but under some conditions encrypted data sizes can increase significantly. For example, a VPN IPSec Tunnel with an Encrypted IP GRE Tunnel can increase the size of a G.711 voice packet and require 40% more bandwidth than would otherwise be required. But let’s talk about encrypting a hard drive on a typical Network Attached Storage (NAS) appliance to protect your backup. Since many consumer-grade boxes use Intel Atom or similar low-end CPUs, encryption can be a big drag. One test we did on an Atom-based (and Gigabit-connected) NAS showed the backup speed dropped from 89MB/sec to 19MB/sec. That’s a difference of backing up around 320 Gigabytes of data per hour to around 68 GB/Hr. Which brings us to our next topic: how do we improve that?
  3. Modern CPUs have hardware encryption built in. If you will be doing encryption, you should consider using special hardware or making sure you’re doing it with a CPU that has additional hardware instructions to help your performance. Both AMD and Intel offer encryption support in hardware. This feature is called AES-NI. Starting in 2010 Intel offered their Core processor family (codename Westmere) with seven special AES instructions. Beyond improving performance, the AES instructions provide important security benefits. By running in data-independent time and not using tables, they help in eliminating the major timing and cache-based attacks that threaten table-based software implementations of AES. As you might expect, your software must be capable of using the instructions too. Many Intel i5, i7, and Xeon processors have AES-NI. A few Atom processors also have it. The difference in performance when encryption is turned on using these features can be night and day, although if you have a fast CPU doing nothing else it can sometimes overcome even if it lacks the new instructions. Refer to this link for a list of compatible CPUs from Intel. To find out if you have AES-NI on your machine already, load and install the Intel Processor Identification Utility. Check the “CPU Technologies” tab for AES New Instructions as shown in the screen shot nearby.
  4. Your Backup Software Must Support the Encrypting Hardware. OK, you’ve got the right hardware. But you won’t achieve good backup speed unless your OS and backup software (which is often where encryption is turned on) use the hardware. Check with your backup vendor to ensure not only that they support encryption, but that they use the AES-NI instruction set to do it. A backup product like ShadowProtect supports AES-NI encryption techniques but other top tier vendors such as Veeam do not. Either way, you can use an encrypting NAS such as a NetSwap from Highly Reliable Systems or an encrypting backup drive to overcome the software limitations. You should also be aware if you use encryption on a laptop that some devices have an option in the BIOS that lets you enable/disable AES-NI to save battery life.
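On Linux, the check that item 3 performs with the Intel utility can be made by reading the CPU flags the kernel reports. The following Python is an added example, not from the original article; it assumes an x86 system exposing /proc/cpuinfo, and the sample texts in it are constructed.

```python
from pathlib import Path

# Constructed /proc/cpuinfo excerpts (not taken from real machines).
SAMPLE_WITH_AES = (
    "processor\t: 0\nmodel name\t: Example CPU A\n"
    "flags\t\t: fpu sse2 ssse3 pclmulqdq aes avx\n\n"
    "processor\t: 1\nmodel name\t: Example CPU A\n"
    "flags\t\t: fpu sse2 ssse3 pclmulqdq aes avx\n"
)
SAMPLE_WITHOUT_AES = (
    "processor\t: 0\nmodel name\t: Example CPU B\n"
    "flags\t\t: fpu sse2 ssse3\n"
)


def aes_support(cpuinfo_text: str) -> dict:
    """Map each logical processor id to True/False for the 'aes' CPU flag."""
    result = {}
    for block in cpuinfo_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" not in fields:
            continue
        # Match the whole token: a substring test would also hit other
        # flags that merely contain "aes", such as "vaes".
        result[fields["processor"]] = "aes" in fields.get("flags", "").split()
    return result


def all_cores_have_aes(cpuinfo_text: str) -> bool:
    """True only if at least one processor is listed and all report 'aes'."""
    support = aes_support(cpuinfo_text)
    return bool(support) and all(support.values())


def host_has_aes_ni(path: str = "/proc/cpuinfo"):
    """Check the running host; returns None where the file does not exist."""
    cpuinfo = Path(path)
    if not cpuinfo.exists():
        return None
    return all_cores_have_aes(cpuinfo.read_text())


if __name__ == "__main__":
    print("sample with AES-NI:   ", aes_support(SAMPLE_WITH_AES))
    print("sample without AES-NI:", aes_support(SAMPLE_WITHOUT_AES))
    print("this host:            ", host_has_aes_ni())
```

The result reflects what the operating system sees, so a flag hidden by a BIOS setting or a hypervisor shows up here as missing even when the silicon supports it.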

Encryption is a necessary part of your data protection strategy. Compliance laws like HIPAA dictate you strongly consider using it to protect yourself and your clients. Use a combination of hardware and software supporting AES with a 256-bit key to ensure encryption doesn’t impact your backup or recovery time objectives.

 

 

Posted in Spotlight