Encryption Requirements
- Agents must be newly added to set up encryption.
- Agents that are already protected must be removed and re-added as an encrypted agent.
- Agents that have existing data cannot be re-paired (By FQDN or hostname).
- You can find the FAQ for encryption here and additional information regarding SIRIS encryption here.
- TCP port 3260 (iSCSI) must be open for encryption to work.
Pairing Encrypted Agents
You can choose to encrypt an agent through the System Backup Wizard screen in the Datto appliance GUI.
Figure 1: Agent Pairing
The encryption technologies on your device are designed to frustrate brute-force passphrase recovery. Datto cannot access or reset your passphrase. If you forget your passphrase, there is no way to recover your data.
After the pairing process completes, you will see an encrypted agent appear on your Agents page.
Figure 2: Agent settings
You may now interact with the agent normally.
Changing the passphrase on an encrypted agent
- Click Protect in the device web UI.
- Find the agent for which the passphrase will change, then clickChange passphrase.
Figure 3: Change passphrase (click to enlarge)
Limitations of Encrypted Agents
- Encrypted agents are uncompressed and will take up additional space on a device.
- Upon reboot, you will need to enter the passphrase for the agent to resume backups.
Figure 4: Encrypted backups (click to enlarge)
- Any restore actions require the passphrase. Restore actions include file restores, Image exports, local virtualization, and bare metal restores.
- Troubleshooting for encrypted agents is more difficult due to the need for the passphrase.
FAQ
What are the minimum requirements for an encryption passphrase?
During the encrypted agent passphrase creation process, your Datto appliance will check for passphrase strength via zxcvbn (external link) and provide feedback about its complexity in the GUI. Passphrases must adhere to the following criteria:
- A minimum length of 8 characters
- A maximum length of 128 characters
- A minimum score of 3 from zxcvbn
- Passphrases cannot contain Datto-specific common terms (Datto, SIRIS, device, partner, etc.)
Will encryption affect the support process?
For issues involving either the device in general or unencrypted agents, Datto Support Technicians will still have access via Secure Shell (SSH) and Remote Web (SSL) sessions for troubleshooting. When an issue involves an encrypted agent, and decryption is required for Datto Support to troubleshoot, partners can to open a six-hour SSH session using their passphrase. The Datto Support Technician will then be granted access to that agent’s data for the six (6) hour window to perform the necessary maintenance.
You can only open Secure SSH sessions from Remote Web (SSL) connections.
Will partners ever be required to transfer their encryption credentials to Datto?
No. You will never need to share your password with Datto Support Technicians for any troubleshooting, support, or other device maintenance processes. If for whatever reason the passphrase is ever communicated to Datto, it will need to be reset by the partner immediately to ensure security standards are maintained.
Will I be able to encrypt the agents I currently have on my device?
To use encryption on an existing agent, you must remove and re-add it to the device. Removal will delete all the agent’s local and cloud backups. Datto recommends that local recovery points be exported to external media before you remove the agent. Copying this data ensures you have incremental backups capable of virtualization in case a restore is required. You should also encrypt the external media to maintain security for exported backups.
If you would like to keep an agent’s existing recovery points on the local device and in the cloud,
you can archive it rather than removing it entirely. See the Archived Agents Knowledge Base article for more information.
How is encryption handled once I transmit data off of the local device?
Agent data will always stay in its encrypted state. Data remains encrypted when in transit to our off-site cloud (or a Private Cloud Node), while in the cloud, and while in one of our encrypted RoundTrip devices. Datto highly recommended that you utilize Datto’s RoundTrip drives to get encrypted agent data off-site.
Am I required to encrypt data for all agents on my device?
No. Agent-level encryption is an optional tool to utilize when adding a new agent.
Is there a master decryption key that Datto can use during the support process?
No. Datto does not possess a master decryption key for our encryption software. Should you ever lose your passphrase, the data associated with that agent will be permanently inaccessible. You must make this clear to your client when enabling encryption on agents.
Under our Service Level Agreement (SLA) with Datto, what is the process and timeframe for retrieval of data if I lose my encryption passphrase?
Datto is incapable of retrieving data without the partner’s encryption key. If a passphrase is lost, Datto will be unable to access, retrieve, or restore encrypted data on behalf of the partner.
I lost the passphrase for one of my agents. Can I still remove this agent from my device?
Yes, with assistance from Datto Technical Support. If you happen to lose your passphrase, please contact Support to begin the agent removal process. After Support completes the agent removal, you can re-add your agent to the device, reapply a new passphrase, and start taking new backups.
Can I change my encryption passphrase?
Yes. You may change your encryption passphrase at any time. If you choose to do so, be sure to disseminate this information to the appropriate parties in your organization.
Comments
0 comments
Please sign in to leave a comment.