How to set up client-side and server-side encryption in Zmanda
Introduction
Zmanda uses AES-256-bit encryption. You also have the option to choose between server-side and client-side encryption.
Choosing where encryption takes place will depend on your requirements. If the data must be encrypted from source to storage, then client-side encryption is recommended. If this level of security is not required and/or if consuming client-side memory and CPU is a concern, encryption can be done on the server. It is also possible to disable encryption entirely.
Furthermore, Zmanda provides the option to bring your own encryption keys. You will be required to protect and manage your own keys - doing so is essential for data restoration.
You must also have installed and configured the Linux or Windows agent on the source system. See these links for more details:
- Linux
- Windows
How to enable encryption in Zmanda
1. Log in to the ZMC
2. Go to Sources>ADD SOURCE> and choose the source you would like to create
3. Under the Encryption Strategy dropdown, choose On Server or On Client.
4. Configure the rest of the source details as desired, and click SAVE
About encryption in Zmanda
Client-side encryption on a Windows system requires that you generate and input your own encryption key in the Zmanda Windows Client (ZWC) Configuration Utility.
After generating and saving a new key using the tool of your choice, go to your Windows client system, open the ZWC Config Utility, go to the Advanced tab, and input the key in the AES Key field. Click Save, then Exit.
Linux systems, including the backup server, will automatically generate an encryption key which is stored in the /var/lib/amanda/.am_passphrase file. Each system has a unique key. You are responsible for the management of your keys, so be sure to copy them to a secure location along with the sources they are associated with.
Restoring Data
Server-Encrypted Data
Server-encrypted data will automatically be decrypted by the server upon restoration. Simply ensure that the server encryption key from the /var/lib/amanda/.am_passphrase file is the same as the key you used to encrypt the data.
Linux Client-Encrypted Data
First, save a copy of the encryption key on the Zmanda server from /var/lib/amanda/.am_passphrase. Then, replace the contents of the same file on the backup server with the encryption key from the client (you can find the encryption key on the same path as on the server). Finally, run the restore.
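The key swap described above can be scripted so that the server key is never lost. This is an added example, not part of the Zmanda documentation or tooling: the function names, the ".server-key.saved" suffix and the PASSFILE override are assumptions, and putting the server key back after the restore is an assumed follow-up to saving a copy of it.

```shell
#!/bin/sh
# Added example: key swap around a restore of Linux client-encrypted data.
# PASSFILE is the path named on this page; the function names, the
# ".server-key.saved" suffix and the PASSFILE override are assumptions.
PASSFILE="${PASSFILE:-/var/lib/amanda/.am_passphrase}"
SAVED="${PASSFILE}.server-key.saved"

# Before the restore: keep a copy of the server key, then install the client key.
swap_in_client_key() {
    client_key="$1"    # copy of the client's .am_passphrase, fetched securely
    [ -s "$client_key" ] || { echo "client key missing or empty" >&2; return 1; }
    [ -f "$PASSFILE" ]   || { echo "no server key at $PASSFILE" >&2; return 1; }
    # Refuse to overwrite an earlier saved copy: it may be the only copy
    # of the server key left on this machine.
    [ ! -e "$SAVED" ] || { echo "$SAVED exists; restore it first" >&2; return 1; }
    ( umask 077; cp -p "$PASSFILE" "$SAVED" ) || return 1
    cmp -s "$PASSFILE" "$SAVED" || { echo "saved copy differs" >&2; return 1; }
    # Overwrite the contents in place so the file keeps its owner and mode.
    cat "$client_key" > "$PASSFILE" || return 1
    cmp -s "$client_key" "$PASSFILE"
}

# After the restore: put the server key back and remove the saved copy.
restore_server_key() {
    [ -s "$SAVED" ] || { echo "no saved server key at $SAVED" >&2; return 1; }
    cat "$SAVED" > "$PASSFILE" || return 1
    cmp -s "$SAVED" "$PASSFILE" || return 1
    rm -f "$SAVED"
}
```

Call swap_in_client_key with the path to the client's key file, run the restore from the ZMC, then call restore_server_key. Both functions must run as a user that can write the passphrase file.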
Windows Client-Encrypted Data
The Windows system to which the data is being restored must have, in its AES Key field, the same encryption key that was used to encrypt the data, as shown in the above screenshot.