TechTip: Backups and Encryption: A Perfect Match 

Apr 13, 2009 03:37 PM

How can you make backup and encryption products work together without having to completely reinvent the wheel?

The answer lies in understanding how the encryption works, and realizing the differences between restoring file-based backups and full-disk backups.  Symantec Endpoint Encryption Full-Disk Edition encrypts the hard drive at a sector level, running at a low level beneath the operating system.  Individual files are not encrypted; the disk itself is encrypted.  So when you perform file-based backups rather than full-disk backups, the encryption of the disk has no effect on the files and you can restore them exactly as you always have. 

Full-disk backups are a different story.  When you have Endpoint Encryption running, a backup product can easily take a full snapshot of the drive in cleartext.  With traditional Symantec backup programs such as NetBackup, Ghost Solution Suite, PureDisk, Backup Exec, and Altiris Recovery Solution, there is nothing related to encryption in the backup process, so backup images are created in cleartext.  But if you want to recover a backed-up image later, the image will not be encrypted when it is written to the disk.  What you need to do is restore the cleartext image to the disk, and then re-install the encryption.  You can perform these steps manually, or you can build a script to take care of it.

Encrypting only non-white space

One useful feature offered by Endpoint Encryption is the option of having only non-white (used) space encrypted.  To use this feature, select "Include unused disk space when encrypting partitions" in the Advanced Options section of the Full Disk Installation Settings screen.  If you have a drive where some segments contain data and other segments don't contain data, this option will tell the encryption program to encrypt only the parts of the drive that contain data.  The encryption will go more quickly as a result. 

If you have a drive that has been in use and you don't reformat it, and you don't re-image it immediately from a backup, there may be data remaining on the drive that the operating system thinks has been erased.  So if you skip encrypting the part of the drive that is supposedly empty, that leftover data stays on the disk in cleartext and you risk losing sensitive data.  If you want to encrypt only non-white space and be sure not to lose sensitive data, you need to be sure that the areas you are reporting as empty actually are empty by overwriting them with zeros.

However, if you do a full backup and then reformat the drive before restoring the image, you can perform a quick encryption of the non-white space because you will know for sure that the remainder of the disk is empty and you need not worry about losing any data. 
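
The check described above, that space reported as empty really is zeroed before a used-space-only encryption, is sketched here as an added example (not Symantec code and not part of the original tip). It assumes a raw disk image, 512-byte sectors, and an allocation map given as (start, length) extents; the sample image, its contents, and the map are constructed.

```python
import io

SECTOR = 512  # assumed sector size for this example

def free_extents(used, total_sectors):
    """Complement of the used extents: [(start, length), ...] in sectors."""
    free, cursor = [], 0
    for start, length in sorted(used):
        if start > cursor:
            free.append((cursor, start - cursor))
        cursor = max(cursor, start + length)
    if cursor < total_sectors:
        free.append((cursor, total_sectors - cursor))
    return free

def stale_sectors(image, used, total_sectors):
    """Return sector numbers in 'free' space that still hold non-zero bytes."""
    zero = bytes(SECTOR)
    stale = []
    for start, length in free_extents(used, total_sectors):
        image.seek(start * SECTOR)
        for n in range(start, start + length):
            if image.read(SECTOR) != zero:
                stale.append(n)
    return stale

def zero_sectors(image, sectors):
    """Overwrite the given sectors with zeros."""
    for n in sectors:
        image.seek(n * SECTOR)
        image.write(bytes(SECTOR))

def build_sample_image():
    """Constructed 16-sector image: sectors 0-3 and 8-9 are in use,
    sector 12 holds a remnant of a file the OS considers deleted."""
    img = io.BytesIO(bytes(16 * SECTOR))
    for n in (0, 1, 2, 3, 8, 9):
        img.seek(n * SECTOR)
        img.write(b"LIVE" * 128)
    img.seek(12 * SECTOR)
    img.write(b"old payroll record")
    return img

USED = [(0, 4), (8, 2)]  # constructed allocation map: (start, length)

if __name__ == "__main__":
    img = build_sample_image()
    found = stale_sectors(img, USED, 16)
    print("stale sectors before wipe:", found)
    zero_sectors(img, found)
    print("stale sectors after wipe:", stale_sectors(img, USED, 16))
```

An empty result from `stale_sectors` is the condition under which skipping the unused space leaves no cleartext remnants behind.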
