Backup and De-duplication of Encrypted Data

Data can be encrypted. Data can be backed-up. And data can be de-duplicated. But can that same data be encrypted, backed up and then de-duped? As usual, it depends …

Recently we received a question looking for clarification on the potential de-duplication of encrypted virtual machine data. The question was based around a solution environment which provided VM-level encryption as well as backup of the same VMs. The concern was whether or not de-duplication would be possible or effective at the backup appliance stage.

The primary products involved are:

While the customer wanted to encrypt their virtual machine data with CloudLink SecureVM, they also wanted to take advantage of the ability of Data Domain to dedupe that same data once the VM was backed up. In this scenario Avamar was the backup engine, using Data Domain to store, dedupe and/or compress the backed-up data.

The main stumbling point is that the encryption is taking place at the VM-level.

Because the data is encrypted at the VM level, what reaches the Data Domain is ciphertext, which offers no repeated blocks or patterns to match, so the backed-up data cannot be de-duplicated (the same also applies to compression of the backed-up data) …

… BUT, hold tough, all is not lost. There is a workaround or a compromise to be found.

While it’s true that VM-level volume encryption limits the ability to compress and de-dupe the backed-up data, SecureVM does allow the user to control/specify which VM volumes are encrypted.


Considering that the most benefit is typically derived from de-duplication of boot volumes/root partitions, the user could opt to leave these volumes un-encrypted, and encrypt only the data volumes.

So while it’s not entirely Win-Win, there’s definitely some Win in there!
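To put rough numbers on the trade-off, here is an added example (not from the original post, and not how Data Domain or SecureVM are implemented) that backs up two constructed VMs in three layouts and measures chunk-level dedupe and zlib compression. It assumes fixed 4 KiB chunks, a separate key per VM, and a SHA-256 keystream as a stand-in for real volume encryption.

```python
import hashlib
import zlib

CHUNK = 4096  # assumption: fixed-size chunks; real appliances often use variable-size segments

def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for volume encryption: XOR with a SHA-256 counter keystream.
    Illustrative only, not a vetted cipher and not what SecureVM uses."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def make_volume(tag: str, chunks: int = 64) -> bytes:
    """Constructed sample volume: distinct, highly compressible 4 KiB chunks."""
    vol = bytearray()
    for n in range(chunks):
        line = f"{tag}/record-{n:04d}\n".encode()
        vol += (line * (CHUNK // len(line) + 1))[:CHUNK]
    return bytes(vol)

def dedupe_ratio(images) -> float:
    """Logical chunks divided by unique chunk fingerprints across all backups."""
    total, unique = 0, set()
    for img in images:
        for off in range(0, len(img), CHUNK):
            unique.add(hashlib.sha256(img[off:off + CHUNK]).digest())
            total += 1
    return total / len(unique)

def compress_ratio(images) -> float:
    raw = b"".join(images)
    return len(raw) / len(zlib.compress(raw))

def compare_layouts() -> dict:
    boot = make_volume("os")  # same OS image on both VMs
    data = {k: make_volume(f"{k}-data") for k in ("vm-a", "vm-b")}
    key = {k: f"{k} key (constructed)".encode() for k in data}  # assumed per-VM keys
    layouts = {
        "all plaintext": [boot + data[k] for k in data],
        "all volumes encrypted": [toy_encrypt(boot + data[k], key[k]) for k in data],
        "boot plain, data encrypted": [boot + toy_encrypt(data[k], key[k]) for k in data],
    }
    return {name: (dedupe_ratio(imgs), compress_ratio(imgs)) for name, imgs in layouts.items()}

if __name__ == "__main__":
    for name, (dd, cz) in compare_layouts().items():
        print(f"{name:28s} dedupe {dd:.2f}x  compress {cz:.2f}x")
```

On this constructed data the partial layout keeps the full dedupe ratio, because the only duplicate chunks were in the shared boot volume, while compression is still lost on the encrypted data volumes.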

All of the above is in reference to VM-level encryption, which is storage agnostic, but what about storage level encryption, such as with vSAN? 

vSAN encryption operates at a lower level (Data-at-Rest Encryption), so images pulled out of an encrypted vSAN can realise the benefits of dedupe and compression. CloudLink can also act as a KMIP-compliant key manager to enable vSAN encryption, e.g. on VxRail and VxRack SDDC.

For more VMware-specific information, @keiltypeter has a great summary of What’s New in vSphere 6.5: Security, which includes links to resources and posts by @mikefoley and @DuncanYB covering the associated considerations and benefits of VM Encryption in vSphere v6.5 and vSAN encryption.

Hope that helps!
