Rubrik
Rubrik software encryption for data at rest works on the application level, meaning all the work and encryption is performed through software. As data is ingested, Rubrik generates a unique one-time-only symmetric Data Encryption Key (DEK). DEKs utilize the AES-256 cipher and are utilized to encrypt both the ingested backup data, along with any associated metadata generated by Rubrik. This process ensures that without the associated DEK the data is essentially unreadable, even by the Rubrik platform. This results in the need to store this associated DEK somewhere alongside the data itself.
Therefore when Rubrik needs to read this data, it must pass through two phases of encryption, first decrypting the DEK with a KEK, then decrypting the data itself. To obtain and manage KEK’s, customers can leverage an external Key Management Interoperability Protocol (KMIP) compliant key management server such as the CipherTrust Manager.
Supported Product Versions
Note
The integration is performed and certified on LTS release versions of CipherTrust Manager only. Feature releases support the integration and are covered under technical support but will not be explicitly certified. To know more about CipherTrust Manager release versions, click here.
This integration is validated on the following software versions:
CipherTrust Manager
- CipherTrust Manager 2.3 and higher
Rubrik
- Rubrik 6.0
- Rubrik 7.0
Prerequisites
Ensure that the CipherTrust Manager is installed and configured. For more details, refer to the the CipherTrust Manager Documentation
Rubrik communicates with the CipherTrust Manager using the KMIP interface. Ensure that the KMIP interface is configured on the CipherTrust Manager. For more details, refer to the Administrator Guide of CipherTrust Manager.
CipherTrust Manager recognizes only registered KMIP clients. Ensure that KMIP client is registered. Refer to the KMIP Client Registration for more details.
