This is a question from one of my customers:
A further note, within the DLO Admin Guide (v7.6), it mentions the following:
It looks like the passphrase configured in the Admin Console is used for encrypting the encryption keys, but the keys themselves are internally generated by DLO. Is it possible to get further information on the process for generating the encryption keys?
Does Symantec have a white paper on this process? If not, is it possible to explain exactly what happens.
NB: These questions are coming from the security team who are trying to protect the backups of their executives' data.
DLO uses active directory for user authentication. For each user it generates unique key (user key). User key gets encrypted twice first with AES-256 encryption and then key is encrypted again using Global Recovery Key (public key) before it travels over a wire. Algorithm used for second encryption is RSA-OAEP (MGF1 with SHA1). Public key in use is generated using global recovery credentials. With this mechanism every user has a unique two fold encryption layer security for their data.
If you need further details request to me on my e-mail id.