SUMMARY
Encryption and security of data during transfer and at rest
DESCRIPTION
Transfer
From vSphere/ESX:
Data is read from the vSphere environment using the Boomerang appliance, and then directly uploaded into the object storage location eg. S3. No data is persisted on the appliance.
Reading data from the vSphere environment is performed using the VDDK - initially using Network Block Device (NBD) then failing to SAN and HOTADD respectively. The default communication port is TCP 902.
NBD connections are based on the level of support from ESX. The initial connection will be attempted over NBDSSL, which will encrypt the data in transport using SSL. If NBDSSL is not supported by the ESX environment, this will then attempt to use NBD non-encrypted to access the data.
To Object Storage - in this case (S3)
All data is transferred over https (TCP 443) - directly into the S3 api endpoints. Authentication of the request into S3 uses AWS Signature Version 4 if required (http://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html)
At Rest
vSphere
No data is persisted on the appliance. Any snapshots called during replication will be removed when the replication has completed.
Amazon Web Services
All data stored in S3 is encrypted using Amazon S3-managed encryption keys (SSE-S3) - AES256 encryption on all objects uploaded.
When an instance is created in EC2, data inside the instance is not encrypted (and the data is copied and no longer at rest)