Security

Encryption and compression

Data protection in transit — encryption on wire, TLS 1.3 for APIs and GUI, compression, and platform-native encryption at rest.

Product: Datamotive Platform
Version: v2.0.3

Datamotive secures data on three layers: all inter-node transfers are secured, replication data can additionally be encrypted on the wire per plan, and the management interfaces run on TLS 1.3.

Replication data in transit

  • All inter-node transfers are secured. Connectivity between Datamotive nodes — within and across sites — carries metadata and protected VM data over private subnets or secured VPN tunnels, per your network design.
  • Encryption on Wire is a per-plan replication option that encrypts data in transit from source to destination. Encrypted replication traffic uses the dedicated port 5002 (see Ports).
  • Compression is a per-plan option applied in transit; the dashboard's Data Reduction metric reports the achieved average across compression-enabled replications.
  • Dedupe further reduces transferred data by reusing already-replicated chunks via the DeDup Node — see Block transfer.

Set all three in the plan's replication configuration.

Management interfaces

The GUI and REST APIs are served over TLS 1.3 from the Management Server (port 5000). Nodes ship with a self-signed certificate; replace it with a CA-signed or custom certificate using the documented CLI procedure — see Maintenance — SSL certificate.
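
One way to confirm the state of a Management Server after the certificate has been replaced, as an added example (not Datamotive code or tooling): it checks that port 5000 negotiates TLS 1.3 and that the certificate validates against the local trust store instead of still being the shipped self-signed one. The function names and the host argument are hypothetical, and the TLS 1.2 probe assumes your policy wants older protocol versions refused, which the page does not state.

```python
import socket
import ssl
import sys

# OpenSSL verify codes: 18 = self-signed leaf, 19 = self-signed cert in chain.
SELF_SIGNED = {18, 19}

def _ctx(verify, lo=None, hi=None):
    """Client context; verify=False skips chain checks so only the protocol is probed."""
    ctx = ssl.create_default_context() if verify else ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if lo:
        ctx.minimum_version = lo
    if hi:
        ctx.maximum_version = hi
    return ctx

def handshake(host, port, ctx, timeout=5.0):
    """Return (negotiated version or None, OpenSSL verify code or None)."""
    raw = socket.create_connection((host, port), timeout=timeout)  # unreachable host raises
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), 0
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_code
    except (ssl.SSLError, OSError):
        return None, None  # handshake refused or reset by the server
    finally:
        raw.close()

def assess(tls13, legacy, verify_code):
    """Turn the three probe results into a list of findings (empty list = clean)."""
    findings = []
    if tls13 != "TLSv1.3":
        findings.append("TLS 1.3 handshake failed")
    if legacy is not None:
        findings.append(f"legacy protocol accepted: {legacy}")
    if verify_code in SELF_SIGNED:
        findings.append("self-signed certificate still installed")
    elif verify_code != 0:
        findings.append(f"certificate did not validate (OpenSSL verify code {verify_code})")
    return findings

def check(host, port=5000):
    tls13, _ = handshake(host, port, _ctx(False, lo=ssl.TLSVersion.TLSv1_3))
    legacy, _ = handshake(host, port, _ctx(False, hi=ssl.TLSVersion.TLSv1_2))
    _, code = handshake(host, port, _ctx(True))
    return assess(tls13, legacy, code)

if __name__ == "__main__" and len(sys.argv) > 1:
    for line in check(sys.argv[1]) or ["ok: TLS 1.3 only, certificate validates"]:
        print(line)
```

Run it with the Management Server hostname as the only argument; a certificate signed by an internal CA validates only if that CA is in the trust store of the machine running the check.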

Encryption at rest

At rest, recovered and replicated data uses the target platform's native storage encryption:

  • AWS — KMS-encrypted EBS volumes are supported. If disk encryption is used, the Datamotive IAM user needs the documented KMS key permissions on all keys in the primary and DR sites, and the encryption KMS key is selected per VM in the recovery configuration. Target disk encryption depends on the source disks being encrypted, and enabling an encryption key for an instance cannot be reversed.
  • Azure — disk-access modes (Allow All / Allow Private / Deny All) and disk access keys are configured per VM in the recovery configuration.

Appliance hardening

All Datamotive appliances are based on CIS-hardened Ubuntu Server images, shipped as OVAs or cloud-native machine images.
