NS0-530 NCIE DataFort Security Exam

Which three DataFort configuration procedures are allowed by the Setup Wizard? (Choose three.) A. Tandalone configuration B. Cluster configuration C. DataFort recovery D. DataFort trustee setup Answer: A, B, C How can you determine if the DataFort is configured to use SSL when communicating with the LKM? A. through the LKM Settings page of the WebUI B. through the Backup page of the WebUI C. using the CLI lkm show command D. through the SSL Config page of the WebUI Answer: A Which three allow automatic synchronization of keys? (Choose three.) A. cloning + LKM B. trustees C. clustering D. KM500 policy-based key-sharing Answer: A, C, D If a tape drive writes 30MB/s under stress conditions, how many tape drives can be supported by a single FC520 DataFort to achieve maximum performance from DataFort and each tape drive? A. 4 B. 5 C. 6 D. 7 Answer: C How does clustering FC DataFort appliances affect performance? A.  Each additional cluster member causes a small performance penalty. B.  All DataFort appliances must have unique paths to the same LUNs to avoid performance degradation. C.  Performance of each node increases slightly as additional cluster members are added. D.  The performance of a single DataFort is the same whether configured as a standalone or in a cluster. Answer: D Which five filtering options does the network capture capability on the DataFort allow? (Choose five.) A. filter on IP address B. filter on DNS hostname C. filter on port number D. filter on IP protocol E. filter on user ID F. filter using "and," "or," and "not" Answer: A, B, C, D, F Which two steps should be taken to ensure that a host connected to DataFort can see all devices if Port Mapped Cryptainer vaults are created for multiple devices? (Choose two.) A. grant the host access permissions to each Cryptainer vault B. add device WWPN to the host side zone C. add device virtual WWPN to the host side zone D. add host WWPN to the storage side zone Answer: A, C The FC-Series DataFort appliance will switch the data path to an alternate cluster member in the event of a hardware failure. True or false A. True B. False Answer: B According to the Decru Key Management Best Practices White Paper, when a Recovery Card has failed, what should you do to properly replace the failed card? A. Replace the single failed Recovery Card B. Replace the entire set of Recovery Cards C. zeroize the DataFort and restore from backup D. Regenerate the faulty card at LKM Answer: A According to the Decru Key Management Best Practice White Paper, what should you do to replace lost Recovery Cards? A. Replace only the single lost Recovery Card B. Replace the entire set of Recovery Cards C. zeroize the DataFort and restore from backup D. Regenerate the lost card at LKM Answer: B When initializing a new DataFort or replacing a failed DataFort, which statement about the System Card for SAN 2.x is true? A. You need an uninitialized V147 System Card. B. You need a fully initialized V147 System Card. C. You need an uninitialized V144 System Card. D. You need a fully initialized V144 System Card. E. You need an uninitialized V103 System Card. Answer: A Which two DataFort properties allow hosts to write 256k blocks to STK 99xx drives? (Choose two.) A. dfc.tape_compression_forced true B. dfc.tape_preserve_blocksize true C. dfc.support_256k_writes true D. dfc.tape_compression_enabled true E. dfc.tape_read_ahead false Answer: A, B Which are the three ways to share a key between two physical sites? (Choose three.) A. trustee B. key translation at LKM C. DataFort clustering D. master key archive E. configdb export Answer: A, B, C Which two support encryption of disk I/O? (Choose two.) A. FC520 B. FC525 C. FC1020 D. S110 E. KM500 Answer: A, B How many SCSI ports are on an S110? A. 1 B. 2 C. 3 D. 4 E. 5 Answer: B Which three DataFort configuration procedures are allowed by the Setup Wizard? (Choosethree.)A. Tandalone configurationB. Cluster configurationC. DataFort recoveryD. DataFort trustee setupAnswer: A, B, CHow can you determine if the DataFort is configured to use SSL when communicating with theLKM?A. through the LKM Settings page of the WebUIB. through the Backup page of the WebUIC. using the CLI lkm show commandD. through the SSL Config page of the WebUIAnswer: AWhich three allow automatic synchronization of keys? (Choose three.)A. cloning + LKMB. trusteesC. clusteringD. KM500 policy-based key-sharingAnswer: A, C, DIf a tape drive writes 30MB/s under stress conditions, how many tape drives can be supported bya single FC520 DataFort to achieve maximum performance from DataFort and each tape drive?A. 4B. 5C. 6D. 7Answer: CHow does clustering FC DataFort appliances affect performance?A.  Each additional cluster member causes a small performance penalty.B.  All DataFort appliances must have unique paths to the same LUNs to avoid performancedegradation.C.  Performance of each node increases slightly as additional cluster members are added.D.  The performance of a single DataFort is the same whether configured as a standalone or in acluster.Answer: DWhich five filtering options does the network capture capability on the DataFort allow? (Choosefive.)A. filter on IP addressB. filter on DNS hostnameC. filter on port numberD. filter on IP protocolE. filter on user IDF. filter using "and," "or," and "not"Answer: A, B, C, D, FWhich two steps should be taken to ensure that a host connected to DataFort can see all devicesif Port Mapped Cryptainer vaults are created for multiple devices? (Choose two.)A. grant the host access permissions to each Cryptainer vaultB. add device WWPN to the host side zoneC. add device virtual WWPN to the host side zoneD. add host WWPN to the storage side zoneAnswer: A, CThe FC-Series DataFort appliance will switch the data path to an alternate cluster member in theevent of a hardware failure. True or falseA. TrueB. FalseAnswer: BAccording to the Decru Key Management Best Practices White Paper, when a Recovery Cardhas failed, what should you do to properly replace the failed card?A. Replace the single failed Recovery CardB. Replace the entire set of Recovery CardsC. zeroize the DataFort and restore from backupD. Regenerate the faulty card at LKMAnswer: AAccording to the Decru Key Management Best Practice White Paper, what should you do toreplace lost Recovery Cards?A. Replace only the single lost Recovery CardB. Replace the entire set of Recovery CardsC. zeroize the DataFort and restore from backupD. Regenerate the lost card at LKMAnswer: BWhen initializing a new DataFort or replacing a failed DataFort, which statement about theSystem Card for SAN 2.x is true?A. You need an uninitialized V147 System Card.B. You need a fully initialized V147 System Card.C. You need an uninitialized V144 System Card.D. You need a fully initialized V144 System Card.E. You need an uninitialized V103 System Card.Answer: AWhich two DataFort properties allow hosts to write 256k blocks to STK 99xx drives? (Choosetwo.)A. dfc.tape_compression_forced trueB. dfc.tape_preserve_blocksize trueC. dfc.support_256k_writes trueD. dfc.tape_compression_enabled trueE. dfc.tape_read_ahead falseAnswer: A, BWhich are the three ways to share a key between two physical sites? (Choose three.)A. trusteeB. key translation at LKMC. DataFort clusteringD. master key archiveE. configdb exportAnswer: A, B, CWhich two support encryption of disk I/O? (Choose two.)A. FC520B. FC525C. FC1020D. S110E. KM500Answer: A, BHow many SCSI ports are on an S110?A. 1B. 2C. 3D. 4E. 5Answer: B When are Recovery Cards required in the trustee key-sharing process? A. during the establishment of only the trustee relationship B. during the establishment of the trustee relationship and the key export C. during the establishment of the trustee relationship, key export, and key import D. Recovery Cards are not required in the trustee key-sharing process. Answer: A Which two key policies allow for all keys to be pre-generated and replicated to the DR site? (Choose two.) A. key per tape B. key per pool C. Global Pool with single key D. periodic disk rekey Answer: B, C Which two statements about disk and tape I/O are true? (Choose two.) A.  Disk and tape I/O can be combined through the same standalone DataFort. B.  Disk and tape I/O can be combined through the same cluster but not through the same DataFort. C.  Disk and tape I/O cannot be combined through the same standalone DataFort. D.  Disk and tape I/O cannot be combined through the same cluster. Answer: C, D Which three factors should be considered when assessing the performance impact a DataFort will have on an existing environment? (Choose three.) A. the number of devices connected to a specific DataFort B. the type of Cryptainer vault created (LUN Mapped versus Port Mapped) C. the combined speed of all devices connected to the DataFort D. the device type, tape or disk, being connected to the DataFort Answer: A, C, D California SB1386 requires businesses and government agencies to _____. A.  encrypt personal information on onsite backup tapes when reasonable alternative methods are not in place B.  encrypt all personal information on offsite backup tapes when reasonable alternative methods are not in place C.  encrypt all personal information on both disk and backup tapes, onsite or offsite, when reasonable alternative methods are not in place D.  notify individuals if their unencrypted personal information is believed to have been disclosed to an unauthorized person E.  notify the California District Attorney Office if unencrypted personal information is believed to have been disclosed to an unauthorized person Answer: D During installation of the LKM server software, which configuration options can be specified? A. database type and schema B. target directory and license C. server port number and "using SSL" D. LKM server IP and hostname Answer: B The E-Series DataFort Local ACL feature is designed to prevent unauthorized Windows administrators from gaining Cryptainer access by adding themselves to _____. A. the DataFort Local ACL B. the share ACL C. a group on the server ACL D. a Cryptainer ACL Answer: B Which two statements are true about the NAS Audit Trail log configuration from the E-Series DataFort WebUI? (Choose two.) A. They cannot be signed. B. They cannot be configured to write to the E-Series DataFort Database. C. They can be configured to audit file access. D. They cannot be sent to a Windows event log. Answer: B, C What happens when the DataFort detects an intrusion? A. The DataFort denies all logins and shuts down. B. The DataFort begins beeping. C. The DataFort deletes all data on the servers and iSCSI portals. D. The DataFort stops encrypting and decrypting data. Answer: D What is the maximum number of hosts supported by an FC525? A. 16 B. 32 C. 160 D. 256 Answer: B The tape drives are operating at maximum throughput at 2:1 compression. How many LTO2 tape drives can be used with an FC1020 before becoming throughput limited? A. 3 B. 5 C. 15 D. 25 E. 35 Answer: C According to the Decru Key Management Best Practices White Paper, when a Recovery Card has failed, what should you do to properly replace the failed card? A. Replace the single failed Recovery Card B. Replace the entire set of Recovery Cards C. zeroize the DataFort and restore from backup D. Regenerate the faulty card at LKM Answer: A Under SAN STORAGE SETTINGS in the DataFort WebUI, you have the following Virtualization Settings: Host ON (Virtualize up to 7 storage devices on the host side) Storage OFF (Do not virtualize the storage side) Given these settings, which three statements are true? (Choose three.) A. The DataFort host port cannot connect to an F type switch port. B. The DataFort storage port cannot connect to an F type switch port. C. You can virtualize up to 7 hosts devices. D. You can virtualize up to 7 storage devices. E. The DataFort host side is in multi-ID mode. F. The DataFort host side is in single-ID mode. Answer: A, D, E The DataFort has properly discovered host and storage devices. Port Mapped Cryptainer vaults have been created and permissions have been granted. However, the host does not see the storage device. What is the most likely reason for this? A.  The customer is hard zoned, but forgot to add the DataFort virtual WWNs to the DataFort host side zone. B.  The customer is soft zoned, but forgot to add the DataFort virtual WWNs to the DataFort host side zone. C.  The customer is hard zoned, but specified the wrong port on the DataFort host side. D.  The customer is hard zoned, but specified the wrong port on the DataFort storage side. Answer: B What is the purpose of a Recovery Officer? A. authorizes procedures that may threaten data security B. authorizes decryption of tapes through the appliance that created them C. authorizes admin users who require prior authorization to log in D. performs backups of the DataFort appliance configuration database E. authorizes Cryptainer recovery operations Answer: A An FC1020 supports about how much total throughput? A. 250 MB/s B. 1 GB/s C. 2 GB/s D. 5 GB/s E. 10 GB/s Answer: B The model of tape drive influences which two decisions? (Choose two.) A. If Preserve Block Size should be used B. If Global Pool feature should be used C. How many drives can be used through a single DataFort for maximum drive throughput D. If Port Mapping is required E. If port zoning is required Answer: A, C To make sure that encrypted data is accessible for each data path, it is important to share encryption keys among DataFort appliances. Which three key-sharing methods supported by DataFort help ensure data access? (Choose three.) A. Key Translation B. clustering C. trustees D. Public Key Infrastructure (PKI) Answer: A, B, C Which three are required to perform data recovery at a site that does not have a DataFort appliance? (Choose three.) A. A copy of the Decru Data Decryption software B. The appropriate key exported as a file from LKM C. A full admin password to the DataFort that created the key used to encrypt the data D. The password for the exported key file Answer: A, B, D Which two can be used to configure the management interface on an FC525? (Choose two.) A. WebUI IP Settings page B. CLI net util ifconfig command C. Serial console menu D. front panel LCD E. LKM DataFort Setup page Answer: A, C When are Recovery Cards required in the trustee key-sharing process?A. during the establishment of only the trustee relationshipB. during the establishment of the trustee relationship and the key exportC. during the establishment of the trustee relationship, key export, and key importD. Recovery Cards are not required in the trustee key-sharing process.Answer: AWhich two key policies allow for all keys to be pre-generated and replicated to the DR site?(Choose two.)A. key per tapeB. key per poolC. Global Pool with single keyD. periodic disk rekeyAnswer: B, CWhich two statements about disk and tape I/O are true? (Choose two.)A.  Disk and tape I/O can be combined through the same standalone DataFort.B.  Disk and tape I/O can be combined through the same cluster but not through the sameDataFort.C.  Disk and tape I/O cannot be combined through the same standalone DataFort.D.  Disk and tape I/O cannot be combined through the same cluster.Answer: C, DWhich three factors should be considered when assessing the performance impact a DataFortwill have on an existing environment? (Choose three.)A. the number of devices connected to a specific DataFortB. the type of Cryptainer vault created (LUN Mapped versus Port Mapped)C. the combined speed of all devices connected to the DataFortD. the device type, tape or disk, being connected to the DataFortAnswer: A, C, DCalifornia SB1386 requires businesses and government agencies to _____.A.  encrypt personal information on onsite backup tapes when reasonable alternative methodsare not in placeB.  encrypt all personal information on offsite backup tapes when reasonable alternative methodsare not in placeC.  encrypt all personal information on both disk and backup tapes, onsite or offsite, whenreasonable alternative methods are not in placeD.  notify individuals if their unencrypted personal information is believed to have been disclosedto an unauthorized personE.  notify the California District Attorney Office if unencrypted personal information is believed tohave been disclosed to an unauthorized personAnswer: DDuring installation of the LKM server software, which configuration options can be specified?A. database type and schemaB. target directory and licenseC. server port number and "using SSL"D. LKM server IP and hostnameAnswer: BThe E-Series DataFort Local ACL feature is designed to prevent unauthorized Windowsadministrators from gaining Cryptainer access by adding themselves to _____.A. the DataFort Local ACLB. the share ACLC. a group on the server ACLD. a Cryptainer ACLAnswer: BWhich two statements are true about the NAS Audit Trail log configuration from the E-SeriesDataFort WebUI? (Choose two.)A. They cannot be signed.B. They cannot be configured to write to the E-Series DataFort Database.C. They can be configured to audit file access.D. They cannot be sent to a Windows event log.Answer: B, CWhat happens when the DataFort detects an intrusion?A. The DataFort denies all logins and shuts down.B. The DataFort begins beeping.C. The DataFort deletes all data on the servers and iSCSI portals.D. The DataFort stops encrypting and decrypting data.Answer: DWhat is the maximum number of hosts supported by an FC525?A. 16B. 32C. 160D. 256Answer: BThe tape drives are operating at maximum throughput at 2:1 compression. How many LTO2 tapedrives can be used with an FC1020 before becoming throughput limited?A. 3B. 5C. 15D. 25E. 35Answer: CAccording to the Decru Key Management Best Practices White Paper, when a Recovery Cardhas failed, what should you do to properly replace the failed card?A. Replace the single failed Recovery CardB. Replace the entire set of Recovery CardsC. zeroize the DataFort and restore from backupD. Regenerate the faulty card at LKMAnswer: AUnder SAN STORAGE SETTINGS in the DataFort WebUI, you have the following VirtualizationSettings: Host ON (Virtualize up to 7 storage devices on the host side)Storage OFF (Do not virtualize the storage side) Given these settings, which three statements aretrue? (Choose three.)A. The DataFort host port cannot connect to an F type switch port.B. The DataFort storage port cannot connect to an F type switch port.C. You can virtualize up to 7 hosts devices.D. You can virtualize up to 7 storage devices.E. The DataFort host side is in multi-ID mode.F. The DataFort host side is in single-ID mode.Answer: A, D, EThe DataFort has properly discovered host and storage devices. Port Mapped Cryptainer vaultshave been created and permissions have been granted. However, the host does not see thestorage device. What is the most likely reason for this?A.  The customer is hard zoned, but forgot to add the DataFort virtual WWNs to the DataForthost side zone.B.  The customer is soft zoned, but forgot to add the DataFort virtual WWNs to the DataFort hostside zone.C.  The customer is hard zoned, but specified the wrong port on the DataFort host side.D.  The customer is hard zoned, but specified the wrong port on the DataFort storage side.Answer: BWhat is the purpose of a Recovery Officer?A. authorizes procedures that may threaten data securityB. authorizes decryption of tapes through the appliance that created themC. authorizes admin users who require prior authorization to log inD. performs backups of the DataFort appliance configuration databaseE. authorizes Cryptainer recovery operationsAnswer: AAn FC1020 supports about how much total throughput?A. 250 MB/sB. 1 GB/sC. 2 GB/sD. 5 GB/sE. 10 GB/sAnswer: BThe model of tape drive influences which two decisions? (Choose two.)A. If Preserve Block Size should be usedB. If Global Pool feature should be usedC. How many drives can be used through a single DataFort for maximum drive throughputD. If Port Mapping is requiredE. If port zoning is requiredAnswer: A, CTo make sure that encrypted data is accessible for each data path, it is important to shareencryption keys among DataFort appliances. Which three key-sharing methods supported byDataFort help ensure data access? (Choose three.)A. Key TranslationB. clusteringC. trusteesD. Public Key Infrastructure (PKI)Answer: A, B, CWhich three are required to perform data recovery at a site that does not have a DataFortappliance? (Choose three.)A. A copy of the Decru Data Decryption softwareB. The appropriate key exported as a file from LKMC. A full admin password to the DataFort that created the key used to encrypt the dataD. The password for the exported key fileAnswer: A, B, DWhich two can be used to configure the management interface on an FC525? (Choose two.)A. WebUI IP Settings pageB. CLI net util ifconfig commandC. Serial console menuD. front panel LCDE. LKM DataFort Setup pageAnswer: A, C If a DataFort 2.x or later appliance fails, which three information sources can be used with the DataFort Wizard to recreate the configuration information on a replacement? (Choose three.) A. *.xdf file from LKM software/appliance B. mysqldump of DataFort configDB C. *.xdf file from manual backup D. *.lkm file from LKM software/appliance E. surviving cluster member Answer: A, C, E In 2.x firmware, how many virtual storage devices (targets) and virtual client hosts (initiators) can be attached to a single FC525 model DataFort? A. 1 virtual storage device and 8 virtual client hosts B. 7 virtual storage device and 7 virtual client hosts C. 8 virtual storage device and 8 virtual client hosts D. 8 virtual storage device and 32 virtual client hosts E. 16 virtual storage device and 128 virtual client hosts Answer: B Which two can authorize Key Translation? (Choose two.) A. the source DataFort administrator B. the destination DataFort administrator C. the LKM administrator D. a quorum of Recovery Cards and passwords E. a Recovery Key Archive file Answer: D, E Which procedure is used to move keys between LKM servers or appliances that do not share network connectivity? A. clustering B. key export and import C. Key Translation D. tape metadata Answer: B Which is a correct System Card replacement procedure for SAN 2.x? A.  zeroize DataFort and restore with an initialized System Card and a recent configdb using a quorum of Recovery Cards B.  zeroize DataFort and join an existing cluster with an uninitialized System Card and a quorum of Recovery Cards C.  insert an uninitialized System Card into the DataFort and perform a System Card replacement using a quorum of Recovery Cards D.  insert an initialized System Card from an existing cluster member and perform a System Card replacement using a quorum of Recovery Cards Answer: B Which two statements are true about signed DataFort log messages? (Choose two.) A. They contain a verifiable digital signature. B. They can only be authenticated on the DataFort that generated the log message. C. They may not be sent to a syslog server. D. They may not be sent to a Windows event log. Answer: A, B If you have an 8-node cluster, how many members must be online in the cluster in order to create Cryptainer vaults? A. 1 B. 4 C. 5 D. 8 Answer: C Which two statements are true if a System Card is removed in a functional, fully initialized DataFort? (Choose two.) A. Encryption services are disabled after a reboot. B. Encryption services halt within five minutes of card removal. C. Recovery Card replacement does not work. D. DataFort sends SNMP trap and initiates shutdown to protect access to encrypted data. Answer: A, C In SAN 2.x, how many targets can be virtualized on an FC520? A. 1 B. 7 C. 8 D. 31 Answer: B If a DataFort 2.x or later appliance fails, which three information sources can be used with theDataFort Wizard to recreate the configuration information on a replacement? (Choose three.)A. *.xdf file from LKM software/applianceB. mysqldump of DataFort configDBC. *.xdf file from manual backupD. *.lkm file from LKM software/applianceE. surviving cluster memberAnswer: A, C, EIn 2.x firmware, how many virtual storage devices (targets) and virtual client hosts (initiators) canbe attached to a single FC525 model DataFort?A. 1 virtual storage device and 8 virtual client hostsB. 7 virtual storage device and 7 virtual client hostsC. 8 virtual storage device and 8 virtual client hostsD. 8 virtual storage device and 32 virtual client hostsE. 16 virtual storage device and 128 virtual client hostsAnswer: BWhich two can authorize Key Translation? (Choose two.)A. the source DataFort administratorB. the destination DataFort administratorC. the LKM administratorD. a quorum of Recovery Cards and passwordsE. a Recovery Key Archive fileAnswer: D, EWhich procedure is used to move keys between LKM servers or appliances that do not sharenetwork connectivity?A. clusteringB. key export and importC. Key TranslationD. tape metadataAnswer: BWhich is a correct System Card replacement procedure for SAN 2.x?A.  zeroize DataFort and restore with an initialized System Card and a recent configdb using aquorum ofRecovery CardsB.  zeroize DataFort and join an existing cluster with an uninitialized System Card and a quorumof Recovery CardsC.  insert an uninitialized System Card into the DataFort and perform a System Cardreplacement using a quorum of Recovery CardsD.  insert an initialized System Card from an existing cluster member and perform a System Cardreplacement using a quorum of Recovery CardsAnswer: BWhich two statements are true about signed DataFort log messages? (Choose two.)A. They contain a verifiable digital signature.B. They can only be authenticated on the DataFort that generated the log message.C. They may not be sent to a syslog server.D. They may not be sent to a Windows event log.Answer: A, BIf you have an 8-node cluster, how many members must be online in the cluster in order to createCryptainer vaults?A. 1B. 4C. 5D. 8Answer: CWhich two statements are true if a System Card is removed in a functional, fully initializedDataFort? (Choose two.)A. Encryption services are disabled after a reboot.B. Encryption services halt within five minutes of card removal.C. Recovery Card replacement does not work.D. DataFort sends SNMP trap and initiates shutdown to protect access to encrypted data.Answer: A, CIn SAN 2.x, how many targets can be virtualized on an FC520?A. 1B. 7C. 8D. 31Answer: B