Encrypting Existing Repository

Hi All,

If I wish to enable encryption on an existing repository do I need to make space preemptively?

That is to say I understand making an encryption key will force new base images for all protected machines. I will not have enough space to do this.

Besides space are there any other things to look out for before I try this?

  • Hi Corrigun:

    To be precise, as you already noted, the repository is not encrypted, recovery points are. As such, as you mentioned, after enabling an encryption key for specific agents, new base images are needed. The best solution, in my opinion, is taking advantage of the archiving capabilities of RR by archiving some recovery chains in stages (for those who are not aware, RR 6+ archives are mountable as Read Only Repositories) and starting fresh with encrypted recovery chains. When the retention period expires, the archives can be discarded and the media used for archiving other unencrypted recovery chains, thus increasing the available repository space for encrypted chains. This approach may take some time though...

  • I'm not sure I understand how I would go about that? Are you saying basically just add a key to one agent at a time and let its backup chain run out over time before adding another?

    What about just encrypting the whole repository (in my case a RAID 10 array) with BitLocker?

  • Hi Corrigun -- you are correct, I proposed a staged transition.

    I had some bad experiences with BitLocker so I am not really ready to recommend it (my work laptop is BitLocker encrypted and more than once I was unable to use it after a mandatory upgrade of the software/firmware, despite having the unlock key). However, if you have experience using it and plan for system failure (which may happen at some point), I do not see a downside. I suspect that since you are running RAID10 you get enough IOPS to be OK with the minimal performance loss induced by BitLocker.