Question

Session Data encryption on PRA

  • December 29, 2025
  • 4 replies


We have 2 PRA appliances in a cluster. The primary appliance was initially deployed as standalone in 2020, and only in 2022 was the second appliance deployed. So, on the secondary appliance, we can see that data encryption is already enabled, but on the primary it is not enabled and it says we need to free up space. We need confirmation: if we fail over to the current secondary, will we face issues in this scenario, with one appliance's data encrypted and the other's not?

 

Also, the documents and the KB say a secret store is required to be added, but since on the secondary it's already enabled without an external secret store, we can assume the encryption keys are stored locally? Since only AWS is supported for an external secret store, we are unable to add an external secret store.

 

 

4 replies

tclowater
BeyondTrust Employee
  • December 30, 2025

Hi ​@SFA -

 

Appliances won’t let you encrypt if there’s over 4GB of data. 

 

However, since you do have at least one encrypted, there is a path forward. Let’s rejoice on a path forward before the guidance of how to have the second one encrypted.

 

Step 1: Grab a towel (Hitchhiker’s Guide), teddy bear, or other items needed to not panic. 

Step 2: Sync failover to the encrypted appliance

Step 3: Confirm backup and Vault Key backup

Step 4: Make the encrypted appliance primary

Step 5: Wipe the unencrypted appliance, enable encryption, reinstall PRA

Step 6: Set up failover and sync


tclowater
BeyondTrust Employee
  • December 30, 2025

Hey ​@SFA -

As well, you’re correct, the credentials are stored locally unless it’s set up in AWS Secrets Store 😊


  • Author
  • Trailblazer
  • December 31, 2025

Oh, we had raised a case, and support mentioned we can enable encryption when the appliance is in backup state/primary state. They mentioned it will not impact end-user access, and it'll run in parallel. Is this understanding correct, or should we break the failover relationship and do the steps mentioned here?


tclowater
BeyondTrust Employee
  • January 6, 2026

Hey ​@SFA - Always go with what support recommends! This was the understanding from discussion within the TAM team - but support always has precedence over other advice.