Lev5240's avatar
Level 3
7 years ago

Netbackup 5240 appliance Encryption

Hello VOX community,

I am new to the VOX community... Hopefully I can find an answer for what I am looking for. My questions are in regard to Netbackup 5240 Appliance Encryption.

We have bought a Netbackup 5240 Appliance (Netbackup 8.1) and are now in the process of migrating our existing hosts/clients from Netbackup 7.6 to the new appliance. A few of our clients have Client side Encryption backups taken. I was told that with the new appliance and the new netbackup 8.1 version all backups are automatically encrypted. Not really sure how this works. In netbackup 7.6 with client side encryption we used to create a KEYFILE on the client side, update the POLICY for the host and check the ENCRYPT option in the ATTRIBUTES tab.

Plus after you take an encrypted backup in 7.6 you could see if the backup file is in fact encrypted by running: /usr/openv/netbackup/bin/tar -tvf client1.domain_137458487345_C1_F1_137458487345.img     and look for    .Encryption_CIPHER.0

Not really sure how it works in the 5240 appliance with MSDP. Are all backups automatically encrypted? Do you need to create any keyfiles? Do you need to check the ENCRYPT option in the POLICY under the ATTRIBUTES tab?

What steps need to be taken to have CLIENT side encryption in the new netbackup 8.1?

Thank you so much for reading this.

Really appreciate your help.


7 Replies

  • Hi Lev5240,

    I don't believe 8.1 encrypts all backups by default. It looks like encryption hasn't changed much.  Here is the link to the NetBackup 8.1 Security and Encryption Guide:

    What I think you're talking about is that all 8.1 servers and clients now have encrypted communications between them, using TLS.  The Master server basically operates as Certificate Authority for this.  If you have earlier clients that do not support this, then you can enable insecure comms so that the 8.1 Master can talk to them.  Here is the link to the Read Me First document for Secure Communications in 8.1:

    A fairly major change so worth running through that first :smileylol:

    Hope this helps,



    • andrew_mcc1's avatar
      Level 6

      You will need to be careful here. Client Encryption will defeat deduplication, when using MSDP the normal recommendation would be to use MSDP native encryption plus tape drive encryption (SCSI T10 based Key Management Service) if also using tape-out.

      Also note MSDP Encryption is documented in the NetBackup Deduplication Guide, not the Security and Encryption Guide.


    • Lev5240's avatar
      Level 3


      Thank you for your reply. Since the 5240 appliance runs Netbackup 8.1, all communication is encrypted using the TLS protocol between the master and client server. How can you actually PROVE that you have taken an encrypted backup?

      With earlier versions of client encrypted backups you could run the command below and look for Encryption_Cipher.0, as in the example below.

      /opt/encrypted_backups # tar -tf <client>_1200321967_C1_F1.1200321967.img
      10742623350 10741770322 //
      10742672662 10742672662 //tmp/
      10742672663 10742672663 /.EnCrYpTiOn_CiPhEr.0
      10742671626 10742671610 //tmp/testfile


      How can this be proven with client encrypted backups on the 5240 appliance?


      Thank you.

      • Marianne's avatar
        Level 6


        Please read through andrew_mcc1's post again.

        You should NOT use Client Encryption in the policy with MSDP.

        Please read up in the NetBackup Deduplication Guide about these topics:
        Use MSDP compression and encryption
        About MSDP encryption
        MSDP compression and encryption settings matrix
        Configuring encryption for MSDP backups
        Configuring encryption for MSDP optimized duplication and replication
        MSDP encryption behavior and compatibilities

        You will see this in one of these sections:

        Note: Do not enable backup encryption by selecting the Encryption option on the Attributes
        tab of the Policy dialog box. If you do, NetBackup encrypts the data before it reaches the
        plug-in that deduplicates it. Consequently, deduplication rates are very low. Also, NetBackup
        does not use the Deduplication Multi-Threaded Agent if policy-based encryption is configured.
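
An added illustration of the documentation note quoted above (not part of the thread and not NetBackup code): it measures the deduplication ratio for identical backups sent in plaintext, sent after client-side encryption, and encrypted only after deduplication. Assumptions: fixed 4 KiB segments, SHA-256 fingerprints, a SHA-256 counter-mode keystream as a stand-in cipher, hypothetical per-client keys and per-backup nonces, and constructed sample data.

```python
import hashlib

CHUNK = 4096  # assumed fixed segment size; MSDP's real segmenting differs

def keystream_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode). Illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def segments(stream: bytes):
    return [stream[i:i + CHUNK] for i in range(0, len(stream), CHUNK)]

def dedup_ratio(streams) -> float:
    """Segments received divided by unique segments that must be stored."""
    seen, total = set(), 0
    for s in streams:
        fps = [hashlib.sha256(seg).digest() for seg in segments(s)]
        total += len(fps)
        seen.update(fps)
    return total / len(seen)

def sample_data(n_chunks: int = 64) -> bytes:
    # Constructed sample: n distinct 4 KiB segments, deterministic for repeatability.
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() * (CHUNK // 32)
                    for i in range(n_chunks))

def compare():
    data = sample_data()
    plain = [data] * 4  # two clients, two backups each, identical content
    # Client-side encryption: every stream is encrypted before fingerprinting.
    client_enc = [keystream_encrypt(data, key, nonce)
                  for key in (b"clientA-key", b"clientB-key")   # hypothetical keys
                  for nonce in (b"backup1", b"backup2")]         # hypothetical nonces
    # Encryption after deduplication: fingerprint plaintext, encrypt unique segments.
    pool = {}
    for s in plain:
        for seg in segments(s):
            fp = hashlib.sha256(seg).digest()
            if fp not in pool:
                pool[fp] = keystream_encrypt(seg, b"pool-key", fp)
    return dedup_ratio(plain), dedup_ratio(client_enc), len(pool)

if __name__ == "__main__":
    p, c, stored = compare()
    print(f"plaintext ratio {p:.1f}, client-encrypted ratio {c:.1f}, "
          f"encrypted-at-rest segments stored {stored}")
```

The client-encrypted streams share no fingerprints, so every segment is stored, while encrypting after deduplication stores the same 64 unique segments as the plaintext case and still keeps them encrypted at rest.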