Forum Discussion

Tape_Archived
Moderator
6 years ago

Recommended Encryption option for NBU Appliance??

I think we have two options available to enable encryption on the NetBackup Appliance 5240. I am using the 5240 as a media server.

1. Local Encryption provided by the appliance itself - Manage > Host > Deduplication > Encryption - Enable

2. Use KMS to create a key on the appliance media server; backups will be encrypted using the key and controlled by the Master Server

Which option is recommended, or which do you prefer? Please share the pros and cons of either option with respect to performance and dedupe rate. Please share your experience if you had to opt out of KMS or Appliance Encryption.

  • Tape_Archived

    You are correct - there is very little activity here from knowledgeable Appliance experts.

    I will add my 2c with the following disclaimers:
    1. I am not an Appliance expert
    2. I am not an Encryption expert and have never been asked to assist with configuration.

    IMHO - KMS is used for tape drives (LTO4 or later). So, if the customer has a requirement to have tapes encrypted, then KMS needs to be configured.
    There is a short section in the Appliance Security Guide:
    https://www.veritas.com/content/support/en_US/doc/96220900-127024912-0/v97514945-127024912

    As far as MSDP encryption is concerned, it will again come down to customer requirements - 'in flight' and/or 'at rest'.

    For 'in flight' encryption, I would look at this section in the Dedupe Guide:
    “To configure backup encryption on all client-side deduplication clients”.

    If only 'at rest' MSDP encryption is required, I would look at:
    “To configure backup encryption on a single host”.
    Or no. 1 in your opening post:
    1. Local Encryption provided by the appliance itself - Manage > Host > Deduplication > Encryption - Enable

    HTH

  • Thanks for sharing the encryption details, Marianne.

    I ended up working with Support and gained significant details on the appliance encryption. Looks like KMS is the better option, with more control over keys, and it supports encryption standards. Also, Veritas seems more inclined towards KMS.

    The local encryption (at rest) on the appliance is AES-256 and it is totally managed by the appliance itself, without any control for the admin - https://www.veritas.com/content/support/en_US/doc/25074086-130388296-0/v95643059-130388296

    From 3.1.1 onwards the NetBackup Appliance is FIPS compliant, but read the ifs and buts before enabling it - https://www.veritas.com/content/support/en_US/doc/25074086-130388296-0/v130212944-130388296

  • sdo
    6 years ago

    NetBackup KMS has two methods to generate the encryption keys: 1) randomly, or 2) from pass-phrases.

    If you use method 1), then if you lose the KMS database, all encrypted backup data is permanently lost forever. If you use this method then you *must* backup/copy/save your KMS database to an alternate (offsite too?) location.

    If you use method 2), then if you lose the KMS database you can re-create the encryption keys from the pass-phrases - assuming you saved the pass-phrases somewhere (offsite too?). Also, note how if you use this method then you do not need to backup and copy your KMS database - because you can always re-create the KMS database from the pass-phrases - so you *must* save your pass-phrases somewhere.

    See Martin's mph999 recommendation here:

    https://vox.veritas.com/t5/NetBackup/How-to-provide-our-own-keys-for-KMS-to-encrypt-data-rather-using/td-p/661703

    .

    I recommend method 2 above.

    .

    So - how can you keep the (three) pass-phrases safe and secret and re-usable in a DR situation?

    ...my recommendation - get some tools and get punching... you will need:

    1) at least six long-ish narrow-ish thin-ish strips of metal - that you will turn into dog-tags

    2) a set of letter/number punches, upper case A to Z, and numbers 0 to 9

    3) one hammer

    4) one pair of safety glasses / goggles / squints

    5) one drill plus a (10mm?) metal drill-bit

    6) two key chain rings / holders

    7) two good safes - one for local storage, one for DR storage

    .

    Procedure:

    1) generate three random-character pass-phrases, each of at least 32 characters

    N.B.: do *not* use 0 and O, do *not* use I and 1, do *not* use 5 and S - i.e. remove either 0 1 5 from your pass-phrases - or remove O I S from your pass-phrases

    (I can supply a VBscript, if you want, that can generate the random pass-phrases)

    2) temporarily make a note of these pass phrases on paper

    3) configure KMS from the pass-phrases, and test

    4) test loss of KMS database, and re-creation of keys from pass-phrases, and test restore of previously encrypted backup data

    ...you now know that your phrases and process are good, so now save the pass-phrases as permanently as you can, as follows...

    5) "engage safety squints" - I mean put your safety glasses / goggles on

    6) punch the three phrases into the metal strips - make two sets of three (hence six strips of metal)

    7) drill a hole into each metal strip

    8) attach the strips to the rings to create two sets

    9) get someone else to verify that the punched pass-phrases match your written notes

    10) burn, or eat, your noted pass-phrases

    11) store one set of punched pass-phrases in your local safe

    12) store one set of punched pass-phrases in your DR safe

    13) (there is no step 13)

    14) it might be a good idea to now re-test using the punched pass-phrases

    .

    Overkill?  Really?  Proper peace of mind for a few $ and a few hours' effort.  But admittedly the safes might cost a bit.  Anyway, in five / ten years' time, hopefully it will never happen, but maybe your colleagues/boss/CIO will be thanking you.

    .

    HTH.

    good luck.
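An added example, not sdo's VBScript and not anything posted in the thread: a POSIX shell version of step 1 of the procedure above, plus the check you would run on a phrase typed back from the punched tags at step 9. The alphabet (upper-case letters and digits minus the 0/O, 1/I and 5/S pairs) and the 32-character minimum are taken from the post; the function names, the PASSPHRASE_DEMO switch and the use of /dev/urandom are my own assumptions.

```shell
#!/bin/sh
# Added example (not sdo's VBScript): generate KMS pass-phrases from the
# alphabet a letter/number punch set covers, minus the pairs that are easy
# to confuse once punched into metal: 0/O, 1/I and 5/S.
# POSIX sh apart from head -c, which every common head implementation has.
set -u

# Allowed characters: A-Z without I O S, 0-9 without 0 1 5 (30 symbols).
ALLOWED='A-HJ-NP-RT-Z2-46-9'

# gen_passphrase LEN  -> prints LEN random characters from ALLOWED.
# Draws from /dev/urandom; tr discards every byte outside the alphabet, so
# each of the 30 symbols stays equally likely (no modulo bias).
gen_passphrase() {
    len="${1:-32}"
    LC_ALL=C tr -dc "$ALLOWED" < /dev/urandom | head -c "$len"
}

# check_passphrase PHRASE -> exit 0 if PHRASE is at least 32 characters and
# contains only allowed characters, 1 otherwise. Run it on a phrase typed
# back from the punched tags (step 9) before the paper note is destroyed:
# a mis-punched O or I shows up here instead of at DR time.
check_passphrase() {
    printf '%s' "$1" | LC_ALL=C grep -Eq "^[$ALLOWED]{32,}\$"
}

# gen_set N LEN -> prints N pass-phrases, one per line (the post uses three).
gen_set() {
    n="${1:-3}"; len="${2:-32}"
    i=0
    while [ "$i" -lt "$n" ]; do
        gen_passphrase "$len"
        printf '\n'
        i=$((i + 1))
    done
}

# Stand-alone use: PASSPHRASE_DEMO=1 sh gen_kms_passphrases.sh prints three
# 32-character phrases for the temporary paper note (step 2).
if [ "${PASSPHRASE_DEMO:-0}" = 1 ]; then
    gen_set 3 32
fi
```

With 30 symbols each character carries about 4.9 bits, so a 32-character phrase is roughly 157 bits of entropy, comfortably above the strength of the AES-256 keys it re-creates; there is no need to go longer than the punching effort justifies.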

15 Replies

  • jnardello
    Moderator

    Of course if you go with KMS then you have to make sure you've got a backup method in place for the KMS database itself....

    Something along the lines of this to at least get it off the primary location:

    /usr/openv/netbackup/bin/admincmd/nbkmsutil -quiescedb
    cp <all the KMS database files> /mynfsshare/backup/kms/
    /usr/openv/netbackup/bin/admincmd/nbkmsutil -unquiescedb

    Then once it's off there, you'll have to worry about how to make sure you store an UNENCRYPTED copy somewhere in case of DR - you don't want to end up with a chicken-or-the-egg scenario where you can't recover your images from tape without the KMS, but you can't recover your KMS without being able to read a tape.

    Best of luck!
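An added example that is not jnardello's exact commands: the same quiesce / copy / unquiesce sequence as a shell function that always unquiesces the database, even when the copy fails, and records checksums of the copy so the offsite version can be verified later. The nbkmsutil path and the -quiescedb / -unquiescedb switches are the ones shown in the post; KMS_DB_DIR is a placeholder for the KMS database directory (the post does not name it) and KMS_BACKUP_DIR reuses the post's share path. The function name and the KMS_BACKUP_RUN switch are my own.

```shell
#!/bin/sh
# Added example, not jnardello's exact commands: quiesce, copy, unquiesce,
# with the unquiesce guaranteed to run whatever the copy does.
set -u

NBKMSUTIL="${NBKMSUTIL:-/usr/openv/netbackup/bin/admincmd/nbkmsutil}"   # path from the post
KMS_DB_DIR="${KMS_DB_DIR:-/path/to/kms/database/files}"               # placeholder, set per site
KMS_BACKUP_DIR="${KMS_BACKUP_DIR:-/mynfsshare/backup/kms}"            # share path from the post

# backup_kms_db SRC_DIR DEST_DIR
#   1. quiesce the KMS database so the copy is internally consistent,
#   2. copy every file in SRC_DIR into DEST_DIR,
#   3. unquiesce, whether or not the copy succeeded (a quiesced KMS blocks
#      key operations, so leaving it quiesced is worse than a failed copy),
#   4. write DEST_DIR.cksum so the copy can be verified after it has moved.
# Returns 0 only if every step succeeded.
backup_kms_db() {
    src="$1"
    dest="$2"
    mkdir -p "$dest" || return 1

    "$NBKMSUTIL" -quiescedb || return 1
    rc=0
    cp -p "$src"/* "$dest"/ || rc=1
    "$NBKMSUTIL" -unquiescedb || rc=1

    if [ "$rc" -eq 0 ]; then
        (cd "$dest" && cksum ./*) > "$dest.cksum" || rc=1
    fi
    return "$rc"
}

# Stand-alone use: KMS_BACKUP_RUN=1 sh backup_kms_db.sh
if [ "${KMS_BACKUP_RUN:-0}" = 1 ]; then
    backup_kms_db "$KMS_DB_DIR" "$KMS_BACKUP_DIR"
fi
```

The copy this produces is in the clear, which is exactly the point jnardello makes: it must live somewhere that does not itself depend on KMS to be read back, and access to that location deserves the same controls as the pass-phrases in sdo's procedure.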

  • It seems the NBU Appliance forum is not followed by many of the VOX community members; they tend to look at the NetBackup forum even for appliance-related questions or issues.

  • I have marked 3 detailed explanations and suggestions as solutions regarding Appliance encryption so all can refer to them if they are looking for it.