Lev5240
Level 3
7 years ago

What are the steps for using MSDP Encryption

Hello,

We have a NetBackup Appliance 5240. I am trying to figure out what the steps are to configure MSDP encryption. I have read the "MSDP encryption" guide, and it says that by default MSDP encryption is disabled. You could modify pd.conf on the client in order to have encrypted backup.

1. So if I modify pd.conf on the client (/usr/openv/lib/ost-plugins/pd.conf) and add ENCRYPTION = 1, will the backups be encrypted on the host before being transferred to the MSDP on the 5240 appliance?

This option only works for the clients where you modify pd.conf.

2. I also read that if I want to enable MSDP encryption for all the hosts, I need to log in to the shell menu on the 5240 appliance and modify contentrouter.cfg. I am not sure what the full path for the contentrouter.cfg file is, how to access it, or what needs to be updated in that file. Can someone please list the steps needed to use MSDP encryption for all the backups?

Thank you.

  • Excerpt from our build doc:


    # Make absolutely sure encryption at rest and in transit is always enabled
    PD_CONF=/usr/openv/lib/ost-plugins/pd.conf
    # Private temp file instead of a fixed, predictable name under /tmp
    ENCRYPT_TMP=$(mktemp /tmp/encrypt.XXXXXX) || exit 1
    if grep -q "^ENCRYPTION = 0" "${PD_CONF}"; then
        echo Enabling encryption at rest.
        sed 's/^ENCRYPTION = 0/ENCRYPTION = 1/g' "${PD_CONF}" > "${ENCRYPT_TMP}"
        # Keep a timestamped copy, then overwrite in place so mode and ownership are preserved
        cp -p "${PD_CONF}" "${PD_CONF}_$(date +"%m%d%y%H%M%S")"
        cat "${ENCRYPT_TMP}" > "${PD_CONF}"
    fi
    if grep -q "^OPTDUP_ENCRYPTION = 0" "${PD_CONF}"; then
        echo Enabling encryption in transit.
        sed 's/^OPTDUP_ENCRYPTION = 0/OPTDUP_ENCRYPTION = 1/g' "${PD_CONF}" > "${ENCRYPT_TMP}"
        cp -p "${PD_CONF}" "${PD_CONF}_$(date +"%m%d%y%H%M%S")"
        cat "${ENCRYPT_TMP}" > "${PD_CONF}"
    fi
    rm -f "${ENCRYPT_TMP}"

    You could also do this via the CLISH if you want:
    Settings-->Deduplication-->Tune ENCRYPTION enable
    Settings-->Deduplication-->Tune OPTDUP_ENCRYPTION enable
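
Added example, not part of the original post and not Veritas code: the excerpt's script only rewrites lines that read exactly `ENCRYPTION = 0` or `OPTDUP_ENCRYPTION = 0`, so a line that is commented out or absent is left as it is. The audit below reports the effective value of both settings; the function names and the sample file are constructed for illustration, and the one-per-line `KEY = VALUE` layout is assumed from the excerpt.

```shell
#!/bin/sh
# Added example: audit the two pd.conf settings that the build-doc excerpt toggles.
# Assumption: settings are written one per line as "KEY = VALUE", as in the excerpt.

# pd_setting FILE KEY: print the last active (uncommented) value of KEY, or "unset".
pd_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }               # a commented-out line is not in effect
        {
            split($0, kv, "=")
            k = kv[1]; v = kv[2]
            gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == key) val = v         # exact match, so OPTDUP_ENCRYPTION != ENCRYPTION
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# audit_pd_conf FILE: one result line per setting; returns 1 if either is not "1".
audit_pd_conf() {
    rc=0
    for key in ENCRYPTION OPTDUP_ENCRYPTION; do
        val=$(pd_setting "$1" "$key")
        if [ "$val" = "1" ]; then
            echo "OK    $key = 1"
        else
            echo "FAIL  $key is $val"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (not from a real appliance): one setting on, one commented out.
sample=$(mktemp)
printf '%s\n' 'ENCRYPTION = 1' '#OPTDUP_ENCRYPTION = 0' > "$sample"
audit_pd_conf "$sample" || echo "pd.conf needs attention"
rm -f "$sample"
```

On a host, `audit_pd_conf /usr/openv/lib/ost-plugins/pd.conf` gives the same report for the live file; a non-zero return means at least one of the two settings is not enabled.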

6 Replies

  • To answer your first question:

    This setting needs to be modified on the 5240 appliance, which would allow all clients' data to be stored in MSDP in encrypted format. If your appliance version is 2.7.x, it uses the Blowfish algorithm for the encryption. If it is 8.x, it uses AES 256/512 encryption.

      Lev5240
      Level 3

      Hello smsaccet1,

      Thank you for your reply. Our appliance version is 3.1. What encryption algorithm will it use?

      Also what file and please specify the full path of the file that I need to update and what needs to be updated and if anything needs to be restarted.

      Also, how can I check if my backups in the MSDP pool are actually getting encrypted after changing the above setting?

      Thank you.

      Lev1
      Level 1

      Hello smsaccet1,

      Thank you for your reply. Our appliance version is 3.1. What encryption algorithm will it use?

      Also what file and please specify the full path of the file that I need to update and what needs to be updated and if anything needs to be restarted.

      Also, how can I check if my backups in the MSDP pool are actually getting encrypted after changing the above setting?

      Thank you.