sdw305
12 years ago

MSDP encryption (ServerOptions=agent_crypt) (or should it be =encrypt)

Hi Forum,

Page 30 of the NetBackup Deduplication Guide v7.5 says that MSDP encryption is disabled by default, but that it is recommended by Symantec.

Page 70 says that to enable encryption we need to add "agent_crypt" to "ServerOptions=" in the ContentRouter.cfg file.

But looking at the comments in the file:

 

; [no]agent_crypt      : always disable/enable client-side encryption;
; [no]encrypt          : always disable/enable encryption;

...indicates that using "agent_crypt" instructs the client-side deduplication agent to encrypt data.

At our site we are not implementing client-side deduplication, so it would seem to me that setting "agent_crypt" won't have any effect.

 

My questions are:

1) Is "agent_crypt" really the option to use if what we are trying to achieve is encryption of the post-dedupe blocks on the MSDP data storage local to the MSDP media server?

2) What does the "ServerOptions=encrypt" option do, and how is it different to "agent_crypt" ?

3) If we can determine which option really does enable post-dedupe encryption - then does anyone know what the CPU overhead is ?

4) Are there any particular models of CPU (SPARC or Intel or AMD) that implement the encryption/decryption in their hardware instruction sets - i.e. are there any CPUs that are much better suited for use with MSDP encryption ?

Thanks,

Dave.

  • Setting "agent_crypt" will enable encryption on the client side, while "crypt" will enable encryption on the server side.  When using client-side deduplication, this determines whether the encryption happens on the client or the server.  When using media-server deduplication, the dedupe "client" and server are the same machine: the NetBackup media server.  Encryption will still occur; it will just happen before the bits are sent to the dedupe services rather than after.

    Because of this, it's better to use "agent_crypt", regardless of using client-side deduplication.

    Both options will encrypt the data after the actual deduplication happens, so it will not affect the dedupe rate you'll see for your backups.
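A configuration check for the setting discussed in this thread, added here as an example (it is not part of either post and not Symantec's code). It reads the active ServerOptions= line of ContentRouter.cfg and reports the state of the two options named in the quoted file comments, matching whole tokens so that comment lines and "noencrypt" do not count as "encrypt". It assumes the options are comma-separated on one line; the sample file content and the token example_option are constructed.

```python
import re
import sys

# Options named in the ContentRouter.cfg comments quoted in the question.
CRYPT_OPTIONS = ("agent_crypt", "encrypt")


def server_options(cfg_text):
    """Return the tokens of the last active ServerOptions= line (';' starts a comment)."""
    tokens = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # the comment lines also mention agent_crypt; never count them
        m = re.match(r"ServerOptions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            # Assumption: options are comma-separated on a single line.
            tokens = [t.strip().lower() for t in m.group(1).split(",") if t.strip()]
    return tokens


def crypt_state(tokens):
    """Map each encryption option to enabled / disabled / unset / conflict."""
    state = {}
    for opt in CRYPT_OPTIONS:
        on, off = opt in tokens, ("no" + opt) in tokens
        if on and off:
            state[opt] = "conflict"   # both forms present: needs manual review
        elif on:
            state[opt] = "enabled"
        elif off:
            state[opt] = "disabled"
        else:
            state[opt] = "unset"      # the file's default applies
    return state


# Constructed sample, not a real configuration file.
SAMPLE_CFG = """\
; [no]agent_crypt      : always disable/enable client-side encryption;
; [no]encrypt          : always disable/enable encryption;
ServerOptions=example_option,agent_crypt
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for opt, st in crypt_state(server_options(text)).items():
        print(f"{opt}: {st}")
```

Run it with the path to ContentRouter.cfg as the only argument; with no argument it evaluates the constructed sample.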
