Forum Discussion

johnwong's avatar
johnwong
Level 3
10 years ago

Backing up data to tape using Key Management Services (KMS)

Hi,

I am in need of some assistance/ guidance with KMS encryption. Recently, we have configured a test backup job with encryption using Key:

 

Environment

Netbackup Master Server version: 7.6.0.1

Volume Pool: ENCR_prod

Backup policy: Created 2 test policies, one for backing up policy type "MS-Windows" and the other "NDMP" with different sets of folders. Reason being, we wanted to test KMS capability to back up both normal Windows file shares and CIFS shares via NDMP backup.

 

To verify the backup images were encrypted, I checked the "Image on Tape" report via NBU Administration Console and I can see that the backed up images were encrypted with a unique key identifier on each tape media (under "Encryption Key Tag" column with 256 bit, 64 characters).

 

Question

How do we configure the volume pool (if possible) so that any available media can be used between encrypted/non-encrypted backup job? As we have had to defined the volume pool specifically to use "ENCR_xxxx" as part of the KMS backup requirement, we had to manually assign separate media (tape, in our case) just to perform a particular backup selection, hence consuming additional tapes which is not ideal in our situation.

From what I understand Netbackup looks specifically at the volume pool with the prefix "ENCR_xxxx" when the back up job is initiated, and unless there is a tape assigned to the "ENCR_prod" pool in our case, the backup job will fail. Is there an alternate way (using KMS) to share both encrypted and non-encrypted back up jobs?

 

Any assistance is much appreciated.

 

Thank you.

  • No, it cannot be done. KMS must use a vol pool starting ENCR as you are aware, and, a tape can only belong to one volume pool, so there is no way to write encrypted and non-encrypted backups as the non-encrypted backups would have to use a different pool not starting ENCR. One option, just encrypt all backups, it doesn't 'cost' anything, and since KMS keys can be recreted on another system, you can restore imges on other environments if required. Do not encrypt the catalog backups, use a non encrypted pool for these, and if you backup the encryption keys (hopefully), don't encrypt them for obvious reasons. One tip, when you crate keys, be sure to use the option where you specify the pass phrase, that way, event without the keys backups you can recreate them, obviously, keep the passphrases written down somewhre safe, like a safe.

6 Replies

  • How do we configure the volume pool (if possible) so that any available media can be used between encrypted/non-encrypted backup job? 

    You can create a Scratch pool and move all unassigned tapes to Scratch.

    Any pool not having available media will draw from Scratch.
    Any tape that originally came from Scratch will be returned to this pool when all images have expired.

  • Agree with Marianne

    Netbackup can without problems, re-use tape previous encrypted, because its the backup image that is encrypted on not magnetic header on the tape.

    Ensure all tapes in the scratch pool are at lest LTO4 tapes. LTO3 and previous has not built-in encryption.

  • Thank you both Marianne and Nicolai for your speedy response. Sorry, I did not make my questio clearer. What I wanted to find out was, is there a way that Netbackup can utilise the same tape to write encrypted and non-encrypted backup jobs before it is ejected from the tape library?

     

    For example, would Netbackup 7.6 be able to perform the following 4 backup policies using the same tape (e.g. ABC123) with mixed policy types and with encrypted and un-encrypted data, assuming that each backup is a "Full" backup job and the total amount of all data would fit onto a single tape?

     

    Media: ABC123

     

    Job#1 

    Client name: Server01A

    Policy Type "Ms-Windows" (Encrypted backup)

     

    Job#2

    Client name: Server01B

    Policy Type "MS-Windows" (Un-encrypted backup)

     

    Job#3

    Client name: Server01A

    Policy Type "Standard" (Encrypted backup)

     

    Job#4

    Client name: Server01B

    Policy Type "Standard" (Un-encrypted backup) 

     

    Clarification, please?

    From what I understand, we would require a minimum of 2 tapes from the example above? One tape to write the encrypted data (Job #1 & Job #3) and another tape to write the un-encrypted data (Job #2 & Job #4) regardless of the policy type because in the "Client Attributes" tab for each backup policy, we need to define a specific "Volume Pool" for the data to be written to.

    For encrypted backup job using KMS, we would need to create a volume pool starting with the prefix "ENCR_xxxx" and for the un-encrypted backup job, we would need to define another volume pool, so that when the backup job is initiated, if it does not see the volume pool with the prefix "ENCR_xxxx" it will not encrypt the data.

    So in short, would it be safe to say that we cannot use a single tape to write encrypted and unencrypted data using KMS method?

  • No, it cannot be done. KMS must use a vol pool starting ENCR as you are aware, and, a tape can only belong to one volume pool, so there is no way to write encrypted and non-encrypted backups as the non-encrypted backups would have to use a different pool not starting ENCR. One option, just encrypt all backups, it doesn't 'cost' anything, and since KMS keys can be recreted on another system, you can restore imges on other environments if required. Do not encrypt the catalog backups, use a non encrypted pool for these, and if you backup the encryption keys (hopefully), don't encrypt them for obvious reasons. One tip, when you crate keys, be sure to use the option where you specify the pass phrase, that way, event without the keys backups you can recreate them, obviously, keep the passphrases written down somewhre safe, like a safe.
  • No, it cannot be done. KMS must use a vol pool starting ENCR as you are aware, and, a tape can only belong to one volume pool, so there is no way to write encrypted and non-encrypted backups as the non-encrypted backups would have to use a different pool not starting ENCR. One option, just encrypt all backups, it doesn't 'cost' anything, and since KMS keys can be recreted on another system, you can restore imges on other environments if required. Do not encrypt the catalog backups, use a non encrypted pool for these, and if you backup the encryption keys (hopefully), don't encrypt them for obvious reasons. One tip, when you crate keys, be sure to use the option where you specify the pass phrase, that way, event without the keys backups you can recreate them, obviously, keep the passphrases written down somewhre safe, like a safe.
  • So in short, would it be safe to say that we cannot use a single tape to write encrypted and unencrypted data using KMS method?

    Yes you are right. A tape can be encrypted or not encrypted but not mixed.