Backing up data to tape using Key Management Services (KMS)
Hi,
I am in need of some assistance/guidance with KMS encryption. Recently, we have configured a test backup job with encryption using Key:
Environment
Netbackup Master Server version: 7.6.0.1
Volume Pool: ENCR_prod
Backup policy: Created 2 test policies, one for backing up policy type "MS-Windows" and the other "NDMP" with different sets of folders. Reason being, we wanted to test KMS capability to back up both normal Windows file shares and CIFS shares via NDMP backup.
To verify the backup images were encrypted, I checked the "Image on Tape" report via NBU Administration Console and I can see that the backed up images were encrypted with a unique key identifier on each tape media (under "Encryption Key Tag" column with 256 bit, 64 characters).
Question
How do we configure the volume pool (if possible) so that any available media can be used between encrypted/non-encrypted backup jobs? As we have had to define the volume pool specifically to use "ENCR_xxxx" as part of the KMS backup requirement, we had to manually assign separate media (tape, in our case) just to perform a particular backup selection, hence consuming additional tapes, which is not ideal in our situation.
From what I understand, Netbackup looks specifically at the volume pool with the prefix "ENCR_xxxx" when the backup job is initiated, and unless there is a tape assigned to the "ENCR_prod" pool in our case, the backup job will fail. Is there an alternate way (using KMS) to share both encrypted and non-encrypted backup jobs?
Any assistance is much appreciated.
Thank you.
- No, it cannot be done. KMS must use a vol pool starting ENCR, as you are aware, and a tape can only belong to one volume pool, so there is no way to write encrypted and non-encrypted backups, as the non-encrypted backups would have to use a different pool not starting ENCR. One option: just encrypt all backups. It doesn't 'cost' anything, and since KMS keys can be recreated on another system, you can restore images on other environments if required. Do not encrypt the catalog backups; use a non-encrypted pool for these, and if you back up the encryption keys (hopefully), don't encrypt them, for obvious reasons. One tip: when you create keys, be sure to use the option where you specify the pass phrase. That way, even without the key backups, you can recreate them. Obviously, keep the passphrases written down somewhere safe, like a safe.
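The pool rules from this thread, written as a configuration check. This is an added example and not part of the original posts or of NetBackup: the `audit` function, the dictionary layout and every sample pool, policy and tape name except ENCR_prod are constructed for illustration, and the `encrypt` flag is an assumed field recording what the operator intends.

```python
# Added example: lint a planned policy/pool layout against the rules in this thread.
# Input layout and sample values are constructed; this does not parse NetBackup output.
ENCR_PREFIX = "ENCR_"  # pool-name prefix that selects KMS encryption (from the thread)

def audit(policies, pools):
    """Return a sorted list of (severity, message) findings."""
    findings = []
    # Rule: a tape can belong to only one volume pool.
    owner = {}
    for pool, tapes in pools.items():
        for tape in tapes:
            if tape in owner:
                findings.append(("error", f"tape {tape} listed in {owner[tape]} and {pool}"))
            owner.setdefault(tape, pool)
    for p in policies:
        name, pool = p["name"], p["pool"]
        in_encr_pool = pool.startswith(ENCR_PREFIX)
        if p["type"] == "NBU-Catalog":
            # Rule: catalog backups go to a non-encrypted pool.
            if in_encr_pool:
                findings.append(("error", f"{name}: catalog backup uses encrypted pool {pool}"))
        elif p["encrypt"] and not in_encr_pool:
            # Rule: KMS only applies when the pool name starts with the prefix.
            findings.append(("error", f"{name}: wants encryption but pool {pool} lacks {ENCR_PREFIX}"))
        elif not p["encrypt"] and in_encr_pool:
            findings.append(("warn", f"{name}: will be encrypted because it writes to {pool}"))
        # Rule (as the question describes): an encrypted job fails if its pool has no tape.
        if in_encr_pool and not pools.get(pool):
            findings.append(("error", f"{name}: encrypted pool {pool} has no tapes assigned"))
    return sorted(findings)

# Constructed sample: pool name -> media IDs, and the policies that write to them.
SAMPLE_POOLS = {"ENCR_prod": ["T00001"], "ENCR_test": [],
                "NetBackup": ["T00002", "T00001"], "CatalogBackup": ["T00003"]}
SAMPLE_POLICIES = [
    {"name": "win_shares", "type": "MS-Windows", "pool": "ENCR_prod", "encrypt": True},
    {"name": "ndmp_cifs", "type": "NDMP", "pool": "NetBackup", "encrypt": True},
    {"name": "win_test", "type": "MS-Windows", "pool": "ENCR_test", "encrypt": True},
    {"name": "catalog", "type": "NBU-Catalog", "pool": "ENCR_prod", "encrypt": False},
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_POLICIES, SAMPLE_POOLS):
        print(f"{severity.upper():5} {message}")
```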