Ok - AFAIK the encryption key for NetBackup Client is only ever stored on the client. And so, only clients with the same encryption key can ever be restored to. This will dictate that someone carefully manages and records the use of client side encryption key pass-phrases.
This TN:
https://support.symantec.com/en_US/article.TECH203420.html
...entitled: "NetBackup Encryption and Key Management Solutions", says this about CE (Client Encryption) on page 3:
"CE uses the most recently generated key to encrypt the data, while all keys can be used for restores. A unique identifier, based on the checksum of the encryption key and the specified cipher (e.g., AES256), is stored in the key file and on the tape. NetBackup reads this identifier off the tape during the restore and sends it to the client. The client matches the identifier to the appropriate encryption key and uses the encryption key to decrypt the data. "
This explains the purpose of 'key digest' that you query.
As a side note, are you aware that using Client Encryption will mean that:
1) The backup client data will very likely not de-dupe very well against any other client's data - unless they use the same client side pass-phrase/key.
2) Any backups, or duplications, from this client to tape will not compress at the tape head - and so, if the use of client side encryption is widespread, and you back up or duplicate to tape, then your tape media consumption could increase by anything from 30% to 100%.
3) There are also implications for increased LAN and/or WAN network bandwidth utilisation for any use of NetBackup AIR to replicate the client's backup data.
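
The key-identifier matching described in the quoted technote passage, as an added Python sketch that is not part of the original post and not NetBackup's own code. The SHA-256 digest, the PBKDF2 derivation with a fixed salt, the `KeyFile` class and the pass-phrases are all assumptions made for illustration; the page does not state NetBackup's actual checksum algorithm or key file format.

```python
import hashlib
import hmac
from typing import List, Optional

def derive_key(passphrase: str) -> bytes:
    # Constructed stand-in KDF with a fixed salt so that the same pass-phrase
    # yields the same key on any client. Not NetBackup's derivation.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"constructed-salt", 100_000)

def key_digest(key: bytes, cipher: str) -> str:
    # Assumption: identifier = SHA-256 over cipher name and key. The page only
    # says it is "based on the checksum of the encryption key and the cipher".
    return hashlib.sha256(cipher.encode() + b"\x00" + key).hexdigest()

class KeyFile:
    """Hypothetical model of a client's key file: every key ever generated."""

    def __init__(self, cipher: str = "AES256") -> None:
        self.cipher = cipher
        self.keys: List[bytes] = []  # oldest first, newest last

    def add_passphrase(self, passphrase: str) -> str:
        """Generate a new key; it becomes the one used for new backups."""
        self.keys.append(derive_key(passphrase))
        return self.current_digest()

    def current_digest(self) -> str:
        """Identifier written to the media alongside a new backup."""
        return key_digest(self.keys[-1], self.cipher)

    def find_key(self, digest_from_media: str) -> Optional[bytes]:
        """Restore path: match the identifier read from the media to a key."""
        for key in self.keys:
            if hmac.compare_digest(key_digest(key, self.cipher), digest_from_media):
                return key
        return None  # no matching key on this client: the data cannot be decrypted

if __name__ == "__main__":
    client_a = KeyFile()
    old_tag = client_a.add_passphrase("constructed pass-phrase 1")  # older backup
    client_a.add_passphrase("constructed pass-phrase 2")            # key rotated
    client_b = KeyFile()
    client_b.add_passphrase("some other pass-phrase")
    print("restore on A:", client_a.find_key(old_tag) is not None)
    print("restore on B:", client_b.find_key(old_tag) is not None)
    client_b.add_passphrase("constructed pass-phrase 1")  # recorded pass-phrase re-entered
    print("restore on B after re-entering it:", client_b.find_key(old_tag) is not None)
```
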