Forum Discussion

CraigV
Moderator
11 years ago
Solved

Hardware or software encryption...?

Hi NBU forum,

 

I've got a client asking for either hardware/software encryption for their tape backups, and the software they use is NBU.

To my mind, I'd go with software encryption, but my questions are as follows:

* Can we use software encryption within NBU without licensing it? If not, what is required?

* What would be preferred best practice for encryption when the software used is NBU?

Thanks!

PS: I've selected NBU 7.5 but not sure of the version. I'm helping someone else out on this one.

  • Hi Craig,

    I thoroughly recommend reading this:

    https://support.symantec.com/en_US/article.TECH203420.html

    ...afterwards it will all be very clear.

    I suspect the customer will go with NetBackup KMS, especially if they have LTO physical tape technology.

    HTH.

  • Software encryption in NBU does not need additional license - it is included in NBU Standard Client license.

    Our recommendation is normally to go with KMS (hardware) encryption instead.

    Software encryption adds additional load on the client, needs to be configured on each client individually and encryption keys need to be added, maintained, stored for each client.
    It also offers only 56-bit encryption.

    Some reading matter:

    NetBackup v7.x Whitepaper - Encryption and Key Management Solutions
    http://www.symantec.com/docs/TECH203420 
    Download the pdf from the 'Attachments' link.

5 Replies

  • For tape backup go with KMS

    Client-side encryption: weak - 56-bit. CPU impact on client.

    Media Server encryption: licensed option - complex to configure. Only supports tape.

    KMS: included in NBU. Very easy to configure and use. No impact on operation. Transparent when using, encryption/decryption in hardware. Requires LTO4 and newer. KMS supports other encryption options as well, e.g. disk (via OST plugin) and cloud.

    Tech notes:

    How to install and configure Key Management Service (KMS) encryption on a NetBackup master server

    http://www.symantec.com/docs/TECH67972

    How to verify KMS encrypted the backup

    http://www.symantec.com/docs/TECH127166

  • But if the customer requires data in-flight encryption, you need client-side encryption.

    Data at rest encryption can be provided by KMS

     

  • Other option is MSEO - software encryption at media server.  Needs a license though.