Forum Discussion

Dav1234
Level 5
4 years ago

Key management system for data encryption

Hello Team,

Master server: Solaris 10

Version: 8.1.1

Media servers: NetBackup appliances 5330 and 5340

We have one master server and 3 media servers (NetBackup appliances). We don't have a tape library in our infra.

Can we configure KMS to encrypt data on disk pools? I know we can configure over Volume pools but here we don't have tape library.

If yes, can you please share the technote that contain configuration of KMS for netbackup appliances?

If not, then how can we encrypt the data going to disk pools (NetBackup appliances)?


  • Hi Dav1234 

    What the OPTDUP_ENCRYPTION = 1 setting means is that data segments sent to a different storage server will be encrypted in flight - this adds an additional layer of protection for that data. Note that these segments will remain encrypted when they land in the target MSDP (the fact they were sent implies that the target pool did not contain this data already - remember that the fingerprint is computed and stored on the unencrypted data).

    As to recommended settings - this really depends on your circumstances and requirements around data security. I would suggest that the settings, whatever you determine, should be consistent across all devices. The additional overhead for encrypting and decrypting each data segment is minimal, so I wouldn't be concerned that you now probably have a mix of encrypted and unencrypted data segments in some disk pools.

    David

16 Replies

  • Hi Dav1234 

    You most certainly can encrypt your data. However, there may be some challenges for you depending on the amount of data you have already protected. I'm assuming here you are referring to MSDP rather than Advanced Disk pools. Setting up KMS for MSDP and Advanced Disk is initially the same as if you were setting up for tape pools.

    For Advanced Disk, refer to the Advanced Disk Storage Solutions Guide for details.

    For MSDP, encryption is usually configured when you first set up a disk pool, and you can optionally choose to use KMS to add further protection to the data. It is possible to enable encryption on an existing disk pool (and here you should refer to the Deduplication Guide for more details - https://www.veritas.com/support/en_US/doc/25074086-127355784-0/v52356307-127355784), but it requires you to update some of the MSDP configuration files. You must note, though, that once done this will only encrypt new data segments being stored in the pool; there is no way to encrypt existing data in the pool (the only option here is to empty the disk pool and start from scratch - this is the challenge).

    If you have the space, you could duplicate images from one MSDP to another to allow you to recreate the MSDP from scratch with encryption enabled.

    Cheers
    David

    •
      Dav1234
      Level 5

      Hello David,

      How do we check whether already encryption is configured for disk pools?

      •
        davidmoline
        Level 6

        Hi Dav1234

        For MSDP look at the properties of the storage server (there are fields for encryption and another for KMS enabled encryption). If they are 1 it means the feature is enabled. 

        For Advanced Disk I believe the storage server type will show as AdvancedDisk_crypt rather than simply AdvancedDisk.

        David
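
Added example (not from this thread, and not Veritas/MSDP code) modelling the two points David makes above: the dedup fingerprint is taken on the plaintext segment, and enabling encryption on an existing pool only affects segments written afterwards, leaving a mix of encrypted and unencrypted segments. The pool class, the key and the stand-in stream cipher are constructed assumptions for illustration only.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Constructed toy model of a dedup pool (not MSDP code). Dedup key = fingerprint
# of the PLAINTEXT segment; only the stored payload is optionally encrypted, and
# the flag is consulted at ingest time, so segments written before encryption
# was enabled stay exactly as they were.

@dataclass
class StoredSegment:
    encrypted: bool
    payload: bytes

def fingerprint(segment: bytes) -> str:
    return hashlib.sha256(segment).hexdigest()

def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 counter keystream); NOT MSDP's cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

class Pool:
    def __init__(self, key: bytes):
        self.key = key
        self.encryption = False  # like a pool set up with encryption off
        self.segments: dict[str, StoredSegment] = {}

    def ingest(self, segment: bytes) -> bool:
        """Store a segment; return True only if it was new and actually written."""
        fp = fingerprint(segment)  # always computed on unencrypted data
        if fp in self.segments:
            return False  # dedup hit: the existing copy is left untouched
        payload = xor_keystream(self.key, segment) if self.encryption else segment
        self.segments[fp] = StoredSegment(self.encryption, payload)
        return True

    def read(self, fp: str) -> bytes:
        s = self.segments[fp]
        return xor_keystream(self.key, s.payload) if s.encrypted else s.payload

    def mix(self) -> tuple[int, int]:
        """(encrypted, unencrypted) segment counts currently in the pool."""
        enc = sum(1 for s in self.segments.values() if s.encrypted)
        return enc, len(self.segments) - enc
```

Flip `pool.encryption` to True after the first ingest and the same segment is a dedup hit that stays in the clear, while a new segment lands encrypted; `mix()` shows the resulting split.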