rafanto
Level 5
27 days ago

NBU security questions

Hello,

We have a question; we would appreciate any expert's opinion:

Is there any advantage to using an ECA (external certified authority) or NBCA (NetBackup certified authority)? Are both methods safe? Pros and cons?

The second issue is about encryption: if we have Flex Appliances, where we can enable encryption at the WORM storage server level, is there any need to manage the encryption keys with a KMS, or with an external KMS? At this point we are a little confused.

In short, we do not know if the most practical thing is to let NBU automatically manage the certificates (NBCA) and to handle data-at-rest encryption in the same way. Because if the encryption keys are lost or are not managed correctly, then the data is unrecoverable.

Thanks for your comments.

Greetings

  • If you go through the forum you will see a few golden posts about encryption, and they do have interesting debates.
    For WORM storage (I believe you do have Flex), go to your WORM storage (msdpadm username) and I believe you go to Settings > Enable encryption.
    Usually you will enable KMS with tape (you can use it with WORM as well) and yes, you need to be careful if you enable it, as without it you will not be able to restore the data from tape in a full DR.
    For the encryption at rest, you do not need a KMS to enable it.


  • My first point is that both options make the security team feel better because they check the boxes.

    However, I believe that an external CA is not necessary.
    My recommendation is to use an external key manager if possible. If someone gains access to NetBackup, it's very easy for them to change the keys.

    • rafanto
      Level 5

      Hello, thank you for your response, but I guess that, the other way around, if someone gains access to the external key manager, they could change the keys too...

      Our fear is that, with the current backup tool, encryption keys are handled and backups are stored on tape, and then a few years pass, the keys are lost, and we cannot recover the data...