Forum Discussion

Cletus9000
9 years ago

Encryption - Database Enc vs. Job Specific

From the admin guide, it seems there are two types of encryption, at the global level, the "Backup Exec Database" is encrypted with a key that it seems I have no control over, but that I should backu...
  • Colin_Weaver
    9 years ago

    Database encryption protects the tables that contain security information in your database. The export of the key provides the ability to access a copy of the database (in full) if you have to rebuild your Backup Exec Server. One of the tables that the encryption protects is the one containing the Job Specific Encryption Keys. If you do not have a valid BEDB copy, then after a disaster you lose all your tape overwrite protection, job configuration and security settings (login accounts and encryption keys), so you would have to recreate all this manually in the event of a disaster. (OK, some of it you might still get back if you have the BEDB AND NOT the database encryption key, as we don't encrypt 100% of the database.) In theory good documentation would mean you could recreate most of it, although the exact tape overwrite expiry cannot be recreated. BTW don't store your BEDB and encryption key export in an encrypted backup set, as you would end up in a security loop of having the security access held inside the security barrier with you outside.

     

    Job Specific Encryption keys are used to encrypt the data inside your backup media (they are created using passphrases and stored inside the encrypted parts of the BEDB). These keys mean that if anyone steals your tapes they need these keys to restore anything. Passphrases for encryption keys (including historical use of different keys) should be maintained in a secure location just in case something happens to the Backup Exec server (and you do not have a copy of the BEDB and the exported database encryption key). If you have these passphrases you should always be able to recreate them even if you don't have the BEDB. Advice, however, is of course do not keep the passphrases in the same place as your backup media (tapes etc.).

    So suggestions to protect for your backup server are:

    Store the backup set/job encryption keys in a firesafe and include details of historical changes to their use. Do not store these keys with any tapes or other detachable media.

    Store the export of the BEDB key somewhere safe too (and if being really secure not immediately with the copy of your BEDB)

    Take regular copies of your BEDB (and Time Matched Catalogs folder) - these both change every time you run backups
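
The "security loop" and the fallback role of passphrases described in the answer above can be checked mechanically before a disaster happens. The following is an added example, not part of the original post and not Backup Exec code; the artifact names and the three storage plans are constructed for illustration.

```python
# Added example: which recovery goals survive total loss of the backup server?
# Artifact names and storage plans are hypothetical, built from the answer above.

OFFLINE = [set()]                 # readable with nothing else in hand (firesafe, plain copy)
IN_ENCRYPTED_SET = [{"job_key"}]  # exists only inside a backup set encrypted with the job key
MISSING = []                      # no copy kept anywhere

def make_plan(bedb_copy, db_key_export, passphrase):
    """Map each artifact to its alternative prerequisites (any one set suffices)."""
    return {
        "bedb_copy": bedb_copy,
        "db_key_export": db_key_export,
        "passphrase": passphrase,
        # Job keys sit in the encrypted part of the BEDB, or are recreated from the passphrase.
        "job_key": [{"bedb_copy", "db_key_export"}, {"passphrase"}],
        "restored_data": [{"job_key"}],
        # Simplification: the answer notes part of the BEDB is readable without the key.
        "job_config": [{"bedb_copy", "db_key_export"}],
    }

def recoverable(plan):
    """Least fixed point: keep adding artifacts whose prerequisites are all in hand."""
    have, changed = set(), True
    while changed:
        changed = False
        for artifact, ways in plan.items():
            if artifact not in have and any(needs <= have for needs in ways):
                have.add(artifact)
                changed = True
    return have

def stranded(plan, goals):
    """Goals that can never be reached; a circular dependency shows up here."""
    return sorted(set(goals) - recoverable(plan))

GOALS = ["restored_data", "job_config"]
LOOPED = make_plan(IN_ENCRYPTED_SET, IN_ENCRYPTED_SET, MISSING)  # the security loop
PASSPHRASE_ONLY = make_plan(MISSING, MISSING, OFFLINE)           # firesafe only, no BEDB
SAFE = make_plan(OFFLINE, OFFLINE, OFFLINE)                      # the suggested setup

if __name__ == "__main__":
    for name, plan in [("looped", LOOPED), ("passphrase only", PASSPHRASE_ONLY), ("safe", SAFE)]:
        print(f"{name}: stranded goals = {stranded(plan, GOALS)}")
```
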