cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

Backup Exec 12.5 - security and encryption

Jim_12358
Level 3

‎10-12-2009 12:23 PM

It looks as if encryption is set to 'None' by defaut on Backup Exec 12.5

Should we be using the encryption options ?

What protection is there to be had by default should someone mislay a tape/USB portable disk on the way home from work on the bus or tube if backup media is being taken offsite.

Would any would be perpertrator require the knowledge of any passwords in order to perform any restores from the media if encryption was not in use ?

0 Kudos
5 REPLIES 5

Colin_Weaver
Moderator
Moderator
Employee Accredited Certified

‎10-12-2009 01:03 PM

 Encryption is set to None by default because you can't use it without defining a key using a passphrase. Additionally if you want to use hardware encryption you need the correct (supported) hardware

Without encryption if your tape mislaid and ends up in undesirable hands your data is public - no knowledge of passwords would be needed - unless users have password protected files themselves - and even then it would not take long to access the data.

With encryption - all I can say is don't forget the passphrase and make sure it is in a fire safe - just in case. As even Symantec will not be able to decrypt it
0 Kudos

CraigV
Moderator
Moderator
Partner    VIP    Accredited

‎10-12-2009 01:14 PM

Hi Jim,

Give these a read:

http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-customer_faqs_8-2008_14522949-1.en-us.pdf

http://seer.entsupport.symantec.com/docs/311713.htm - Best practice for Software Encryption

0 Kudos

Jim_12358
Level 3

‎10-13-2009 02:20 PM

So deploying the encryption option is the only avenue available ?

And Colin you are saying that anyone could pick up a USB drive and connect t to a suitable Backup Exec installation and easily restore the contents of the backup archive files ?

..without needing to know any backup administrator account passwords ?
0 Kudos

teiva-boy
Level 6

‎10-13-2009 04:30 PM

 Basically, as Colin mentioned,if you do not enable any software encryption, just about anyone smart enough can read the backup data with little fuss.  Plug it in, restore with BE or even NT Backup, and bam!  All of your data readable.

Using Software encryption, all data is encrypted on the source, sent over the LAN encrypted, and written to disk/tape in an encrypted format.  That would be preferred in your scenario given.

Without the encryption passphrase, the files are useless.  
0 Kudos

Colin_Weaver
Moderator
Moderator
Employee Accredited Certified

‎10-14-2009 01:38 AM

Backup Exec supports a redirect restore - and anyone can download the trialware version of Backup Exec and use it for 60 days

So if someone gets hold of your USB drive or tape and installs Backup Exec somewhere

They can catalog the backup set and then do a redirected restore to wherever they want - thus bypassing any NTFS/Domain Security and leaving the files available to be opened.

Also as has been mentioned in another members response - some types of Backup Exec sets can be read by NTBackup or other company's backup products - so they potentially do not even need Backup Exec.

Encryption forces you to restore with Backup Exec - and requires you to have created/enabled the correct encryption key using a (hopefully long) Passphrase


0 Kudos