cancel
Showing results for 
Search instead for 
Did you mean: 

Backup Exec 2010 R3 encryption options & management

Lance_Williams
Level 3
Partner Accredited

Afternoon All

Does anyone have a link to a white paper or tech note around Backup Exec 2010 R3 encryption options? The customer I am working with has a requirement from their auditors to encrypt tape backups and they need to do this on the Backup Exec media server as opposed the tape hardware.

They had a specific question around key management and backups of the keys i.e. are the keys themselves backed up? What options are there around protection against the media server failing as if they MS is lost so too would the keys.

Any pointers, advice or black & white info would be great.

Thanks

6 REPLIES 6

Lance_Williams
Level 3
Partner Accredited

Is this the best article? What are opinions on media server encryption versus tape drive hardware encryption? Which is better?

http://www.symantec.com/docs/HOWTO22978

teiva-boy
Level 6

You can encrypt at the client level, or in hardware.

Hardware is almost always better.  The software encryption suffers from overhead, and will increase CPU load on the clients upwards of 2-4X what it's using now.  Hardware has a <1% impact on overall throughput.

Just remember to write down your keys!

pkh
Moderator
Moderator
   VIP    Certified

It you want to "protect" BE, then make sure that you have the most recent copy of the Data and Catalog directories under the BE installation directory, especially the Data directory where the BEDB resides.

Lance_Williams
Level 3
Partner Accredited

Thank you to both of you.

teiva-boy: can the overhead be found in any documentation, like the BE admin guide? Also, by client-level, I assume you mean media server? As the customer needs to present a business case (swapping from a competitive technology) as well as satify their audit requirements, I need to provide documentation to backup any suggestions I make. Thanks for the tup on the keys! I didn't realise it was such a manual process! I guess that's where NetBackup and the Encryption Option Key Management Server comes handy if NetBackup can be afforded!!

pkh: thanks for the tip; this would be a recommended part of the backup process anyway, but are you saying that the encryption keys are backed up as part of the data/catalog backup?

Thanks

pkh
Moderator
Moderator
   VIP    Certified

Yes.

Colin_Weaver
Moderator
Moderator
Employee Accredited Certified

Protecting the current BEDB can provide a method to rebuild the server with it's keys intact, but you should also keep the keynames and passphrases stored somewhere safe that does not need complex technology to access (oddly enough inside a sealed envelope in a firesafe is often still favorite) as you can regenerate the keys from the passphrases.

Lose both the passphrases and any backups of your bedb and no data recovery is possible.