Does anyone have a link to a white paper or tech note around Backup Exec 2010 R3 encryption options? The customer I am working with has a requirement from their auditors to encrypt tape backups and they need to do this on the Backup Exec media server as opposed to the tape hardware.
They had a specific question around key management and backups of the keys, i.e. are the keys themselves backed up? What options are there around protection against the media server failing, as if the MS is lost so too would the keys.
Any pointers, advice or black & white info would be great.
You can encrypt at the client level, or in hardware.
Hardware is almost always better. The software encryption suffers from overhead, and will increase CPU load on the clients upwards of 2-4X what it's using now. Hardware has a <1% impact on overall throughput.
Just remember to write down your keys!
If you want to "protect" BE, then make sure that you have the most recent copy of the Data and Catalog directories under the BE installation directory, especially the Data directory where the BEDB resides.
Thank you to both of you.
teiva-boy: can the overhead be found in any documentation, like the BE admin guide? Also, by client-level, I assume you mean media server? As the customer needs to present a business case (swapping from a competitive technology) as well as satisfy their audit requirements, I need to provide documentation to back up any suggestions I make. Thanks for the tip on the keys! I didn't realise it was such a manual process! I guess that's where NetBackup and the Encryption Option Key Management Server comes in handy if NetBackup can be afforded!!
pkh: thanks for the tip; this would be a recommended part of the backup process anyway, but are you saying that the encryption keys are backed up as part of the data/catalog backup?
Protecting the current BEDB can provide a method to rebuild the server with its keys intact, but you should also keep the keynames and passphrases stored somewhere safe that does not need complex technology to access (oddly enough inside a sealed envelope in a firesafe is often still favorite) as you can regenerate the keys from the passphrases.
Lose both the passphrases and any backups of your bedb and no data recovery is possible.