Good evening Connect community
I have just been in a long discussion with a customer around ways to achieve the following:
Initially I suggested Backup Exec + Dedupe Option (at both primary and DR site) + CASO to satisfy efficient backup to a disk-based backup setup, plus deliver the ability to replicate the backup set (via optimised duplication) to the DR site. What I didn't realise is that media server encryption and deduplication are not compatible... we've gone around the houses with options:
After discussing for a long while, the 3rd option, backing up to a disk target that has PGP whole disk encryption running seems the preference but I have no experience of this in practice and neither does anyone on Symantec pre-sales.
Your thoughts and suggestions are very, very welcome!!
Symantec Pre-sales should have mentioned as others here, there is encryption you can enable with BackupExec by itself via the GUI for normal backups.
If using deduplication, just enable the encryption flag in the PDCONF file on any client that needs it, or within the media server.
You choose one or the other, not both! The RAWS agent would encrypt the data, before the dedupe process got to it. Thus no deduplication if the GUI encryption was enabled.
You can replicate the dedupe store to another BackupExec server through a duplicate job and CASO. Again, you can turn on the encryption flag in the PDCONF file. Though, data in flight I believe is encrypted by default, it's just whats written to disk can be turned on or off.
Note, this isn't true managable encryption like PGP offers, native BE client encryption, or LTO4 encrpytion; as there is no KMS (Kkey Management server). It's either on or off, with no key to manage. So depending on the business requirements, it may or may not satisfy the compliance rules/laws/regulations that the business follows.