Backup Exec backing up to a PGP whole disk protected target & then replicating to a DR site!

Level 3
Partner Accredited

Good evening Connect community

I have just been in a long discussion with a customer around ways to achieve the following:

  • Backup using Backup Exec 2010 R3
  • Encrypt the backup to disk (no tape anywhere in the solution)
  • Replicate the backup sets to a DR site

Initially I suggested Backup Exec + Dedupe Option (at both primary and DR site) + CASO to satisfy efficient backup to a disk-based backup setup, plus deliver the ability to replicate the backup set (via optimised duplication) to the DR site. What I didn't realise is that media server encryption and deduplication are not compatible... we've gone around the houses with options:

  • Encrypt using Backup Exec, then replicate using a 3rd party tool like Doubletake
  • Don't bother with encryption as the dedupe data on the hard disks means nothing without the catalog
  • Encrypt the disk backup target using PGP whole disk encryption

After discussing for a long while, the 3rd option, backing up to a disk target that has PGP whole disk encryption running, seems the preference, but I have no experience of this in practice and neither does anyone on Symantec pre-sales.

Your thoughts and suggestions are very, very welcome!!



Level 6
Employee Accredited Certified

Never come across this, though I did find a KB article written by the PGP folks...

Backup PGP Whole Disk Encrypted Systems -

   VIP    Certified

A better option is to enable compression and encryption in the dedup folder using the dedup engine. See the documents below.

Level 5
Employee Accredited

In 2010 R3, the dedupe store has compression enabled by default.

To enable encryption, follow this doc:

This will encrypt the data on disk and during opt-dupe.

Level 6

Symantec Pre-sales should have mentioned, as others here have, that there is encryption you can enable with BackupExec by itself via the GUI for normal backups.

If using deduplication, just enable the encryption flag in the PDCONF file on any client that needs it, or within the media server.  

You choose one or the other, not both!  The RAWS agent would encrypt the data, before the dedupe process got to it.  Thus no deduplication if the GUI encryption was enabled.

You can replicate the dedupe store to another BackupExec server through a duplicate job and CASO.  Again, you can turn on the encryption flag in the PDCONF file.  Though data in flight, I believe, is encrypted by default; it's just what's written to disk that can be turned on or off.

Note, this isn't true manageable encryption like PGP offers, native BE client encryption, or LTO4 encryption, as there is no KMS (Key Management Server).  It's either on or off, with no key to manage.  So depending on the business requirements, it may or may not satisfy the compliance rules/laws/regulations that the business follows.
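
Added example (not part of the thread and not Backup Exec code): a small simulation of the point made above that encrypting at the agent before the dedupe engine sees the data leaves nothing to deduplicate, while deduplicating first and encrypting the stored chunks keeps the savings. It assumes fixed-size chunks, a fresh nonce per backup job, and a toy SHA-256 keystream standing in for a real cipher; all names are hypothetical.

```python
import hashlib
import os

CHUNK = 4096  # assumption: fixed-size chunks; real dedupe engines segment differently


def keystream_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream (stand-in for a real cipher, not for production)."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)


def store(chunk_index: set, stream: bytes) -> int:
    """Fingerprint each chunk; return how many NEW chunks had to be written."""
    new = 0
    for off in range(0, len(stream), CHUNK):
        fp = hashlib.sha256(stream[off:off + CHUNK]).digest()
        if fp not in chunk_index:
            chunk_index.add(fp)
            new += 1
    return new


def compare(nights: int = 3, chunks_per_backup: int = 64) -> dict:
    """Back up the same constructed data set several nights running, both ways."""
    data = os.urandom(CHUNK * chunks_per_backup)  # constructed sample data
    key = os.urandom(32)
    plain_index, enc_index = set(), set()
    plain_written = enc_written = 0
    for _ in range(nights):
        # Path A: dedupe sees plaintext; the store would encrypt chunks at rest afterwards.
        plain_written += store(plain_index, data)
        # Path B: agent encrypts first (fresh nonce per job), dedupe only sees ciphertext.
        ciphertext = keystream_encrypt(data, key, os.urandom(16))
        enc_written += store(enc_index, ciphertext)
    return {"dedupe_then_encrypt": plain_written, "encrypt_then_dedupe": enc_written}


if __name__ == "__main__":
    print(compare())
```

With three identical nightly backups, path A writes the 64 chunks once, while path B writes every chunk again each night because identical plaintext never produces matching fingerprints once encrypted.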