12-07-2011 08:33 AM
Good evening Connect community
I have just been in a long discussion with a customer around ways to achieve the following:
Initially I suggested Backup Exec + Dedupe Option (at both primary and DR site) + CASO to satisfy efficient backup to a disk-based backup setup, plus deliver the ability to replicate the backup set (via optimised duplication) to the DR site. What I didn't realise is that media server encryption and deduplication are not compatible... we've gone around the houses with options:
After discussing for a long while, the 3rd option, backing up to a disk target that has PGP whole disk encryption running seems the preference but I have no experience of this in practice and neither does anyone on Symantec pre-sales.
Your thoughts and suggestions are very, very welcome!!
Lance
12-07-2011 08:53 AM
Never come across this, though did find a KB article written by the PGP folks...
Backup PGP Whole Disk Encrypted Systems - http://www.symantec.com/docs/TECH149281
12-07-2011 05:47 PM
A better option is to enable compression and encryption in the dedup folder using the dedup engine. See the documents below
12-07-2011 06:08 PM
In 2010 R3, the dedupe store has compression enabled by default.
To enable encryption, follow this doc: http://www.symantec.com/docs/TECH124682
This will encrypt the data on disk and during opt-dupe.
01-18-2012 11:38 AM
Symantec Pre-sales should have mentioned, as others here have, that there is encryption you can enable with BackupExec by itself via the GUI for normal backups.
If using deduplication, just enable the encryption flag in the PDCONF file on any client that needs it, or within the media server.
You choose one or the other, not both! The RAWS agent would encrypt the data, before the dedupe process got to it. Thus no deduplication if the GUI encryption was enabled.
You can replicate the dedupe store to another BackupExec server through a duplicate job and CASO. Again, you can turn on the encryption flag in the PDCONF file. Though data in flight, I believe, is encrypted by default; it's just what's written to disk that can be turned on or off.
Note, this isn't true manageable encryption like PGP offers, native BE client encryption, or LTO4 encryption, as there is no KMS (Key Management Server). It's either on or off, with no key to manage. So depending on the business requirements, it may or may not satisfy the compliance rules/laws/regulations that the business follows.
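
The point in the last post, that data encrypted by the agent before the dedupe process sees it no longer deduplicates, shown as an added example (not part of the thread and not Backup Exec code). The keystream cipher is a standard-library stand-in for a real cipher, and the 4 KiB fixed segments, the key, the per-job nonces and the sample backups are all constructed assumptions.

```python
import hashlib

CHUNK = 4096                    # assumed fixed segment size; real engines pick their own
KEY = b"constructed-demo-key"   # constructed sample key


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (stand-in for a real cipher)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def segments(stream: bytes) -> list:
    return [stream[i:i + CHUNK] for i in range(0, len(stream), CHUNK)]


def nightly_backups() -> list:
    """Constructed sample: two 64-segment backups that differ in one segment."""
    night1 = [hashlib.sha256(i.to_bytes(4, "big")).digest() * 128 for i in range(64)]
    night2 = list(night1)
    night2[10] = hashlib.sha256(b"changed file").digest() * 128
    return [b"".join(night1), b"".join(night2)]


def dedupe_then_encrypt(backups: list, key: bytes) -> int:
    """Engine-side: fingerprint plaintext segments, encrypt only what is kept."""
    store = {}
    for stream in backups:
        for seg in segments(stream):
            fp = hashlib.sha256(seg).digest()
            if fp not in store:
                store[fp] = toy_encrypt(key, fp[:16], seg)  # encrypted at rest
    return len(store)


def encrypt_then_dedupe(backups: list, key: bytes) -> int:
    """Agent-side: each job is encrypted under its own nonce before dedupe."""
    jobs = [toy_encrypt(key, b"job-%d" % n, b) for n, b in enumerate(backups)]
    return len({hashlib.sha256(seg).digest() for j in jobs for seg in segments(j)})


if __name__ == "__main__":
    data = nightly_backups()
    print("segments written, dedupe then encrypt:", dedupe_then_encrypt(data, KEY))
    print("segments written, encrypt then dedupe:", encrypt_then_dedupe(data, KEY))
```

Of the 128 segments sent across the two nights, the first ordering stores only the unique ones, while the second stores every segment because identical plaintext no longer produces identical bytes.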