
Encryption - Database Enc vs. Job Specific

Cletus9000
Level 4

From the admin guide, it seems there are two types of encryption. At the global level, the "Backup Exec Database" is encrypted with a key that it seems I have no control over, but that I should back up to a location.

Then I can further encrypt individual backup jobs with a specific key that I create and is stored, encrypted, in the Backup Exec database.

My question then is really: if I don't back up the database key, would the only downside be that I would have to recreate credential stuff manually? Is there anything that simply won't work without the original key? I'll back up the key anyway, but I'm just curious as to how critical it is to being able to recover/restore jobs.


Accepted Solutions

Colin_Weaver
Moderator
Employee Accredited Certified

Database encryption protects the tables that contain security information in your database. The export of the key provides the ability to access a copy of the database (in full) if you have to rebuild your Backup Exec Server. One of the tables that the encryption protects is the one containing the Job Specific Encryption Keys. If you do not have a valid BEDB copy, then after a disaster you lose all your tape overwrite protection, job configuration and security settings (login accounts and encryption keys), so you would have to recreate all this manually in the event of a disaster. (OK, some of it you might still get back if you have the BEDB AND NOT the database encryption key, as we don't encrypt 100% of the database.) In theory good documentation would mean you could recreate most of it, although the exact tape overwrite expiry cannot be recreated. BTW, don't store your BEDB and encryption key export in an encrypted backup set, as you would end up in a security loop of having the security access held inside the security barrier with you outside.

Job Specific Encryption keys are used to encrypt the data inside your backup media (they are created using passphrases and stored inside the encrypted parts of the BEDB). These keys mean that if anyone steals your tapes they need these keys to restore anything. Passphrases for encryption keys (including historical use of different keys) should be maintained in a secure location just in case something happens to the Backup Exec server (and you do not have a copy of the BEDB and the exported database encryption key). If you have these passphrases you should always be able to recreate them even if you don't have the BEDB. Advice, however, is of course do not keep the passphrases in the same place as your backup media (tapes etc.).

So suggestions to protect your backup server are:

Store the backup set/job encryption keys in a firesafe and include details of historical changes to their use. Do not store these keys with any tapes or other detachable media.

Store the export of the BEDB key somewhere safe too (and if being really secure not immediately with the copy of your BEDB)

Take regular copies of your BEDB (and Time Matched Catalogs folder) - these both change every time you run backups
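
The "security loop" and the storage suggestions in the answer above can be checked as a recovery-dependency model. This is an added example, not part of the original post and not Backup Exec code; the item names, location names and the three layouts are assumptions chosen for illustration.

```python
# Added illustration: a simplified model; names are assumptions, not Backup Exec objects.
# Items needed to open each storage location once the backup server is lost.
OPENS_WITH = {
    "firesafe": set(),
    "offsite_disk": set(),
    "encrypted_backup_set": {"job_key"},
}
# Items that can be rebuilt from other items (any one alternative suffices).
DERIVE = {
    "bedb_full_access": [{"bedb_copy", "db_key_export"}],
    "job_key": [{"passphrase_record"}, {"bedb_full_access"}],
}


def recoverable(stored_in):
    """Return the items reachable after total loss of the server.

    stored_in maps item -> set of locations holding a copy of it.
    """
    have, changed = set(), True
    while changed:  # iterate to a fixed point
        changed = False
        for item, locations in stored_in.items():
            if item not in have and any(OPENS_WITH[loc] <= have for loc in locations):
                have.add(item)
                changed = True
        for item, alternatives in DERIVE.items():
            if item not in have and any(needs <= have for needs in alternatives):
                have.add(item)
                changed = True
    return have


LOOPED = {  # BEDB copy and key export kept only inside encrypted backup sets
    "backup_data": {"encrypted_backup_set"},
    "bedb_copy": {"encrypted_backup_set"},
    "db_key_export": {"encrypted_backup_set"},
}
SEPARATED = {  # layout following the suggestions in the answer
    "backup_data": {"encrypted_backup_set"},
    "bedb_copy": {"offsite_disk"},
    "db_key_export": {"firesafe"},
    "passphrase_record": {"firesafe"},
}
PASSPHRASES_ONLY = {  # no BEDB copy at all, but passphrases were recorded
    "backup_data": {"encrypted_backup_set"},
    "passphrase_record": {"firesafe"},
}

if __name__ == "__main__":
    for name, layout in [("looped", LOOPED), ("separated", SEPARATED),
                         ("passphrases only", PASSPHRASES_ONLY)]:
        print(f"{name}: {sorted(recoverable(layout))}")
```

In the looped layout nothing is recoverable, while recorded passphrases alone still reach the backup data but not the job configuration held in the BEDB.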

 

 
