I have a client who would like to encrypt data on tape to secure the data when held off site. As they wish to stage the backup data first to a deduplication folder before (duplicating to tape), they do not want to encrypt on the client as this would zero out any deduplication benefits. Can Backup Exec achieve this in software, or could it only perhaps be achieved by using a hardware encryption (T10) solution and just let Backup Exec manage the encryption keys?
Software encryption would encrypt data on the remote server & data cannot be deduped when encrypted...
Hardware encryption could work in this case as data would be first written to the device & then encrypted....
You can encrypt data with BackupExec 2010 and NOT affect dedupe, very easily. Change the PDCONF file on the client to enable encryption. Simple as changing a 0 to a 1. It's a text file, it's not rocket science to figure out.
The dedupe agent starts streaming the data and encrypting it in flight, the BE agent then sends the data to the media server and stores it to the dedupe folder, deduplicated and encrypted. You can even turn on compression on the client too, to further reduce what is sent over the wire. But note that both compression and encryption cause higher CPU use on the clients.
Remember you have to enable this in the PDCONF and not in the GUI or policy/job settings. Since the dedupe engine is fully integrated into BackupExec, merely bolted on through acquisition.
Later when you duplicate to tape, data is unencrypted, streamed to tape, and LTO4/5 can be used here for tape encryption just fine.