Hardware encryption

Alex_Zn
Level 6
Partner Accredited

I need to set up hardware encryption on an MSL2024. In the HP document I see the procedure for creating key tokens, and all key management is performed through the library. But in the BE admin guide I see that it is possible to set up key management through Backup Exec.

1. What steps do I need to correctly set up encryption?

2. If I enable encryption on the library, do I need some workaround on the BE server?

 

Accepted Solutions

teiva-boy
Level 6

If it's a supported tape unit with encryption, you can set up the keys within BackupExec, and it will toggle the encryption key upon writing data, and pass the key to it for the encryption engine.

Alternatively, you do not have to use BackupExec at all. You can enter the key in the library console and do all key management that way. This way is almost foolproof, though more cumbersome.

The BackupExec method is easier to manage, but again, it has to be a tested and supported library, which most HP MSL units are...


5 REPLIES

pkh
Moderator

1) Check that your tape drive supports hardware encryption. LTO4 and LTO5 do, but not LTO3 and below.

2) Go to Tools --> Options --> Network and Security to set up your encryption keys. Make sure that you remember your passphrase. Once the data is encrypted, you cannot decrypt the data without the passphrase and there is no way to retrieve a lost passphrase.

3) In your job properties, under Network and Security, select the encryption key to use to encrypt the data and specify hardware encryption.

Alex_Zn
Level 6
Partner Accredited

Do I need to constantly keep the key token attached to perform backup/restore operations? Or do I need it just for restore?

In the vendor documentation I see that keys are needed for read but not for write.

pkh
Moderator

When you use the library's key management function, you are responsible for decrypting the tape before the data is passed to BE. BE will not know that the tape is encrypted. When you use the encrypted tape on another tape drive/library, that device must be capable of decrypting the tape before it can be used by BE.

If you use the BE encryption feature and you use the encrypted tape on another tape drive/library or another media server, you would be prompted for the BE encryption passphrase if it is not present.