12-14-2011 08:12 PM
You can protect the backup data by giving a password.
Do the following to achieve the same...
1.Open backup exec
2.Select the data to be backed up or edit the job definition
3.Click on devices and media tab
4.Select "Password protect media" option and give the password.
5.Run the job.
When a password-protected media is taken to another location, such as
another media server, the password is required to catalog the tape.\
There is no direct way to prevent a user from restoring the backed up tapes
on the media server.
However, you can delete the existing catalog from the server. In this way, catalog should be run before restore. As the tapes were password protected, password will be required for cataloging the tapes.
1. Create a backup job by specifying password in the "Password protect media", as mentioned in the earlier mail
2. Go to Devices tab > double click the media shown in the upper right pane and compare the Media ID shown with the file name present in the \program files\Veritas\Backup Exec\Catalogs folder. This file is related with the catalog of the tape.
You can delete this file after stopping all Backup Exec services. After deleting this file the backed up data will not be listed in the Restore selections. When the restore is required, you need to run catalog with password specified in the catalog job. Otherwise, the catalog will not run.
Please note that there is no way to restore the data from the tapes without the password, when the tapes are password protected.
Password protect media
Password protect a tape with Backup Exec 9.x and 10.0:
1. Select Device and Media in the left pane of Backup Job Properties
2. In the right pane, select the Password protect media check box
3. Enter a password and click OK (see Figure 4)
4. Submit the job to overwrite media
Note: Appending to a tape with a job that has a Password and Confirm Password defined will not password protect that tape
Important Note: Password protecting a tape is a non-reversible action. If the password is misplaced, the data on the tape will be irretrievable by Backup Exec, without exception. Please exercise great care in password protecting any media.
Password protected media can be erased without requiring the password.
Using Encryption with Backup Exec
Backup Exec provides the ability to encrypt data, which helps us in protecting data from unauthorized access. Backup Exec provide the Software Encryption, but it also supports some devices that provide Hardware Encryption with the T10 standard.
Backup Exec supports two security levels of encryption: 128-bit Advanced Encryption Standard (AES) and 256-bit Advanced Encryption Standard. For 128-bit AES pass phrase must be atleast 8 characters, whereas 256-bit AES pass phrase must be atleast 16 characters. The 256-bit AES encryption provides a stronger level of security because the key is longer for 256-bit AES than for 128-bit AES. However, 128-bit AES encryption enables backup jobs to process more quickly.
When you install Backup Exec, the installation program installs the necessary encryption software on the media server and on remote computers that use the Remote Agent. Backup Exec can encrypt data at a computer that uses the Remote Agent, and then transfer the encrypted data to the media server. Backup Exec then writes the encrypted data on a set-by-set basis to tape or to a backup-to-disk folder.
Software compression can be used along with the encryption option. First BE compresses the files, and then encrypts them. However, backup jobs take longer to complete when you use both encryption and software compression.
Configuration:
I followed the first method in the video.
To create an encryption key
Common: Any user of this installation of Backup Exec can use the key to back up and restore data.
Restricted: Anyone can use the key to back up data, but only the key owner or a user who knows the pass phrase can use the key to restore the encrypted data.
Selecting An Encryption Key For A Backup Job:
Hope this article helps...
12-14-2011 10:37 PM
...good enough to be an article, NOT a forum query
I'd suggest you resubmit as an article...good work!
12-14-2011 11:07 PM
BE 9 & 10 are very old versions and would not be of much interest to most of the users in this forum who have moved on. However, using an encryption key to encrypt the data is valid for the newer versions of BE.
01-20-2012 07:11 AM
Thank you for this article!
How safe is an encrypted tape when it falls in wrong hands?
Kind regards,
M. Verkerk
01-20-2012 07:15 AM
...if they don't have the encryption key, it's fairly safe. It won't stop someone trying to crack it though.
01-20-2012 07:57 AM
As an aside for anyone with 9.x 10.x as it was mentioned in the initial post , the password protection with those versions was very basic and could be bypassed in numerous ways - which is why it changed in 11D and upwards to full encryption.
Also if you are planning an upgrade from 9.x or 10.x to later versions, always remove the media passwords from jobs prior to the upgarde and then add encryption settings back in after the upgrade. Failure to do this can result in media with both a password and encryption that can cause problems when it comes to a restore.
01-23-2012 08:10 AM
Thank you both for your reply and the information!
I'm using Backup Exec 12.5 and it is a new installation. So that's must be ok!
Kind regards,
M. Verkerk
12-16-2019 05:46 AM
is there a way to encryp old unencrypted tapes?