cancel
Showing results for 
Search instead for 
Did you mean: 

Question about Backup Exec encryption

s90
Level 2

Hello,

I've implemented a Backup Exec 15 solution to back up our data (including NDMP, VMs, Domino). We are only doing backup to tape (LTO-5)

It works fine :)
 

Now my manager asks me if it is possible to encrypt the tapes that we export from the company. We have the following concept :

Friday -> Full Backup

Monday to Thursday -> Differential Backup

So basically I have 2 sub jobs, one for the full, one for the differential backup.

Each week we take the tapes of friday and wednesday to put them in a external safe.

Now what happens if someon steals the tapes ? Well he can easily read the data which is not acceptable :)

The idea is to implement the encryption. I've made some tests, using hardware encryption (T10 compatible drive) and we achieve the same rates than without encryption !

The question is : is it possible / supported to encrypt only the tapes we export. It means Friday and wednesday. For friday I would have to enable encryption for this sub-job, and for wednesday I would create another sub-job which is wednesday dedicated, where I would enable encryption too.

So finally Monday, tuesday and thursday : un-encrypted differential backups

Wednesday : encrypted differential backup

Friday : encrypted full backup

Thank you

5 REPLIES 5

Larry_Fine
Moderator
Moderator
   VIP   

Yes, encryption is configuratble per job.  so, some jobs can have encryption and some not.  But, as you have discovered, using hardware encryption has almost no performance penalty, so you could use it for everything if that is easier.

s90
Level 2

Thank you Larry,

Assuming a server room crash, if we Install a brand new BE server, is the passphrase the only thing necessary to then catalog / restore data from our tapes ?

Thank you

VJware
Level 6
Employee Accredited Certified

Having a copy of the BEDB is beneficial as it stores the encryption keys. If this isn't available, then using the original passphrase you can recreate the keys and restore the data.
 

s90
Level 2

Ok, I have a weekly "Windows Server backup" of the server, so it should do the trick. I've tested and I can even extract the BEDB.bak from the DATA folder. In case of crash, I could then restore it from this automatic backup.

Colin_Weaver
Moderator
Moderator
Employee Accredited Certified

If you encrypt the backup containing the bedb.bak then you will still need the passphrase as how will you get the bedb.bak restored without it. So keep records of your passphrases including historical changes in a secure location that is not next to your tapes and/or make sure the bedb.bak is not in an encrypted backup itself - in fact best option for bedb.bak might be as simple as a file copy to a server at another site so that it can be recovered without getting Backup Exec fully operational first

 

Oh! and if using BE 15 (possibly FP1) be aware that we encrypt parts of the BEDB itself and you will need to ensure you have backups of the keys for this as well.