I've implemented a Backup Exec 15 solution to back up our data (including NDMP, VMs, Domino). We are only doing backup to tape (LTO-5).
It works fine :)
Now my manager asks me if it is possible to encrypt the tapes that we export from the company. We have the following concept:
Friday -> Full Backup
Monday to Thursday -> Differential Backup
So basically I have 2 sub jobs, one for the full, one for the differential backup.
Each week we take the tapes of Friday and Wednesday to put them in an external safe.
Now what happens if someone steals the tapes? Well, he can easily read the data, which is not acceptable :)
The idea is to implement the encryption. I've made some tests using hardware encryption (T10 compatible drive) and we achieve the same rates as without encryption!
The question is: is it possible / supported to encrypt only the tapes we export? That means Friday and Wednesday. For Friday I would have to enable encryption for this sub-job, and for Wednesday I would create another sub-job dedicated to Wednesday, where I would enable encryption too.
So finally Monday, Tuesday and Thursday: unencrypted differential backups
Wednesday: encrypted differential backup
Friday: encrypted full backup
Yes, encryption is configurable per job, so some jobs can have encryption and some not. But, as you have discovered, using hardware encryption has almost no performance penalty, so you could use it for everything if that is easier.
OK, I have a weekly "Windows Server backup" of the server, so it should do the trick. I've tested and I can even extract the BEDB.bak from the DATA folder. In case of a crash, I could then restore it from this automatic backup.
If you encrypt the backup containing the bedb.bak then you will still need the passphrase, as how will you get the bedb.bak restored without it? So keep records of your passphrases, including historical changes, in a secure location that is not next to your tapes, and/or make sure the bedb.bak is not in an encrypted backup itself. In fact, the best option for bedb.bak might be as simple as a file copy to a server at another site, so that it can be recovered without getting Backup Exec fully operational first.
Oh! And if using BE 15 (possibly FP1), be aware that we encrypt parts of the BEDB itself and you will need to ensure you have backups of the keys for this as well.