Replace encryption key

dbuzzb · ‎07-09-2018

If I REPLACE the current encryption key on all jobs in Backup Exec 2014, will I be able to restore data from jobs previously run under the old encryption key?

Thank you

Gurvinder · ‎07-09-2018

The old ones would require earlier pass phrase.

dbuzzb · ‎07-09-2018

Thank you, Gurv.

So to be clear,I can replace the encryption key and just keep the old passphrase for older restores. And the same thing I I create a new encryption key - just don't delete the old one?

Gurvinder · ‎07-09-2018

Yes. You can restores sets with the pass phrase used with respective backups.

dbuzzb · ‎07-09-2018

Thank you for the quick responses Gurv.

Have you done this (replace keys, use old passphrases) in a production environment?

Gurvinder · ‎07-09-2018

Have seen customers use different pass phrase for different backup jobs. The pass phrase is the key used to encrypt the data and that same pass phrase will be needed during restore when data is being decrypted to restore.

You can test it out as well

Colin_Weaver · ‎07-09-2018

If you either use multiple encryption keys or periodically change encryption keys (or both) then please make sure you keep accurate records of which encryption keys were used with which jobs and/or on what date ranges they were in use. As when it comes to a restore you will need the specific key used on the specific date (or specific instance of the job)

Obviously if you have added new keys and just stopped using the old ones (but not deleted them) then this makes restores easier, but you do have to protect for loss of the BE server (or an admin accidentally deleting old keys) when needing to do restores.

Also note that encryption keys have 3 attributes, 2 of which are important for your records.

- Name of key: not critically important but helps you organize your records
- Passphrase: very important
- Encryption key type (bit level) : very important.

VOX

Replace encryption key