cancel
Showing results for 
Search instead for 
Did you mean: 

Restoring encrypted tape at DR site

I'm contemplating encypting my tapes using hardware encryption and the encryption key generated by Backup Exec.  At my DR site I am just guaranteed to have LTO-4 drives (no specific make/model).  If I do a fresh install of Backup Exec at the DR site and then generate an encryption key with the same passphrase that was used to generate the key that was used to backup up the tape, will I be able to restore the tape?  If not, what procdures will I need to put in place to ensure that I can restore the tapes at my DR site?

1 Solution

Accepted Solutions
Accepted Solution!

When you try to restore an

When you try to restore an encrypted tape in any BE which does not have the encryption key, BE will prompt you for the passphrase.  You just need to enter the correct passphrase and the job will continue.  You can also create the encryption key with the passphrase before the start of the job.  In this case, there will be no prompt since the encryption key is already available to BE.

You can do the following test

1) create a new encryption key using a new passphrase.

2) do a backup using this new encryption key.  You have have multiple encryption keys at the same time and you can have different jobs using different encryption keys.

3) delete the new encryption key

4) try a restore on this system.  This would be equivalent to doing the restore at the DR site.

The above test will not affect your existing jobs and their encryption keys.

View solution in original post

7 Replies

You will need to have a

You will need to have a backup of the Backup Exec database. The record of the Encryption key is kept in the Backup Exec database.  

Also, if you have a copy of the catalogs folder from after the most recent backup you won't have to recatalog the tapes you are restoring from. 

Here is a helpful discussion on this topic: https://www-secure.symantec.com/connect/forums/how-recover-backup-exec-server-offsite-encrypted-tape...

This seems to indicate that

This seems to indicate that you can generate a new encryption key on a new install of Backup Exec using the same passphrase and be able to restore the encrypted tape.

http://www.symantec.com/docs/HOWTO22978

Accepted Solution!

When you try to restore an

When you try to restore an encrypted tape in any BE which does not have the encryption key, BE will prompt you for the passphrase.  You just need to enter the correct passphrase and the job will continue.  You can also create the encryption key with the passphrase before the start of the job.  In this case, there will be no prompt since the encryption key is already available to BE.

You can do the following test

1) create a new encryption key using a new passphrase.

2) do a backup using this new encryption key.  You have have multiple encryption keys at the same time and you can have different jobs using different encryption keys.

3) delete the new encryption key

4) try a restore on this system.  This would be equivalent to doing the restore at the DR site.

The above test will not affect your existing jobs and their encryption keys.

View solution in original post

I followed the instructions

I followed the instructions above.  At step #4 I was prompted to recreate the key.  I did that and it allowed me to view the catalog contents.  When I then ran the restore, it failed with the below error.  I can't seem to get past this.  I have LTO-3 drives in a Quantum i40 library.

V-79-57344-33860 - An error occurred while scanning the catalogs. The job will not continue.

Check for the following:

 - low virtual memory conditions

 - a corrupt or truncated catalog

 - that the media you are restoring has not been overwritten

 

What I needed to do to get

What I needed to do to get past this was delete the restore selection list.  I had deleted the restore job but not the selection list.

Did you managed to get a

Did you managed to get a successful restore.  If not, catalog the tape before running the restore.  The catalog job should be run at the DR site to read the contents of the tape before it can be restored.  I forgot about this step.

Yes all is working as you

Yes all is working as you described now.  I appreciate your advice.  It was very helpful!  DR documents have been updated.  And a label with passphrase being put on each encrypted tape smiley ..... not!