cancel
Showing results for 
Search instead for 
Did you mean: 

Restoring encrypted tape at DR site

Doug_Dockter
Level 4

I'm contemplating encypting my tapes using hardware encryption and the encryption key generated by Backup Exec.  At my DR site I am just guaranteed to have LTO-4 drives (no specific make/model).  If I do a fresh install of Backup Exec at the DR site and then generate an encryption key with the same passphrase that was used to generate the key that was used to backup up the tape, will I be able to restore the tape?  If not, what procdures will I need to put in place to ensure that I can restore the tapes at my DR site?

1 ACCEPTED SOLUTION

Accepted Solutions

pkh
Moderator
Moderator
   VIP    Certified

When you try to restore an encrypted tape in any BE which does not have the encryption key, BE will prompt you for the passphrase.  You just need to enter the correct passphrase and the job will continue.  You can also create the encryption key with the passphrase before the start of the job.  In this case, there will be no prompt since the encryption key is already available to BE.

You can do the following test

1) create a new encryption key using a new passphrase.

2) do a backup using this new encryption key.  You have have multiple encryption keys at the same time and you can have different jobs using different encryption keys.

3) delete the new encryption key

4) try a restore on this system.  This would be equivalent to doing the restore at the DR site.

The above test will not affect your existing jobs and their encryption keys.

View solution in original post

7 REPLIES 7

lmosla
Level 6

You will need to have a backup of the Backup Exec database. The record of the Encryption key is kept in the Backup Exec database.  

Also, if you have a copy of the catalogs folder from after the most recent backup you won't have to recatalog the tapes you are restoring from. 

Here is a helpful discussion on this topic: https://www-secure.symantec.com/connect/forums/how-recover-backup-exec-server-offsite-encrypted-tape...

Doug_Dockter
Level 4

This seems to indicate that you can generate a new encryption key on a new install of Backup Exec using the same passphrase and be able to restore the encrypted tape.

http://www.symantec.com/docs/HOWTO22978

pkh
Moderator
Moderator
   VIP    Certified

When you try to restore an encrypted tape in any BE which does not have the encryption key, BE will prompt you for the passphrase.  You just need to enter the correct passphrase and the job will continue.  You can also create the encryption key with the passphrase before the start of the job.  In this case, there will be no prompt since the encryption key is already available to BE.

You can do the following test

1) create a new encryption key using a new passphrase.

2) do a backup using this new encryption key.  You have have multiple encryption keys at the same time and you can have different jobs using different encryption keys.

3) delete the new encryption key

4) try a restore on this system.  This would be equivalent to doing the restore at the DR site.

The above test will not affect your existing jobs and their encryption keys.

Doug_Dockter
Level 4

I followed the instructions above.  At step #4 I was prompted to recreate the key.  I did that and it allowed me to view the catalog contents.  When I then ran the restore, it failed with the below error.  I can't seem to get past this.  I have LTO-3 drives in a Quantum i40 library.

V-79-57344-33860 - An error occurred while scanning the catalogs. The job will not continue.

Check for the following:

 - low virtual memory conditions

 - a corrupt or truncated catalog

 - that the media you are restoring has not been overwritten

 

Doug_Dockter
Level 4

What I needed to do to get past this was delete the restore selection list.  I had deleted the restore job but not the selection list.

pkh
Moderator
Moderator
   VIP    Certified

Did you managed to get a successful restore.  If not, catalog the tape before running the restore.  The catalog job should be run at the DR site to read the contents of the tape before it can be restored.  I forgot about this step.

Doug_Dockter
Level 4

Yes all is working as you described now.  I appreciate your advice.  It was very helpful!  DR documents have been updated.  And a label with passphrase being put on each encrypted tape smiley ..... not!