10-02-2012 09:00 AM
I would like to see the function available to only do encryption on tapes. My understanding from tech support is that to encrypt a duplicate to tape job I must first enable encryption on the deduplication store. The data gets encrypted when backed up to the dedupe store and then the duplicate to tape backs up the encrypted data to tape. I don't need the extra headaches associated with encryption when backing up to disk. At I don't need the data encrypted on the dedupe store. I only need the data encrypted on the tape. I don't want to do backups directly to tape.
My understanding is that this was available functionality in 2010 and was lost during the 2012 rewrite.
10-02-2012 12:39 PM
Hi,
Head to the Ideas section on the link below and add it in as an Idea...your post will be lost here!
https://www-secure.symantec.com/connect/backup-and-recovery/ideas
Thanks!
10-04-2012 04:38 AM
Hi KG99,
Did you actually try doing this? It looks to be working. You can directly enable encryption on Tape for Duplicate Job.
10-04-2012 05:08 AM
Try this -
1. In backup Exec click on the BE Icon on top left -> Configuration and Settings -> Backup Exec Settings -> Network and Security.
2. Setup a Encryption key.
3. Use this key on the Duplicate to Tape Stage.
Also make sure that you dont use Hardware encryption on this as it happens after encryption is performed and can result in data loss
Duplicate Stage to tape -
Main backup Stage to disk or Dedup -
10-04-2012 05:21 AM
Yes. I did try it. That is how I know it doesn't work properly. The encryption of the backup appears to work. The problem is when you attempt a restore.
10-04-2012 05:23 AM
Setting up encryption is fairly simple. The problem is trying to restore from an encrypted tape.
10-04-2012 05:25 AM
I am going to more or less repeate the information I put in your previous post about this, just for completeness.
As far as I am aware if you do not need to encrypt the disk phase of your D2D2T process you don't have to even if you do want to encrypt the tape phase. This is independent of whether the disk phase is to B2D or DeDup.
With regards the problem where tapes encrypted with 2012 cannot be restored from but tapes created with 2010 can be, if you do not have a support case for this already then get one logged and then see if you can get it escalated to a more senior level for review.
One thing I would suggest is do a one off test with a tape you can overwrite, go straight to tape (not a D2D2T scenario) and use a completely different encryption key (so setup a test key using a different passphrase) and test a backup and restore with that.
If you are still running a key that existed before you upgraded I am wondering if something has corrupted the key within the system during the upgrade.
01-10-2013 07:46 AM
UPDATE:
Symantec tech support has confirmed that restoring from an encrypted does not work for my environment at least.
This did work in BE2010R3 which I upgraded from.
Still awaiting resolution from Symantec. Going on 4 months.