cancel
Showing results for 
Search instead for 
Did you mean: 

enable duplicate to tape encryption

KG99
Level 2

I would like to see the function available to only do encryption on tapes.  My understanding from tech support is that to encrypt a duplicate to tape job I must first enable encryption on the deduplication store.  The data gets encrypted when backed up to the dedupe store and then the duplicate to tape backs up the encrypted data to tape.  I don't need the extra headaches associated with encryption when backing up to disk.  At I don't need the data encrypted on the dedupe store.  I only need the data encrypted on the tape.  I don't want to do backups directly to tape. 

My understanding is that this was available functionality in 2010 and was lost during the 2012 rewrite.

7 REPLIES 7

CraigV
Moderator
Moderator
Partner    VIP    Accredited

Hi,

 

Head to the Ideas section on the link below and add it in as an Idea...your post will be lost here!

https://www-secure.symantec.com/connect/backup-and-recovery/ideas

Thanks!

Nasharat_Maner
Level 4
Employee

Hi KG99,

Did you actually try doing this? It looks to be working. You can directly enable encryption on Tape for Duplicate Job.

 

Jaydeep_S
Level 6
Employee Accredited Certified

Try this -
1. In backup Exec click on the BE Icon on top left -> Configuration and Settings -> Backup Exec Settings -> Network and Security.
2. Setup a Encryption key.
3. Use this key on the Duplicate to Tape Stage.

Also make sure that you dont use Hardware encryption on this as it happens after encryption is performed and can result in data loss

Duplicate Stage to tape -

 

Main backup Stage to disk or Dedup -

KG99
Level 2

Yes.  I did try it.  That is how I know it doesn't work properly.  The encryption of the backup appears to work.  The problem is when you attempt a restore.

KG99
Level 2

Setting up encryption is fairly simple.  The problem is trying to restore from an encrypted tape.

Colin_Weaver
Moderator
Moderator
Employee Accredited Certified

I am going to more or less repeate the information I put in your previous post about this, just for completeness.

As far as I am aware if you do not need to encrypt the disk phase of your D2D2T process you don't have to even if you do want to encrypt the tape phase. This is independent of whether the disk phase is to B2D or DeDup.

With regards the problem where tapes encrypted with 2012 cannot be restored from but tapes created with 2010 can be, if you do not have a support case for this already then get one logged and then see if you can get it escalated to a more senior level for review.

One thing I would suggest is do a one off test with a tape you can overwrite, go straight to tape (not a D2D2T scenario) and use a completely different encryption key (so setup a test key using a different passphrase) and test a backup and restore with that.

If you are still running a key that existed before you upgraded I am wondering if something has corrupted the key within the system during the upgrade.

 

KG99
Level 2

UPDATE:

Symantec tech support has confirmed that restoring from an encrypted does not work for my environment at least. 

This did work in BE2010R3 which I upgraded from.

Still awaiting resolution from Symantec.  Going on 4 months.