Backup Exec Security Blogs

Backup software not only secures and protects your data, but it must also safeguard its own operating data. For Backup Exec, some sensitive data such as logon credentials, device passwords and data encryption keys are persisted in the Backup Exec Database. It is of the utmost importance that these are protected from unauthorized access.

The Backup Exec Database and the database backup file (.bak) are located in a folder under the Backup Exec installation directory, which is protected by operating system ACLs so that unauthorized access is prevented. The restriction on the folder is set such that only Administrators, Backup Operators and System have access to it. However, once the Backup Exec Database or the database backup file is moved off the Backup Exec server, those access controls no longer apply, which makes that data vulnerable to attacks. It is important that the sensitive contents of the database remain secure even when the ACLs are not protecting them.
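An added example, not from the original post or from Symantec: a PowerShell audit of the restriction described above, reporting any Allow entry on the database folder or its .bak files for a principal other than Administrators, Backup Operators or SYSTEM. The `-Path` value is supplied by the reader (the post does not give the folder name), and `Get-UnexpectedAccess` is a hypothetical helper name.

```powershell
# Added example: audit the ACL described above. Nothing here is a Backup Exec cmdlet.
param(
    [Parameter(Mandatory)]
    [string]$Path   # assumption: the folder holding the database and .bak files
)

# Well-known SIDs for the three principals the article names.
$allowed = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
}

function Get-UnexpectedAccess {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    # Ask for SIDs rather than names so localized or renamed groups still match.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($allowed.ContainsKey($sid)) { continue }
        # Resolve to a name for the report; orphaned SIDs stay as the raw SID.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            Path      = $Target
            Identity  = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Check the folder itself, then each database backup file inside it, since a
# file with broken inheritance can carry entries the folder does not.
$findings = @(Get-UnexpectedAccess -Target $Path)
Get-ChildItem -LiteralPath $Path -Filter '*.bak' -File | ForEach-Object {
    $findings += @(Get-UnexpectedAccess -Target $_.FullName)
}

if ($findings.Count -eq 0) {
    Write-Output "Only Administrators, Backup Operators and SYSTEM are granted access under $Path"
} else {
    $findings | Format-Table -AutoSize
}
```

Running the same script against any location a .bak copy has been moved to shows how far that copy's ACL has drifted from the one on the Backup Exec server.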

Backup Exec 15 has increased the level of security in protecting its database by using an enhanced encryption algorithm. Backup Exec 15 does this by encrypting only the sensitive contents of the Backup Exec Database using AES-256 encryption. This means that only a few selected tables of data are encrypted thereby minimizing any performance impacts to the overall operation of Backup Exec.

To avoid the weakness of user-supplied passphrases, Backup Exec 15 automatically generates a unique and strong database encryption key (DEK) for each Backup Exec server. The DEK is generated during installation, so no user intervention is required. When you upgrade to Backup Exec 15, encryption is automatically enabled for any sensitive tables.

The encryption keys are located on the Backup Exec server and are protected using operating system ACLs. Symantec recommends that the DEK not be stored together with the Backup Exec Database when you perform backups. For this reason, Backup Exec automatically excludes DEK files from being backed up. Instead, Backup Exec 15 provides you with an option to export the DEK to an external storage location such as a USB device or a network share. The key can be imported back into the system whenever the Backup Exec Database needs to be recovered from a failure or when migrating to a different Backup Exec server.

Symantec recommends that the DEK be refreshed frequently and secured in an offsite location, in accordance with your organization's policies.

We hope this is useful information about the Backup Exec database security and welcome your feedback.

1 Comment

Hi,

Is there any PowerShell command to export the key (and save the path into GUI) via script? I'm planning a big deployment of tens of clients and it would help.

Thanks