04-05-2015 03:16 PM
Hi,
I am running a POC with Appliance 5230 installed as Master/Media with MSDP.
I enabled Encryption on the appliance: Main_Menu> Settings> Deduplication> Tune Encryption Enable.
Now, how do I ensure that images on the pool are encrypted, and how do I test that it is secured against an unauthorized restore to a distinct server/location?
I do see some files created under /disk/databases/catalog/number/client_host_name/policy_name/client-host-name_backup-timestamp_C1_F1.img
Should I also have keys stored somewhere?
04-06-2015 02:00 PM
OK here come the fun times.
First.
Get to a root prompt on the appliance. Since you have already said that the dbutil is not located where it is supposed to be I assume you know how to get there.
Next run /usr/openv/pdde/pdcr/bin/dcscan -a -h. This command will give you all the container headers, which contain the container number:
*** Header for container 64 ***
Now run /usr/openv/pdde/pdcr/bin/dcscan --so-data-format <Container number> and look for something like:
data format : [Blowfish Encrypted archive 256bit key LZO Compressed 8-byte input vector Streamable, v2, window size 143360 bytes]
If you just turned on encryption none of the previous images will be encrypted. Only backups taken since encryption was enabled will be encrypted, so you may need to iterate through all of the containers until you find the proper image.
Using dbutil would have made this easier but it appears to be the best I can come up with.
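One way to automate the container walk described above, as an added example that is not part of the original post: it assumes dcscan lives at the path given in the post, accepts the `-a -h` and `--so-data-format` options as shown, and prints header and "data format" lines in the quoted shape. Containers that report only plaintext segments were written before encryption was turned on.

```shell
#!/bin/sh
# Added example (not from the thread): audit every MSDP container for
# encrypted vs. plaintext segment objects using the dcscan calls quoted above.
# Assumption: DCSCAN path and options are exactly those the post shows.
DCSCAN=${DCSCAN:-/usr/openv/pdde/pdcr/bin/dcscan}

# Read "dcscan -a -h" output on stdin, print one container number per line.
container_ids() {
    sed -n 's/^\*\*\* Header for container \([0-9][0-9]*\) \*\*\*.*/\1/p'
}

# Read "dcscan --so-data-format <n>" output on stdin and count how many
# "data format" lines mention an Encrypted archive versus not.
summarize_formats() {
    enc=0
    plain=0
    while IFS= read -r line; do
        case "$line" in
            *"data format"*"Encrypted"*) enc=$((enc + 1)) ;;
            *"data format"*)             plain=$((plain + 1)) ;;
        esac
    done
    echo "encrypted=$enc plaintext=$plain"
}

# Walk all containers on the appliance and print a one-line summary each.
# A container showing plaintext>0 holds data written before encryption was
# enabled; a freshly written backup should show plaintext=0.
audit_containers() {
    "$DCSCAN" -a -h | container_ids | while read -r id; do
        summary=$("$DCSCAN" --so-data-format "$id" | summarize_formats)
        printf 'container %s: %s\n' "$id" "$summary"
    done
}
```

Run `audit_containers` from a root prompt on the appliance; the two helper functions can also be fed saved dcscan output for offline review.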
04-05-2015 08:52 PM
The images are encrypted "at rest", in other words on disk. If you restore them via NetBackup they will be unencrypted and the data will be available. What you need to ensure is no unauthorized access to the NetBackup system. You can achieve that with NetBackup Access Control.
04-06-2015 01:12 AM
Thanks for your input Riaan,
That means there is no key concept in this scenario. So in this case, any NetBackup client can initiate a restore if "NO Restriction" is in place?
Do you also have an idea why the "dbutil" command is missing in my environment (appliance 5230 v2.6.4)? I was following a Symantec note which says:
"
Use the dbutil command with the data object fingerprint to generate a list of segment objects (SO)
related to the data object fingerprint.
/usr/openv/pdde/pdcr/bin/dbutil -d <data object fingerprint (DO) >
"
But I don't see dbutil on said path...
BR,
Anuj
04-06-2015 03:02 AM
There is a key. It just is not on the client it is on the Media Server that manages the disk pool. When a call is made for the restore the media server unencrypts the data and sends it to the client. The encryption prevents someone breaking into your media server and copying the images to a USB then reading them with some tool that can read backup images.
As for the dbutil tool I believe that was removed in 2.6 since there are no DO and SO objects. Where were you reading about the dbutil tool?
04-06-2015 03:32 AM
Hi,
Yes, the data is encrypted when NetBackup puts it on disk, and when NetBackup gives it back to a client it's unencrypted. If someone would gain access to the appliance (somehow) and scp data from it, that data would be encrypted.
Not sure about the dbutil or what its supposed to do.
04-06-2015 07:48 AM
Hi Andrew,
I got an old whitepaper from the local Symantec presales team which indicates that we can use the "dbutil" command to get a list of SO (segment objects).
You said it creates a key, do you know its location on the appliance?
Sorry to bother you guys, but I was struggling a little hard to prove to my customer that data coming to the Appliance is encrypted and not only just deduplicated.
BR,
Anuj
04-06-2015 07:50 AM
Hi Riaan & Andrew... whitepaper sent to you as a private message..
04-06-2015 08:18 AM
The white paper covers 7.5 / 2.5 and you say you have 2.6.4 so dbutil will not be found on the appliance.
04-06-2015 02:06 PM
Thank you Mr M.
04-07-2015 04:25 AM
Please review this post for some background and things to keep in mind when enabling encryption.
https://www-secure.symantec.com/connect/forums/encryption-netbackup-and-dedupe-ratio
04-07-2015 01:51 PM
Many thanks Andrew & Riaan, I will execute what was suggested by Andrew tomorrow morning and will let you guys know how it helps...
Thanks again.. much appreciated :)