
Encryption option on Appliance 5230

Anuj_Kr
Level 4
Partner Accredited

Hi,

I am running with a POC with Appliance 5230 installed as Master/Media with MSDP.

I enable Encryption on appliance: Main_Menu> Settings> Deduplication> Tune Encryption Enable.

Now, how do I ensure that images on the pool are encrypted, and how do I test that it is secured against an unauthorized restore to a different server/location?

 

I do see some file created under  /disk/databases/catalog/number/client_host_name/policy_name/client-host-name_backup-timestamp_C1_F1.img

Should I also have keys stored somewhere?

1 ACCEPTED SOLUTION


Andrew_Madsen
Level 6
Partner

OK here come the fun times. 

First. 

Get to a root prompt on the appliance. Since you have already said that dbutil is not located where it is supposed to be, I assume you know how to get there. 

Next run /usr/openv/pdde/pdcr/bin/dcscan -a -h. This command will give you all the container headers, which contain the container number:

*** Header for container 64 ***

Now run /usr/openv/pdde/pdcr/bin/dcscan --so-data-format <Container number> and look for something like:

data format    : [Blowfish Encrypted archive 256bit key LZO Compressed 8-byte input vector Streamable, v2, window size 143360 bytes]

If you just turned on encryption, none of the previous images will be encrypted. Only backups taken since encryption was enabled will be encrypted, so you may need to iterate through all of the containers until you find the proper image.

Using dbutil would have made this easier, but this appears to be the best I can come up with.  

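As an added example (not from the thread, and not a Veritas tool), here is a small POSIX shell script that wraps the two dcscan invocations Andrew describes and sweeps every container, reporting which ones hold encrypted data. It assumes the dcscan path and the "*** Header for container N ***" / "data format : [...]" output shown in the post; everything else is an assumption. The fake_dcscan function and its sample lines are constructed so the script runs offline, and the format string it prints for the unencrypted container is invented (the real wording may differ). On the appliance, run it as root with DCSCAN pointing at the real binary; a mix of plain and encrypted containers is expected if encryption was switched on after the first backups ran.

```shell
#!/bin/sh
# Added example, not part of the original thread: sweep MSDP containers with
# dcscan (as described in the accepted answer) and report which are encrypted.
#
# Assumptions (not confirmed by the thread):
#   - dcscan lives at /usr/openv/pdde/pdcr/bin/dcscan and is run as root
#   - "dcscan -a -h" prints lines like "*** Header for container 64 ***"
#   - "dcscan --so-data-format N" prints a "data format : [...]" line that
#     contains "Encrypted archive" when the container was written with
#     encryption enabled
# fake_dcscan and its output below are constructed for offline use only.

DCSCAN="${DCSCAN:-/usr/openv/pdde/pdcr/bin/dcscan}"

# Pull container numbers out of header output read from stdin.
container_ids() {
    sed -n 's/^\*\*\* Header for container \([0-9][0-9]*\) \*\*\*.*$/\1/p'
}

# Classify one "data format" line: encrypted, plain, or unknown (no line found).
classify_format() {
    case "$1" in
        "")                    echo unknown ;;
        *"Encrypted archive"*) echo encrypted ;;
        *)                     echo plain ;;
    esac
}

# Constructed stand-in for dcscan so the sweep runs without an appliance.
# Container 63 predates enabling encryption (its format line is invented);
# container 64 repeats the encrypted format line quoted in the thread.
fake_dcscan() {
    case "$1" in
        -a)
            printf '*** Header for container 63 ***\n'
            printf '*** Header for container 64 ***\n' ;;
        --so-data-format)
            case "$2" in
                63) echo 'data format    : [Archive LZO Compressed Streamable, v2, window size 143360 bytes]' ;;
                64) echo 'data format    : [Blowfish Encrypted archive 256bit key LZO Compressed 8-byte input vector Streamable, v2, window size 143360 bytes]' ;;
            esac ;;
    esac
}

# sweep <dcscan-command>: prints "<container> <state>" for every container.
sweep() {
    cmd="$1"
    "$cmd" -a -h | container_ids | while read -r id; do
        fmt=$("$cmd" --so-data-format "$id" | grep -i 'data format' || true)
        echo "$id $(classify_format "$fmt")"
    done
}

# count_encrypted <dcscan-command>: number of containers reported as encrypted.
count_encrypted() {
    sweep "$1" | grep -c ' encrypted$' || true
}

# Use the real binary when present, otherwise the constructed stand-in.
if [ -x "$DCSCAN" ]; then
    sweep "$DCSCAN"
else
    sweep fake_dcscan
fi
```

The sweep only proves that data written after encryption was enabled is stored encrypted; it says nothing about who may restore it, which is governed by NetBackup access control, not by the on-disk format.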

11 REPLIES

RiaanBadenhorst
Moderator
Partner    VIP    Accredited Certified

The images are encrypted "at rest", in other words on disk. If you restore them via NetBackup they will be unencrypted and the data will be available. What you need to ensure is no unauthorized access to the NetBackup system. You can achieve that with NetBackup Access Control.

Anuj_Kr
Level 4
Partner Accredited

Thanks for your input Riaan,

   That means there is no key concept in this scenario. So in this case, any NetBackup client can initiate a restore if "No Restriction" is in place?

    Do you also have an idea why the "dbutil" command is missing in my environment (appliance 5230 v2.6.4)? I was following a Symantec note which says:

"

Use the dbutil command with the data object fingerprint to generate a list of segment objects (SO)
related to the data object fingerprint.
/usr/openv/pdde/pdcr/bin/dbutil -d <data object fingerprint (DO) >

"

 

But I don't see dbutil on the said path...

 

BR,

Anuj

Andrew_Madsen
Level 6
Partner

There is a key. It just is not on the client; it is on the Media Server that manages the disk pool. When a call is made for the restore, the media server decrypts the data and sends it to the client. The encryption prevents someone breaking into your media server, copying the images to a USB drive and then reading them with some tool that can read backup images.

As for the dbutil tool, I believe that was removed in 2.6 since there are no DO and SO objects. Where were you reading about the dbutil tool?

RiaanBadenhorst
Moderator
Partner    VIP    Accredited Certified

Hi,

 

Yes, the data is encrypted when NetBackup puts it on disk, and when NetBackup gives it back to a client it's unencrypted. If someone were to gain access to the appliance (somehow) and scp data from it, that data would be encrypted.

 

Not sure about dbutil or what it's supposed to do.

Anuj_Kr
Level 4
Partner Accredited

Hi Andrew,

   I got an old whitepaper from the local Symantec presales team which indicates that we can use the "dbutil" command to get a list of SO (segment objects).

   You said it creates a key; do you know its location on the appliance?

    Sorry to bother you guys, but I was struggling a little hard to prove to my customer that data coming to the Appliance is encrypted and not just deduplicated.

 

BR,

Anuj

Anuj_Kr
Level 4
Partner Accredited

Hi Riaan & Andrew... whitepaper sent to you as a private message.

Andrew_Madsen
Level 6
Partner

The white paper covers 7.5 / 2.5 and you say you have 2.6.4 so dbutil will not be found on the appliance. 


sdo
Moderator
Partner    VIP    Certified

Thank you Mr M.

RiaanBadenhorst
Moderator
Partner    VIP    Accredited Certified

Please review this post for some background and things to keep in mind when enabling encryption.

https://www-secure.symantec.com/connect/forums/encryption-netbackup-and-dedupe-ratio

Anuj_Kr
Level 4
Partner Accredited

Many thanks Andrew & Riaan. I will execute what Andrew suggested tomorrow morning and will let you guys know how it helps...

 

Thanks again, much appreciated :)