
Recommended Encryption option for NBU Appliance??

Tape_Archived (Moderator, VIP)

I think we have two options available to enable encryption on a NetBackup Appliance 5240. I am using the 5240 as a media server.

1. Local encryption provided by the appliance itself - Manage > Host > Deduplication > Encryption - Enable

2. Use KMS to create a key on the appliance media server; backups are encrypted using that key and controlled by the master server

Which option is recommended, or which do you prefer? Please share the pros and cons of either option with respect to performance and dedupe rate, and share your experience if you had to opt out of KMS or appliance encryption.


15 REPLIES

Tape_Archived (Moderator, VIP)

It seems the NBU Appliance forum is not followed by many of the VOX community members; they tend to look at the NetBackup forum even for appliance-related questions or issues.

Marianne (Moderator, Partner, VIP, Accredited Certified)

@Tape_Archived

You are correct - there is very little activity here from knowledgeable Appliance experts.

I will add my 2c with the following disclaimers:
1. I am not an Appliance expert
2. I am not an Encryption expert and have never been asked to assist with configuration.

IMHO - KMS is used for tape drives (LTO4 or later). So, if the customer has a requirement to have tapes encrypted, then KMS needs to be configured. 
There is a short section in the Appliance Security Guide:
https://www.veritas.com/content/support/en_US/doc/96220900-127024912-0/v97514945-127024912

As far as MSDP encryption is concerned, it will again come down to customer requirements - 'in flight' and/or 'at rest'. 

For 'in flight' encryption, I would look at this section in the Dedupe Guide: 
“To configure backup encryption on all client-side deduplication clients”.

If only 'at rest' MSDP encryption is required, I would look at:
“To configure backup encryption on a single host”.
Or option 1 in your opening post:
1. Local encryption provided by the appliance itself - Manage > Host > Deduplication > Encryption - Enable

HTH

Tape_Archived (Moderator, VIP)

Thanks for sharing the encryption details @Marianne

I ended up working with Support and gained significant details on the appliance encryption. It looks like KMS is the better option, with more control over keys and support for encryption standards. Also, Veritas seems more inclined towards KMS. 

The local encryption (at rest) on the appliance is AES-256 and it's totally managed by the appliance itself, without any control for the admin - https://www.veritas.com/content/support/en_US/doc/25074086-130388296-0/v95643059-130388296 

From 3.1.1 onwards the NetBackup Appliance is FIPS compliant, but read the ifs and buts before enabling it - https://www.veritas.com/content/support/en_US/doc/25074086-130388296-0/v130212944-130388296

We have had issues with spad and spoold after we enabled FIPS in 8.1.1. The storage server goes down when we run showdeduppassword on the appliance. Veritas is fixing this in 8.1.2. This is just FYI... 

jnardello (Moderator, VIP, Certified)

Of course if you go with KMS then you have to make sure you've got a backup method in place for the KMS database itself....

Something along the lines of this to at least get it off the primary location:

/usr/openv/netbackup/bin/admincmd/nbkmsutil -quiescedb
cp <all the KMS database files> /mynfsshare/backup/kms/
/usr/openv/netbackup/bin/admincmd/nbkmsutil -unquiescedb

Then once it's off there, you'll have to worry about how to make sure you store an UNENCRYPTED copy somewhere in case of DR - you don't want to end up with a chicken-or-the-egg scenario where you can't recover your images from tape without the KMS, but you can't recover your KMS without being able to read a tape.

Best of luck !
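The quiesce / copy / unquiesce sequence above, as an added example that is not jnardello's code and not Veritas' own tooling: a POSIX sh function that takes a consistent copy of the KMS database and, crucially, always releases the quiesce even when the copy fails, then writes checksums next to the copy so the DR set can be verified before anyone depends on it. Assumptions not stated in the thread: nbkmsutil is at /usr/openv/netbackup/bin/admincmd/nbkmsutil (as in the post above) and the KMS database directory is /usr/openv/kms/db; both are overridable through environment variables so the function can be exercised against stubs.

```shell
#!/bin/sh
# Added example, not from the original thread or from Veritas.
# Quiesce the NetBackup KMS database, copy its files to an alternate
# location, and unquiesce again even if the copy fails.
# Assumptions (not stated in the thread):
#   - nbkmsutil lives in /usr/openv/netbackup/bin/admincmd
#   - the KMS database directory is /usr/openv/kms/db
# Both can be overridden via the environment.

NBKMSUTIL="${NBKMSUTIL:-/usr/openv/netbackup/bin/admincmd/nbkmsutil}"
KMS_DB_DIR="${KMS_DB_DIR:-/usr/openv/kms/db}"

# backup_kms_db DEST
# Copies every file in $KMS_DB_DIR into DEST/kms-<timestamp>/ while KMS is
# quiesced, so no key change can land half-way through the copy.
# Prints the target directory and returns 0 on success.
backup_kms_db() {
    dest="$1"
    [ -n "$dest" ] || { echo "usage: backup_kms_db DEST" >&2; return 2; }
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    target="$dest/kms-$stamp"
    mkdir -p "$target" || return 1

    "$NBKMSUTIL" -quiescedb || { echo "quiesce failed" >&2; return 1; }
    rc=0
    cp -p "$KMS_DB_DIR"/* "$target"/ || rc=1
    # Always release the quiesce, whether or not the copy succeeded;
    # otherwise KMS stays read-only and key operations start failing.
    "$NBKMSUTIL" -unquiescedb || rc=1

    if [ "$rc" -eq 0 ]; then
        # Checksums travel with the copy so the offsite set can be
        # verified before it is trusted in a DR.
        (cd "$target" && sha256sum * > SHA256SUMS) || rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$target"
    return "$rc"
}
```

Point DEST at storage that is readable without NetBackup (an NFS export, removable media, a second site), not at a tape or MSDP pool that itself needs KMS to be read, or the chicken-and-egg situation jnardello describes is exactly what you get.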

sdo (Moderator, Partner, VIP, Certified)

NetBackup KMS has two methods to generate the encryption keys: 1) randomly, or 2) from pass-phrases.

If you use method 1) then if you lose the KMS database, all encrypted backup data is permanently lost forever. If you use this method then you *must* backup/copy/save your KMS database to an alternate (offsite too?) location.

If you use method 2) then if you lose the KMS database you can re-create the encryption keys from the pass-phrases - assuming you saved the pass-phrases somewhere (offsite too?). Also, note how if you use this method then you do not need to backup and copy your KMS database - because you can always re-create the KMS database from the pass-phrases - so you *must* save your pass-phrases somewhere.

See Martin's @mph999 recommendation here:

https://vox.veritas.com/t5/NetBackup/How-to-provide-our-own-keys-for-KMS-to-encrypt-data-rather-usin...

.

I recommend method 2 above.

.

So - how can you keep the (three) pass-phrases safe and secret and re-usable in a DR situation?

...my recommendation - get some tools and get punching... you will need:

1) at least six long-ish narrow-ish thin-ish strips of metal - that you will turn into dog-tags

2) a set of letter/number punches, upper case A to Z, and numbers 0 to 9

3) one hammer

4) one pair of safety glasses / goggles / squints

5) one drill plus a (10mm?) metal drill-bit

6) two key chain rings / holders

7) two good safes - one for local storage, one for DR storage

.

Procedure:

1) generate three random character pass-phrases, each of at least 32 characters

N.B: do *not* use 0 and O, do *not* use I and 1, do *not* use 5 and S - i.e. remove either 0 1 5 from your pass phrases - or remove O I S from your pass-phrases

(I can supply a VBscript, if you want, that can generate the random pass-phrases)

2) temporarily make a note of these pass phrases on paper

3) configure KMS from the pass-phrases, and test

4) test loss of KMS database, and re-creation of keys from pass-phrases, and test restore of previously encrypted backup data

...you now know that your phrases and process are good, so now save the pass-phrases as permanently as you can, as follows...

5) "engage safety squints" - I mean put your safety glasses / goggles on

6) punch the three phrases into the metal strips - make two sets of three (hence six strips of metal)

7) drill a hole into each metal strip

8) attach the strips to the rings to create two sets

9) get someone else to verify that the punched pass-phrases match your written notes

10) burn, or eat, your noted pass-phrases

11) store one set of punched pass-phrases in your local safe

12) store one set of punched pass-phrases in your DR safe

13) (there is no step 13)

14) it might be a good idea to now re-test using the punched pass-phrases

.

Overkill?  Really?  Proper peace of mind for a few $ and few hours effort.  But admittedly the safes might cost a bit.  Anyway, in five / ten years time, hopefully it will never happen, but maybe your colleagues/boss/CIO will be thanking you.

.

HTH.

good luck.
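Step 1 of the procedure above, as an added example that is not sdo's VBScript and not anything Veritas ships: a POSIX sh generator for the three pass-phrases, drawing from /dev/urandom with an alphabet that drops one member of each look-alike pair (O/0, I/1, S/5) so the punched tags can be read back without ambiguity, plus a checker to use on the fresh phrases and again when a colleague reads the punched tags back (step 9). Assumption: a Linux/Unix host with /dev/urandom; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Generates KMS pass-phrases as sdo
# describes: random, at least 32 characters, from an alphabet that can be
# punched into metal and read back unambiguously. Upper-case letters and
# digits only, minus O/0, I/1 and S/5 (one member of each look-alike pair).
# Randomness comes from /dev/urandom (assumption: a Linux/Unix host).
# 29 symbols give about 4.86 bits per character, so 32 characters is
# roughly 155 bits of entropy.

PASSPHRASE_ALPHABET='ABCDEFGHJKLMNPQRTUVWXYZ234679'   # no O 0 I 1 S 5

# kms_passphrase [LENGTH]  -> prints one pass-phrase (default 32 chars)
kms_passphrase() {
    len="${1:-32}"
    LC_ALL=C tr -dc "$PASSPHRASE_ALPHABET" < /dev/urandom | head -c "$len"
    echo
}

# check_passphrase PHRASE [MINLEN]
# Returns 0 if PHRASE has at least MINLEN characters and uses only the
# unambiguous alphabet. Use it on freshly generated phrases and again when
# the punched tags are read back, to catch transcription mistakes.
check_passphrase() {
    p="$1"; min="${2:-32}"
    [ "${#p}" -ge "$min" ] || return 1
    # Delete every allowed character; anything left over is a violation.
    rest=$(printf '%s' "$p" | LC_ALL=C tr -d "$PASSPHRASE_ALPHABET")
    [ -z "$rest" ]
}

# kms_passphrase_set N [LENGTH]  -> N phrases, one per line, each validated
kms_passphrase_set() {
    n="$1"; len="${2:-32}"; i=0
    while [ "$i" -lt "$n" ]; do
        p=$(kms_passphrase "$len")
        check_passphrase "$p" "$len" || return 1
        echo "$p"
        i=$((i + 1))
    done
}
```

Run `kms_passphrase_set 3` for the three phrases, write them on paper only for the duration of steps 2 to 10, and feed each punched tag back through `check_passphrase` before the paper is destroyed.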

andrew_mcc1 (Level 6, VIP)

All good advice, but I believe from NBU 7.7 onwards, whenever you create a key from a pass-phrase, a "salt" is also generated for FIPS compliance, which must be provided to recreate that key in addition to the pass-phrase and key tag. Also be aware the "salt" appears to be ~48 chars of random text; this rather suggests to me that a bulletproof and secure way to back up and copy the KMS database may be more attractive, especially if you have a lot of keys...

BR Andrew

sdo (Moderator, Partner, VIP, Certified)

Thank you @andrew_mcc1

Tape_Archived (Moderator, VIP)

I have marked 3 detailed explanations and suggestions as solutions regarding Appliance encryption so All can refer if they are looking for it.

@Tape_Archived thank you for mentioning this topic. 

Regarding MSDP encryption at rest, does it encrypt all the data (even the data backed up before enabling encryption)?

What I understand from the Veritas documentation is that it's encryption done while deduplicating. 

Which means it is done by the client before storing the data, or by the MSDP before duplicating data between MSDPs? 

What do you think? 

Thank you for helping

Tape_Archived (Moderator, VIP)

Regarding MSDP encryption at rest, does it encrypt all the data (even the data backed up before enabling encryption)? - No, only new backup data is encrypted; previous data remains unencrypted. 

What I understand from the Veritas documentation is that it's encryption done while deduplicating - That's correct. This is non-NetBackup-native encryption by the appliance itself and uses the CPU of the appliance to encrypt the data. The detailed process or steps can be found in the admin guide.

Which means it is done by the client before storing the data, or by the MSDP before duplicating data between MSDPs? - No, the client has no control here to encrypt the data on MSDP. Data is encrypted only after landing on the appliance. The NetBackup client encryption option is separately available, but enable only one encryption. I would prefer appliance or KMS encryption and not client encryption, as it adds extra operations on the client end.

Thanks @Tape_Archived for all this information. It is really appreciated. 

I have a doubt about what you call MSDP encryption.

Could you please check these links and tell me if we are talking about the same options? 

https://www.veritas.com/support/en_US/doc/25074086-127355784-0/v95643059-127355784

  • Backup encryption: the deduplication plug-in encrypts the data after it is deduplicated. The data remains encrypted during transfer from the plug-in to the NetBackup Deduplication Engine on the storage server.
  • Duplication and replication encryption: the deduplication plug-in on MSDP servers encrypts the data for transfer. The data is encrypted during transfer from the plug-in to the NetBackup Deduplication Engine on the target storage server and remains encrypted on the target storage.

https://www.veritas.com/content/support/en_US/doc/25074086-127355784-0/v100737577-127355784

We can enable encryption by modifying the pd.conf file. As mentioned by Veritas: "Do not enable backup encryption by selecting the Encryption option on the Attributes tab of the Policy dialog box. If you do, NetBackup encrypts the data before it reaches the plug-in that deduplicates it."
Dear all, 

I really need your help. 

The subject is really confusing for the whole team :D 

Could you please tell me how to activate MSDP encryption at rest? 

Thank you all
Marianne (Moderator, Partner, VIP, Accredited Certified)

@MManna25

Have you seen my post dated 08-22-2018? 

If only 'at rest' MSDP encryption is required, I would look at:
“To configure backup encryption on a single host”.
Or option 1 in your opening post:

1. Local encryption provided by the appliance itself - Manage > Host > Deduplication > Encryption - Enable
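For the question above about how to activate MSDP encryption at rest, and the pd.conf route quoted from the Dedupe Guide, here is an added example that is not Marianne's, not Veritas' code, and not an appliance CLI: POSIX sh functions that read and set a key in pd.conf idempotently and then confirm the file says ENCRYPTION = 1. Assumptions: the setting is the ENCRYPTION key in pd.conf (0 or 1, written as `KEY = VALUE`), the file lives at /usr/openv/lib/ova/pd.conf on the storage server or client-side deduplication host, and a commented-out `#ENCRYPTION = 0` line may be present; the path is overridable so the functions can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the thread or from Veritas. Enables MSDP backup
# encryption through pd.conf and checks the result.
# Assumptions: the key is ENCRYPTION (value 0 or 1, written "KEY = VALUE")
# and the file is /usr/openv/lib/ova/pd.conf; override PD_CONF to test on
# a copy. This is the deduplication plug-in setting, not the Encryption
# attribute on the policy (which is NetBackup client encryption and is what
# the Dedupe Guide says not to combine with it).

PD_CONF="${PD_CONF:-/usr/openv/lib/ova/pd.conf}"

# pd_conf_get FILE KEY  -> prints the value of the last active KEY line
# (commented lines are ignored), or nothing if the key is not set.
pd_conf_get() {
    awk -v k="$2" '
        $1 == k && $2 == "=" { v = $3 }
        END { if (v != "") print v }' "$1"
}

# pd_conf_set FILE KEY VALUE
# Rewrites an active or commented-out "KEY = ..." line in place, drops any
# duplicate, and appends the line if the key is absent. Keeps a
# timestamped backup so the previous configuration can be restored.
pd_conf_set() {
    f="$1"; k="$2"; v="$3"
    cp -p "$f" "$f.bak.$(date -u +%Y%m%dT%H%M%SZ)" || return 1
    tmp="$f.tmp.$$"
    awk -v k="$k" -v v="$v" '
        {
            line = $0
            sub(/^[ \t]*#[ \t]*/, "", line)      # look through a leading "#"
            split(line, fld, /[ \t]+/)
            if (fld[1] == k && fld[2] == "=") {
                if (!done) { print k " = " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " = " v }' "$f" > "$tmp" && mv "$tmp" "$f"
}

# enable_msdp_encryption [FILE]
# Sets ENCRYPTION = 1 and returns 0 only if the file now reads back as 1.
enable_msdp_encryption() {
    f="${1:-$PD_CONF}"
    pd_conf_set "$f" ENCRYPTION 1 || return 1
    [ "$(pd_conf_get "$f" ENCRYPTION)" = "1" ]
}
```

Two operational notes from the thread apply after the change: data already written stays unencrypted until it expires, and, as andrew_mcc1 points out below, encrypted segments do not dedupe against unencrypted ones, so expect the dedupe rate to dip until the old images age out.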

andrew_mcc1 (Level 6, VIP)

Related to this, I'm not sure it's a great idea to enable MSDP encryption for single clients, as data from those hosts will then not dedupe against similar data from other clients; this will reduce the overall dedupe rate, so more storage is used.

Similarly, enabling encryption at a storage server level (i.e. for all clients) after unencrypted backups have already been written will have the same effect; however, in this case you will tend to recover the additional storage once the original unencrypted backups expire and their corresponding blocks are released.

Just a thought... Andrew