cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

Tape encryption on NetBackup 5200 appliances

Go to solution
Ryan_VDW
Level 3
Partner

‎04-18-2012 05:41 AM

Hello

We are configuring a pair of NetBackup 5200 appliances as a Master Server / Media Server pair. They share an LTO5 tape library.

In the Appliance documentation (page 73) it mentions that the NetBackup appliance supports LTO drives which are capable of encryption and that the tapes are automatically encrypted.

If this is the case then how do I set/find out what the encryption key is so that I can perform restores of the tapes to a standalone restore environment?

Thanks

Ryan

0 Kudos
Reply
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
NB_BCE_Adkisson
Level 3
Employee

‎04-26-2012 01:48 PM

http://www.symantec.com/docs/TECH76495

 

Page 7 shows a table with "Functionality," the "Minimum Appliance Release," and applicable "Notes."

Functionality = NBU Master/Media Server

Min. Appliance Release = 2.0

Notes = Key Management Service (KMS) and NetBackup Access Control (NBAC) are not supported when the Appliance is configured as a Master Server.

 

Functionality = Key Management Service (KMS)

Min. Appliance Release = 1.1.0.1

Notes = Supported when the Appliance is configured as a Media Server only. KMS cannot be administrated by a NetBackup Appliance. A non-Appliance Master
Server is required to administrate KMS with devices connected to a NetBackup Appliance.

 

Functionality = Media Server Encryption Option (MSEO)

Notes = There are no plans to support this feature.

 

Based on the above, it looks like you'd need a non-appliance Master to admin KMS and MSEO if not an option for the appliances.

View solution in original post

0 Kudos
Reply
4 REPLIES 4

Go to solution
Jeff_Foglietta
Level 5
Partner Accredited Certified

‎04-18-2012 06:40 AM

Prettty sure the MSEO is built into the appliance. See the MSEO Admin guide for steps to configure and manage the encryption keys..

"Backup images can be shared and decrypted by other MSEO-enabled media servers if the key pairs and key groups originally used to encrypt the tape are exported to the other MSEO Security Servers."

0 Kudos
Reply

Go to solution
Ryan_VDW
Level 3
Partner

‎04-18-2012 08:14 AM

Hi Jeff

Thanks for the quick response. The appliances do not appear to have any options in the menu system to access the encryption setup. I want to find out if one is  is supposed to go into the support linux shell in order to carry out the standard KMS installation instructions. There is just no guidance in the manuals.

Thanks and regards

Ryan

0 Kudos
Reply

Go to solution
NB_BCE_Adkisson
Level 3
Employee

‎04-26-2012 01:48 PM

http://www.symantec.com/docs/TECH76495

 

Page 7 shows a table with "Functionality," the "Minimum Appliance Release," and applicable "Notes."

Functionality = NBU Master/Media Server

Min. Appliance Release = 2.0

Notes = Key Management Service (KMS) and NetBackup Access Control (NBAC) are not supported when the Appliance is configured as a Master Server.

 

Functionality = Key Management Service (KMS)

Min. Appliance Release = 1.1.0.1

Notes = Supported when the Appliance is configured as a Media Server only. KMS cannot be administrated by a NetBackup Appliance. A non-Appliance Master
Server is required to administrate KMS with devices connected to a NetBackup Appliance.

 

Functionality = Media Server Encryption Option (MSEO)

Notes = There are no plans to support this feature.

 

Based on the above, it looks like you'd need a non-appliance Master to admin KMS and MSEO if not an option for the appliances.

0 Kudos
Reply

Go to solution
Chad_Wansing2
Level 5
Employee Accredited Certified

‎05-08-2012 09:20 PM

Ok, so, YES you can do tape encryption with the appliances.  That being said, we now have to talk about the HOW.  So, as stated above the appliances don't yet support MSEO or KMS but that doesn't necessarily keep you from using drive encryption on your shiny new drives.  Most drive/library manufacturers have a key management system that's admittedly a bit more robust than what you get for free from KMS (KMS doesn't do key replication for instance).  I would suggest setting up their solution for key management and using the appliances for what they're best at: 1) guaranteed performance and 2) ease of use.

I know our product folks are looking at the possibilities of working in both KMS and MSEO in future releases, but not sure where they stand in the overall priority.  If this is a big deal for you, I would definitely reach out to your account team and make sure they tell the product folks that you need this functionality.  It's input from our customers that really helps us drive what gets prioritized for our products!

 

 

0 Kudos
Reply