what are the steps for using MSDP Encryption

Lev5240
Level 3

Hello,

We have a NetBackup Appliance 5240. I am trying to figure out the steps to configure MSDP encryption. I have read the "MSDP encryption" guide, and it says that by default MSDP encryption is disabled. You could modify pd.conf on the client in order to have encrypted backups.

1. So if I modify pd.conf on the client (/usr/openv/lib/ost-plugins/pd.conf) and add ENCRYPTION = 1, will the backups be encrypted on the host before being transferred to the MSDP on the 5240 appliance?

This option only works for the clients where you modify pd.conf.

2. I also read that if I want to enable MSDP encryption for all the hosts, I need to log in to the shell menu on the 5240 appliance and modify contentrouter.cfg. I am not sure what the full path of the contentrouter.cfg file is, how to access it, or what needs to be updated in that file. Can someone please list the steps needed to use MSDP encryption for all the backups?

 

Thank you.

 

 

 

Accepted Solution

jnardello
Moderator
VIP Certified

Excerpt from our build doc:

```sh
# Make absolutely sure encryption at rest and in transit is always enabled
PD_CONF=/usr/openv/lib/ost-plugins/pd.conf
# mktemp instead of a fixed, predictable file name in /tmp
ENCRYPT_TMP=$(mktemp /tmp/encrypt.XXXXXX) || exit 1
# One timestamp per run, so the second edit cannot overwrite the backup of the original file
PD_BACKUP=${PD_CONF}_$(date +"%m%d%y%H%M%S")
if grep -q "^ENCRYPTION = 0" "${PD_CONF}"; then
    echo Enabling encryption at rest.
    sed 's/^ENCRYPTION = 0/ENCRYPTION = 1/g' "${PD_CONF}" > "${ENCRYPT_TMP}"
    [ -f "${PD_BACKUP}" ] || cp -p "${PD_CONF}" "${PD_BACKUP}"
    # Write in place so pd.conf keeps its owner and permissions
    cat "${ENCRYPT_TMP}" > "${PD_CONF}"
fi
if grep -q "^OPTDUP_ENCRYPTION = 0" "${PD_CONF}"; then
    echo Enabling encryption in transit.
    sed 's/^OPTDUP_ENCRYPTION = 0/OPTDUP_ENCRYPTION = 1/g' "${PD_CONF}" > "${ENCRYPT_TMP}"
    [ -f "${PD_BACKUP}" ] || cp -p "${PD_CONF}" "${PD_BACKUP}"
    cat "${ENCRYPT_TMP}" > "${PD_CONF}"
fi
rm -f "${ENCRYPT_TMP}"
```

You could also do this via the CLISH if you want:

Settings-->Deduplication-->Tune ENCRYPTION enable
Settings-->Deduplication-->Tune OPTDUP_ENCRYPTION enable
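
An added example (not part of jnardello's build doc and not Veritas tooling): the script above only rewrites lines that read exactly `ENCRYPTION = 0` or `OPTDUP_ENCRYPTION = 0`, so a commented-out, missing or differently spaced line is left as it was. This check reports the effective state of both keys after the change. The function names are hypothetical, and it assumes pd.conf holds `KEY = VALUE` lines with `#` starting a comment.

```shell
#!/bin/sh
# Added example: report the effective state of the pd.conf encryption keys.
# Assumption: settings are "KEY = VALUE" lines; a leading '#' comments one out.

# pd_setting_state FILE KEY
# Prints one of: enabled | disabled | unset | ambiguous | unreadable
pd_setting_state() {
    file=$1
    key=$2
    [ -r "$file" ] || { echo unreadable; return 0; }
    # Values of every uncommented line for KEY, tolerating leading blanks,
    # any spacing around '=' and a trailing comment. Anchoring at the start
    # of the line keeps ENCRYPTION from matching OPTDUP_ENCRYPTION.
    values=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | sort -u)
    case "$values" in
        1)  echo enabled ;;
        0)  echo disabled ;;
        '') echo unset ;;       # no active line: commented out or absent
        *)  echo ambiguous ;;   # conflicting duplicates or an unexpected value
    esac
}

# pd_encryption_audit FILE
# Prints one line per key; returns 0 only when both keys are enabled.
pd_encryption_audit() {
    rc=0
    for k in ENCRYPTION OPTDUP_ENCRYPTION; do
        state=$(pd_setting_state "$1" "$k")
        echo "$k: $state"
        [ "$state" = enabled ] || rc=1
    done
    return $rc
}

# Constructed sample: one key in the exact form the sed script looks for,
# the other commented out (which the sed script would skip silently).
sample=$(mktemp) || exit 1
printf '%s\n' 'ENCRYPTION = 0' '#OPTDUP_ENCRYPTION = 1' > "$sample"
pd_encryption_audit "$sample" || echo "pd.conf needs attention"
rm -f "$sample"
```

On a real host, run `pd_encryption_audit /usr/openv/lib/ost-plugins/pd.conf`. It inspects the configuration file only and says nothing about whether data already stored in the MSDP pool is encrypted.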


smsaccet1
Level 4

To answer your first question:

This setting needs to be modified on the 5240 appliance, which would allow all clients' data to be stored in MSDP in encrypted format. If your appliance version is 2.7.x, it uses the Blowfish algorithm for the encryption. If it is 8.x, it uses AES 256/512 encryption.

Hello smsaccet1,

Thank you for your reply. Our appliance version is 3.1. What encryption algorithm will it use?

Also, which file do I need to update? Please specify the full path of the file, what needs to be updated, and whether anything needs to be restarted.

Also, how can I check whether my backups in the MSDP pool are actually getting encrypted after changing the above setting?

 

Thank you.

Were you able to get the commands for this?

Hello smsaccet1,

No, I haven't got any commands. Would you be able to help?

Thank you.
