10-21-2014 10:03 PM
Hi,
I am in need of some assistance/guidance with KMS encryption. Recently, we have configured a test backup job with encryption using Key:
Environment
Netbackup Master Server version: 7.6.0.1
Volume Pool: ENCR_prod
Backup policy: Created 2 test policies, one for backing up policy type "MS-Windows" and the other "NDMP" with different sets of folders. Reason being, we wanted to test KMS capability to back up both normal Windows file shares and CIFS shares via NDMP backup.
To verify the backup images were encrypted, I checked the "Image on Tape" report via NBU Administration Console and I can see that the backed up images were encrypted with a unique key identifier on each tape media (under "Encryption Key Tag" column with 256 bit, 64 characters).
Question
How do we configure the volume pool (if possible) so that any available media can be used between encrypted/non-encrypted backup jobs? As we have had to define the volume pool specifically to use "ENCR_xxxx" as part of the KMS backup requirement, we had to manually assign separate media (tape, in our case) just to perform a particular backup selection, hence consuming additional tapes, which is not ideal in our situation.
From what I understand, Netbackup looks specifically at the volume pool with the prefix "ENCR_xxxx" when the backup job is initiated, and unless there is a tape assigned to the "ENCR_prod" pool in our case, the backup job will fail. Is there an alternate way (using KMS) to share both encrypted and non-encrypted backup jobs?
Any assistance is much appreciated.
Thank you.
10-22-2014 12:12 AM
How do we configure the volume pool (if possible) so that any available media can be used between encrypted/non-encrypted backup job?
You can create a Scratch pool and move all unassigned tapes to Scratch.
Any pool not having available media will draw from Scratch.
Any tape that originally came from Scratch will be returned to this pool when all images have expired.
10-22-2014 01:15 AM
Agree with Marianne
Netbackup can, without problems, re-use a tape that was previously encrypted, because it's the backup image that is encrypted and not the magnetic header on the tape.
Ensure all tapes in the scratch pool are at least LTO4 tapes. LTO3 and earlier have no built-in encryption.
10-22-2014 04:10 PM
Thank you both, Marianne and Nicolai, for your speedy response. Sorry, I did not make my question clearer. What I wanted to find out was, is there a way that Netbackup can utilise the same tape to write encrypted and non-encrypted backup jobs before it is ejected from the tape library?
For example, would Netbackup 7.6 be able to perform the following 4 backup policies using the same tape (e.g. ABC123) with mixed policy types and with encrypted and un-encrypted data, assuming that each backup is a "Full" backup job and the total amount of all data would fit onto a single tape?
Media: ABC123
Job#1
Client name: Server01A
Policy Type "MS-Windows" (Encrypted backup)
Job#2
Client name: Server01B
Policy Type "MS-Windows" (Un-encrypted backup)
Job#3
Client name: Server01A
Policy Type "Standard" (Encrypted backup)
Job#4
Client name: Server01B
Policy Type "Standard" (Un-encrypted backup)
Clarification, please?
From what I understand, we would require a minimum of 2 tapes from the example above? One tape to write the encrypted data (Job #1 & Job #3) and another tape to write the un-encrypted data (Job #2 & Job #4) regardless of the policy type because in the "Client Attributes" tab for each backup policy, we need to define a specific "Volume Pool" for the data to be written to.
For encrypted backup job using KMS, we would need to create a volume pool starting with the prefix "ENCR_xxxx" and for the un-encrypted backup job, we would need to define another volume pool, so that when the backup job is initiated, if it does not see the volume pool with the prefix "ENCR_xxxx" it will not encrypt the data.
So in short, would it be safe to say that we cannot use a single tape to write encrypted and unencrypted data using KMS method?
10-22-2014 06:04 PM
10-23-2014 12:22 AM
So in short, would it be safe to say that we cannot use a single tape to write encrypted and unencrypted data using KMS method?
Yes, you are right. A tape can be encrypted or not encrypted but not mixed.