01-30-2013 11:59 PM
Hi All,
How can we protect the backup with encryption. Please share the methods and Also let me know whether enabling the encryption in policy attributes is suffice in netback?
Thanks,
Solved! Go to Solution.
02-12-2013 04:16 AM
This is your problem:
BMR is also a form of ''Collect disaster recovery...'
You cannot use this option and Encryption together.
The one disables the other.
01-31-2013 12:23 AM
hi,
the best way is to start with the NetBackup 7.5 Security and Encryption Guide.
http://www.symantec.com/business/support/index?page=content&id=DOC5185
White paper
http://www.symantec.com/business/support/index?page=content&id=TECH73132
below T/N also give some idea about it
http://www.symantec.com/business/support/index?page=content&id=TECH56759
http://www.symantec.com/business/support/index?page=content&id=TECH150643
01-31-2013 12:53 AM
Second last TN in Nagalla's post is a step-by-step guide: http://www.symantec.com/docs/TECH56759
01-31-2013 01:13 AM
I would recommend using Netbackup KMS feature. KMS enables tape drive encryption based on the T10 encryption standard. LTO4 and up are supported. Some Oracle StoragTek tape drives are also support T10.
The use of Netbackup KMS is almost transparent (the volume pool must have a ENCR_ prefix) from the Netbackup side and does not affect backup/restore performance. The KMS feature does not require a license - it part of the base license.
http://www.symantec.com/docs/TECH67972
http://www.symantec.com/docs/HOWTO46814
http://www.symantec.com/docs/HOWTO46848
01-31-2013 04:54 AM
Hey Nagalla and all,
Thanks for the valuable information.........
I have one query if backup encryption and decyption information is stored in keyfile.dat (if i am not mistaken) from inbuilt backup encrypion.... If backup is taken how would restoration happen. How would Master know that decrytion is in keyfile.dat file. This question might be silly.
01-31-2013 05:20 AM
Before making any decision based on encryption, it is always important to check the hardware compatibility list to make sure your environment is capable.
01-31-2013 05:29 AM
hi Belse,
i am not sure how netbackup knows about the keyfile.dat, at the time of restore,
i guess its becasue of the corresponding cipher file with the Image.
below is copy form T/N
http://www.symantec.com/business/support/index?page=content&id=TECH56759
"Note the presence of the cipher file. One of the most frequently asked questions is "How can one tell whether a backup is encrypted or not?" In an encrypted backup, every file will have a corresponding cipher. Here is another example from an encrypted backup from a different policy:"
/opt/encrypted_backups # tar -tf <client>_1199915090_C1_F1.1199915090.img
10741237766 10726067164 //
10741240125 10741240125 //tmp/
10741240126 10741240126 /.EnCrYpTiOn_CiPhEr.0
10740472477 10740472477 //tmp/.dcs.<client>:0.dcgtlock
10741240126 10741240126 /.EnCrYpTiOn_CiPhEr.1
10740472477 10741237763 //tmp/.dcs.<client>:0.37dd79
10741240126 10741240126 /.EnCrYpTiOn_CiPhEr.2
10740472477 10740472477 //tmp/.dcs.<client>:0.utillock
10741240126 10741240126 /.EnCrYpTiOn_CiPhEr.3
01-31-2013 01:12 PM
Don't get fixated on the keyfile.dat file. Client encryption is either enabled in the policy or it is not. It's that simple.* Check the policy - is the checkbox enabling encryption checked? If so, restores will look for the keyfile and use it to decrypt the backup when you're restoring. If it isn't there, the backup will fail - this is demonstrated in that outstanding TechNote some guy wrote a million years ago.
*(Well, it's not THAT simple - as mentioned previously in the thread, client encryption isn't the only way to result in encrypted backups - you can buy a KMS license, you can buy MSEO, and there's probably some hardware solutions I know nothing about)
02-08-2013 07:27 AM
Lots of great info. Belse, dont forget to mark the solution.
02-12-2013 03:18 AM
02-12-2013 03:20 AM
Need to clarify that when creating a policy it shows me encryption greyed out.... Pls help..
02-12-2013 03:32 AM
What is the Policy type?
Do you have 'Collect disaster recovery...' selected?
Please show us screenshot.
Are you aware of the fact that NBU 6.x reached EOSL in Oct 2012?
02-12-2013 03:52 AM
1-Policy type is Ms-Windows NT
2-Collect disaster recovery intelligent disaster recovery option just below the encryption is also greyed out.
3-Screen shot is not available as Master server is getting rebuit.
4-No
02-12-2013 03:58 AM
Pls find the screenshot.
02-12-2013 04:16 AM
This is your problem:
BMR is also a form of ''Collect disaster recovery...'
You cannot use this option and Encryption together.
The one disables the other.
02-12-2013 04:42 AM
Dear Marianne,
Thanks so much so nice of you ................ :)