Second last TN in Nagalla's post is a step-by-step guide: http://www.symantec.com/docs/TECH56759

DOCUMENTATION: More about the NetBackup Encryption Option - detailed demonstration of encrypted backups, restores, disaster recovery and troubleshooting

I would recommend using Netbackup KMS feature. KMS enables tape drive encryption based on the T10 encryption standard. LTO4 and up are supported. Some Oracle StoragTek tape drives are also support T10.

The use of Netbackup KMS is almost transparent (the volume pool must have a ENCR_ prefix)  from the Netbackup side and does not affect backup/restore performance. The KMS feature does not require a license - it part of the base license.

http://www.symantec.com/docs/TECH67972

http://www.symantec.com/docs/HOWTO46814

http://www.symantec.com/docs/HOWTO46848

Hey Nagalla and all,

Thanks for the valuable information.........

I have one query if backup encryption and decyption information is stored in keyfile.dat (if i am not mistaken) from inbuilt backup encrypion.... If backup is taken how would restoration happen. How would Master know that decrytion is in keyfile.dat file. This question might be silly.

Before making any decision based on encryption, it is always important to check the hardware compatibility list to make sure your environment is capable.

http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/76...

hi Belse,

i am not sure how netbackup knows  about the keyfile.dat, at the time of restore,  

i guess its becasue of the corresponding cipher file with the Image.

below is copy form T/N

http://www.symantec.com/business/support/index?page=content&id=TECH56759

"Note the presence of the cipher file.  One of the most frequently asked questions is "How can one tell whether a backup is encrypted or not?"  In an encrypted backup, every file will have a corresponding cipher.  Here is another example from an encrypted backup from a different policy:"

/opt/encrypted_backups # tar -tf  <client>_1199915090_C1_F1.1199915090.img 

10741237766 10726067164 //
10741240125 10741240125 //tmp/
10741240126 10741240126 /.EnCrYpTiOn_CiPhEr.0
10740472477 10740472477 //tmp/.dcs.<client>:0.dcgtlock
10741240126 10741240126 /.EnCrYpTiOn_CiPhEr.1
10740472477 10741237763 //tmp/.dcs.<client>:0.37dd79
10741240126 10741240126 /.EnCrYpTiOn_CiPhEr.2
10740472477 10740472477 //tmp/.dcs.<client>:0.utillock
10741240126 10741240126 /.EnCrYpTiOn_CiPhEr.3

Don't get fixated on the keyfile.dat file.  Client encryption is either enabled in the policy or it is not.  It's that simple.*  Check the policy - is the checkbox enabling encryption checked?  If so, restores will look for the keyfile and use it to decrypt the backup when you're restoring.  If it isn't there, the backup will fail - this is demonstrated in that outstanding TechNote some guy wrote a million years ago.

*(Well, it's not THAT simple - as mentioned previously in the thread, client encryption isn't the only way to result in  encrypted backups - you can buy a KMS license, you can buy MSEO, and there's probably some hardware solutions I know nothing about)

Lots of great info.  Belse, dont forget to mark the solution.

Need to clarify that when creating a policy it shows me encryption greyed out.... Pls help..

What is the Policy type?

Do you have 'Collect disaster recovery...' selected?

Please show us screenshot.

Are you aware of the fact that NBU 6.x reached EOSL in Oct 2012?

1-Policy type is Ms-Windows NT

2-Collect disaster recovery intelligent disaster recovery option just below the encryption is also greyed out.

3-Screen shot is not available as Master server is getting rebuit.

4-No

Pls find the screenshot.

Dear Marianne,

Thanks so much so nice of you ................ :)