01-11-2012 11:15 PM
Environment
Veritas Netbackup Server = 7.1
OS of Veritas Netbackup Server = Win2008
AGENDA
I have a successful backup on the Tape Cartridge1. This Backup is not Encrypted.
My question:
Is that possible that I can encrypt the backup images when I duplicate the Backup Images from Tape Cartridge1 to Tape Cartridge2 ? So I have Encrypted Backup Images on Tape Cartridge2 only.
Solved! Go to Solution.
01-12-2012 02:05 AM
If you use LTO encryption (KMS) the destination tape pool can encrypted enabled. You need to use the "-dp <destination pool name>" using bpdupliacte.
Check the manual of how to configure KMS.
01-12-2012 12:12 AM
bpduplicate does not have 'encrypt' option:
C:\> bpduplicate -help
bpduplicate: -npc <new primary copy> -backupid <backup id> [-local] [-client <name>]
bpduplicate: [-dstunit <destination storage unit label>[,<stunit-copy2>,...,<stunit-copyn>]]
[-p] [-pb] [-PM] [-PD] [-v] [-local] [-client <name>]
[-Bidfile <file_name>]
[-st <sched_type>] [-sl <sched_label>] [-L <output_file> [-en]]
[-dp <destination pool name>[,<poolname-copy2>,...,<poolname-copyn]]
[-owner <media_share_grp>[,<share_grp-copy2>,...,<share_grp-copyn]]
[-shost <source host>]
[-policy <name>] [-s mm/dd/yyyy HH:MM:SS] [-e mm/dd/yyyy HH:MM:SS]
[-pt <policy_type>] [-hoursago <hours>]
[[-cn <copy number>] | [-primary]]
[-M master_server] [-altreadhost <hostname>]
[-backupid <backup_id>] [-id <media_id>]
[-rl <retention_level>[,<rl-copy2>,...,<rl-copyn>]]
[-fail_on_error <0 | 1>[,...,<0 | 1>]] [-mtd <MByte threshold>]
[-mpx] [-priority <number>] [-number_copies <number>]
[-set_primary <copy_index>] [-bc_only] [-granular_proxy <hostname>]
[-dcn <destination copy number 1>[,<dcn-copy2>,...,<dcn-copyn>]]
Valid values for sched_type:
FULL, INCR, CINC, UBAK, UARC, NOT_ARCHIVE
Valid values for policy_type:
Standard, Proxy, Non-Standard, Apollo-wbak,
Oracle, Any, Informix-On-BAR, Sybase,
MS-SharePoint, MS-Windows-NT, NetWare,
DataTools-SQL-BackTrack, Auspex-FastBackup,
MS-Windows, OS/2, MS-SQL-Server, MS-Exchange-Server,
SAP, DB2, NDMP, FlashBackup, Split-Mirror,
AFS, DFS, DataStore, Lotus-Notes, Teradata,
OpenVMS, MPE/iX, FlashBackup-Windows,
BE-MS-SQL-Server, BE-MS-Exchange-Server,
Macintosh, Disk Staging, NBU-Catalog,
Generic, CMS-Database, PureDisk-Export,
Enterprise-Vault
Valid values for copy_index:
0 = do not change primary copy(default)
1 = 1st new copy will be primary
2 = 2nd new copy will be primary ...
n = nth new copy will be primary
01-12-2012 02:05 AM
If you use LTO encryption (KMS) the destination tape pool can encrypted enabled. You need to use the "-dp <destination pool name>" using bpdupliacte.
Check the manual of how to configure KMS.
01-12-2012 03:26 AM
Does KMS is licensed option ?
01-12-2012 04:10 AM
KMS is part of the base Netbackup installation
http://www.symantec.com/docs/HOWTO46814
The NetBackup Key Management Service (KMS) feature is included as part of the NetBackup Enterprise Server and NetBackup Server software. An additional license is not required to use this functionality
Installation: http://www.symantec.com/docs/TECH67972
01-12-2012 04:25 AM
Correct if I am wrong
In KMS the Netbackup Client, Master and Media Server dont have any load to encrypt the Data and the Data encryption done on the Tape Cartridge directly.
Second : in your suggested solution the non encrypted backup Images on Tape Cartridges can be Duplicate to the Destination Tape Cartridge and the Destination Tape Cartridge will be in the Volume Pool where any Tape Cartridge Encrypt the backup
01-12-2012 04:51 AM
It's the tape drive that does the encryption. Tape drive need to support the T10 standart (LTO4,LTO5 does).
Second: Yes, Netbackup check if the volume pool conatain the keyword ENCR_ if it does, it ask the drive to enable encryption and encryption keys are exchanged between the tape drive and Netbackup.
01-12-2012 05:02 AM
hmmm So all the Keys managed by Netbackup. Thanks all for your kind words. I am marking your post as solution :)
01-12-2012 05:21 AM
Thanks for marking as a solution.
Do some KMS recover test before putting into production.Loosing the KMS database means you loose all backup as well. You need to take additional steps to protect the KMS database. This is covered in the Netbackup documentation.
01-17-2012 10:34 PM
Thanks for your kind follow-up on my query. Yes I will let you know when I will start this work. I will take around 2days to start work. Thanks again