
Cannot implement client encryption on Bare Metal Restore (BMR)

RickyLee1
Level 2

Dear Sirs,

We have installed the NetBackup Enterprise Server 7.6.1.2.

My organization needs to implement encryption for the backup. We need to turn on the encryption option. Then we tried one of the solutions, called 'Client Encryption'.

We can turn on encryption on the file-based policy by clicking the encryption check-box on the server after installing the encryption key on the client.

However, for the WINOS policy, we use Bare Metal Restore (BMR). We noticed that the encryption check-box is disabled when the bare metal restore check-box is clicked.

Please advise us how to solve the encryption problem on BMR so that we can implement client encryption on NetBackup.

Regards,

Ricky

sdo
Moderator

Those two client side features are mutually exclusive by logic and by design... because a BMR recovering client cannot know who it itself will become until after the restore has begun, i.e. it would be foolish for a backup product to send the key to the client as part of the BMR recovery process.  Do you see how it could never be made to work safely and still be automated, as you will always need a key on the client side?

.

Please explain why you think you need to use "client based encryption" ?

.

FYI - normally backup data is encrypted at rest - within an enterprise storage device.

If you must have client side backup data encrypted over a public shared WAN link and also require BMR, then you may well need to deploy network crypto devices at your entry and exit points of the WAN... or maybe place a NetBackup MSDP disk pool locally, close to the client, and then use MSDP OptDup encryption to replicate the backup using encrypted data over a WAN link.

We have a backup client containing the confidential folders. This client is not on the public shared WAN link. We need to ensure this client can be restored with BMR recovery.

These confidential folders will be backed up to tape and the tape may need to be stored off-site. Therefore, the folders should be encrypted to ensure the data are stored on tape in confidential mode.

Client based encryption is chosen because it is relatively easy to implement.

The encryption on the client side does not adversely affect our client performance.

It does not have much impact on our backup server.

As far as I know, we are not much concerned about hardware components such as tape drive replacement in client based encryption.

I have two questions to ask.

1) If the clients contain confidential folders, will it be possible to back up the data safely (e.g. with encryption) in BMR mode?

2) Can I solve the problem by using tape drive encryption with the KMS?

 

mph999
Level 6
Employee Accredited

I would recommend KMS.

Really, BMR is for restoring only the operating system, then following that, data should be restored from a normal backup. So, you could BMR the OS, unencrypted, and then have a KMS encrypted backup of the confidential data.

Nicolai
Moderator

I am with Martin.

If you want a simple encryption solution, use tape based hardware encryption (AKA NetBackup KMS).

The only requirement is the use of LTO4 or newer tape drives plus a tiny bit of NetBackup configuration.

Client side encryption is weak - only 56 bit, whereas KMS uses AES 256 bit encryption.

Let's check my understanding.

I can use BMR to back up the OS with the confidential folder included in the exclusion list.

At the same time, I use another policy to back up only the confidential folders using KMS tape-based encryption.

If I need to restore the whole client, I restore the OS using BMR.

After that, I restore the folders, using KMS to decrypt them.

Am I right?

What are the other advantages of using KMS encryption? I have checked the client encryption. It seems that it can encrypt using AES 256 bit encryption, as the attached diagram shows.

If encryption using KMS is not complex, we can implement encryption using this option.

Are there any good documents on how to implement it?


Thank you all for your support !

Nicolai
Moderator

Client encryption and KMS are two different ways to encrypt data.

Client encryption, as the name indicates, takes place on the client and thus will use a lot of CPU cycles.

KMS encrypts data at the tape drive level using hardware.

You are right, it seems client encryption now supports stronger encryption. Good to see.

An overview of the encryption options in NetBackup can be found at:

https://www.veritas.com/support/en_US/article.000076284   (Encryption and NetBackup performance)

Backing the OS up without encryption, and backing the sensitive folder up with client side encryption, is a possibility. Or you can just back up everything to tape using KMS encryption; BMR does not care, since KMS is a transparent encryption option.

sdo
Moderator

There are some example NetBackup KMS config commands at the end of the read-me text file here:

https://vox.veritas.com/t5/forums/searchpage/tab/message?q=mhvtl%20script&collapse_discussion=true

sdo
Moderator

With NetBackup KMS, everything remains the same except two things (well maybe three things):

1) To achieve encrypted tape media, then you must use a tape pool name beginning with these five characters "ENCR_", i.e. ENCR plus an underscore.

2) And totally transparent to anything else in NetBackup is... that NetBackup KMS will talk in "SCSI T10" protocol to the LTO4/5/6/7/8+ tape drives and tell any tape drive mounting a tape from an "ENCR_*" pool, i.e. the "tape head" to encrypt using the hardware encryption chips inside the tape drive itself.  There is approximately a 1% (one percent) negative throughput performance impact from using NetBackup KMS.  It is this low because the encryption is done in hardware just at the point that the tapes are written.  With NetBackup KMS leveraging SCSI T10 in LTO4/5/6/7/8+ then the encryption is not performed in software.

.

3) This is a really really important question to ask yourself... How will you manage the encryption keys?  If you are not comfortable answering this question yourself, then my advice would be to escalate the question.  Here's the best advice that you will ever get regarding encryption... ready... really ready?      ;p     Get your key management procedures in place *before* you start using encryption.  Yes, it is your "technical problem" to get encryption in place, but it is someone else's "business problem" to get business administrative procedures in place for "encryption key management".
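As an added illustration of point 1 above (this is not code from the thread or from Veritas), a small POSIX shell audit that flags volume pools named with the "ENCR_" prefix for which no KMS key group exists. It assumes, as a labelled assumption, that each encrypted pool needs a KMS key group of exactly the same name; the pool and key group lists are constructed sample data rather than real `vmpool`/`nbkmsutil` output.

```shell
#!/bin/sh
# Added example, not part of the original thread. Checks NetBackup volume
# pool names against the KMS "ENCR_" naming convention and reports any
# encrypted pool with no matching key group.
# ASSUMPTION (not stated on the page): the KMS key group name must equal
# the volume pool name, so a pool without a same-named key group would
# fail when a tape is mounted for writing.

# is_encr_pool NAME -> exit 0 if NAME begins with the five characters "ENCR_"
is_encr_pool() {
    case "$1" in
        ENCR_*) return 0 ;;
        *)      return 1 ;;
    esac
}

# kms_audit POOLS KEYGROUPS
#   POOLS and KEYGROUPS are newline-separated lists of names.
#   Prints one line per ENCR_ pool lacking a same-named key group.
#   Returns 1 if any such pool was found, 0 if every ENCR_ pool is covered.
kms_audit() {
    pools=$1
    groups=$2
    rc=0
    for p in $pools; do
        is_encr_pool "$p" || continue      # plain pools are not encrypted: skip
        found=0
        for g in $groups; do
            [ "$g" = "$p" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "MISSING key group for encrypted pool: $p"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data: two encrypted pools, one plain pool, one key group.
# On a real master server these would come from `vmpool -listall -b` and
# `nbkmsutil -listkgs` instead.
SAMPLE_POOLS="ENCR_Offsite
ENCR_Confidential
DataStore"
SAMPLE_KEYGROUPS="ENCR_Offsite"

if kms_audit "$SAMPLE_POOLS" "$SAMPLE_KEYGROUPS"; then
    echo "every ENCR_ pool has a key group"
fi
```

Run it before the first encrypted backup: a pool reported as MISSING would be written with no key available, which is exactly the key management gap point 3 warns about.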