09-10-2017 04:53 AM
Dear All
I have NetBackup 8.0 on Windows 2012 R2 and I am using MSDP as main storage and a tape library, "IBM Tape Library 3200 LTO4", and I need to encrypt the backup in MSDP and on tape using SLP.
Questions: do I need to add a hardware module to the tape library to support encryption or not?
Question 2: is it possible to have the backup image encrypted in 2 phases, "backup and duplication in SLP", and how?
09-10-2017 02:20 PM
You would need to check with the library vendor, though I think usually the library would need an encryption license if the library itself is managing the encryption keys. No hardware is required, it's built into LTO4 drives and above.
KMS (Key Management Service) is free with NBU, so this would be one way to encrypt the data. The other option is to use the library to manage the keys - the end result is the same. MSEO is NBU software encryption, I would not recommend this if KMS is available.
The answer to question 2 is 'yes' - you can encrypt just the 'copy to tape' part of your SLP.
With KMS, once configured within NBU, the master server sends the encryption keys to the tape drives. To encrypt data to a tape is very simple, you just configure a volume pool within NBU to be called ENCR_xxx and within KMS config, you create a Key Group with the same name.
For example, you might use: ENCR_myslp
Then, when you select the volume pool 'ENCR_myslp' to be used by the SLP (or a regular backup or duplication) the data will be encrypted.
This manual contains the details for KMS
https://www.veritas.com/support/en_US/article.000116407
If you work through the steps given, it shows how to set up KMS.
NOTE: NBU catalog backup does NOT back up the KMS encryption keys; you MUST (as per the guide) correctly export the keys. I highlight this part because people don't do it, lose the keys and then get locked out of all their data. If this happens it is 'lost'; Veritas has no backdoor to get it back.
The KMS files to back up are:
KMS_DATA.dat, KMS_HMKF.dat, and KMS_KPKF.dat files
Before doing this you must first quiesce the KMS database.
nbkmsutil -quiescedb - Required before copying KMS DB files
nbkmsutil -unquiescedb - Run this after copying the files
For obvious reasons, do not back up the encryption keys (contained in the files above) to an encrypted tape (yep, people do this as well ...). Make a copy to whatever media you like (USB key, CD etc ...) and put it in a firesafe if you have one. If not, I suggest taking it home and placing it under your pillow ... ;0)
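
The quiesce, copy, unquiesce sequence from the answer above as a PowerShell script; this is an added example, not part of the original post and not Veritas's own tooling. The nbkmsutil location and the directories holding the three .dat files are placeholders to fill in, the `-Destination` parameter and the `SHA256SUMS.txt` file name are assumptions, and the script assumes nbkmsutil returns a non-zero exit code on failure.

```powershell
# Added example. Every path below is a placeholder: set it for your master server.
param(
    [string]$NbKmsUtil = '<install_path>\nbkmsutil.exe',   # placeholder: where nbkmsutil lives
    [string[]]$KmsFiles = @(                                # placeholder directories
        '<kms_dir>\KMS_DATA.dat',
        '<kms_dir>\KMS_HMKF.dat',
        '<kms_dir>\KMS_KPKF.dat'),
    [Parameter(Mandatory)][string]$Destination              # offline media, never an ENCR_ tape
)
$ErrorActionPreference = 'Stop'

# Fail before touching the database if any key file is missing.
foreach ($f in $KmsFiles) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "Missing KMS file: $f" }
}
$target = Join-Path $Destination ('kms-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $target | Out-Null

& $NbKmsUtil -quiescedb
if ($LASTEXITCODE -ne 0) { throw "nbkmsutil -quiescedb failed with exit code $LASTEXITCODE" }

try {
    foreach ($f in $KmsFiles) {
        $name = Split-Path -Leaf $f
        $copy = Join-Path $target $name
        Copy-Item -LiteralPath $f -Destination $copy
        # Compare hashes so a truncated or corrupted copy is caught now, not at restore time.
        $src = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $dst = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if ($src -ne $dst) { throw "Hash mismatch for $copy" }
        Add-Content -Path (Join-Path $target 'SHA256SUMS.txt') -Value "$dst  $name"
    }
}
finally {
    # Always release the database, even when a copy or hash check failed.
    & $NbKmsUtil -unquiescedb
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "nbkmsutil -unquiescedb returned $LASTEXITCODE; KMS may still be quiesced"
    }
}
"KMS key files copied to $target"
```

The `finally` block is the point of the script: if the copy fails part-way, the KMS database is still unquiesced instead of being left locked.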