03-26-2015 02:38 AM
hi Team,
If I enable encryption option within policy, does it impact the de-dupe ratio of the data which gets backed up on MSDP pool? if yes , which encryption I should choose to aviod de-dupe ratio impact?
Regards
Brits
Solved! Go to Solution.
03-26-2015 02:46 AM
Hi,
Yes it does impact it severly. See the note, you can configure MSDP encryption.
http://www.symantec.com/docs/HOWTO89126
This would provide encryption at rest though, the data would be unencrypted when it goes over the wire.
03-26-2015 02:46 AM
Hi,
Yes it does impact it severly. See the note, you can configure MSDP encryption.
http://www.symantec.com/docs/HOWTO89126
This would provide encryption at rest though, the data would be unencrypted when it goes over the wire.
03-26-2015 03:07 AM
thank you very much for the link, this is really useful.
so I can enable encryption on media server to encrypt the backup data on MSDP pool..right ?
does it requie license ?
03-26-2015 03:08 AM
Hi,
Yes you can ebable it on the MSDP pool. It does not require a license.
03-26-2015 03:28 AM
thanks a lot for help.
03-26-2015 03:46 AM
Pleasure
03-26-2015 04:48 AM
I have it on good authority that if encryption at rest is enabled in MSDP, then this results in what appears to MSDP to be new versions of de-duped segments - and so, if your pool is low on space - then you could very quickly run out of space.
Extrapolating this, says to me, that if your backup schedules are well established AND your used space is over 49% (assuming you still have the default HWM of 98%) then you run the very real risk of the MSDP filling up and going off-line - before the MSDP pool has had a chance to expire/remove dereferenced segments.
03-26-2015 04:55 AM
Hi SDO,
So basically all content would consider new, and won't dedupe? Have you seen this happen, any notes?
03-26-2015 05:11 AM
Well, my understanding is that, post enablement of encryption at rest - then de-dupe carries on as before - it's just that immediately after enabling encryption at rest (and restarting PureDisk) then any segments which may have previously been eligible for dedupe will not no longer match because they are now encrypted. However, subsequent encrypted segments which do match will de-dupe. I guess it's bit like having your MSDP pool fill up from new again.
Not actually seen it. No notes. Was warned about it verbally from a Symantec person, who also recommended (obvious now) that when considering enabling encryption at rest, that it should be done/actioned/implemented before using the MSDP pool in earnest.
03-26-2015 05:46 AM
Makes sense if you think about it. Thanks
03-26-2015 06:09 AM
And thinking further - this means that MSDP is going to experience increased workload (de-referencing) and increased IO (dereferencing and removing) - until all of the old unencrypted dereferenced segments have been removed... so an MSDP pool may appear to run slower - but any 'apparent' slowness cannot be solely attributed to the CPU impact of having enabled encryption - until all of the the old unencrypted segments have been expunged. Only after this will any 'CPU' overhead of encryption become slightly clearer.
I have also been told that the CPU and RAM impact of enabling MSDP encryption at rest within a NetBackup Appliance is fairly low - because the CPUs encrypt in hardware - and because the segments and fingerprints are in RAM when encryption occurs. As for the impact on other 'roll your own' installations of MSDP, no-one can comment, unless you check the server specs in detail.
03-26-2015 07:42 AM
hi SDO,
So you mean we should implement MSDP encryption before creating MSDP pool & then there will not be any impact on de-dupe ratio , no overburned on media server and no backup slowness issue ?
I have physical media server which has 2 octa core CPU , 2.6 GHZ , 256 GB RAM.
03-26-2015 09:43 AM
1) So you mean we should implement MSDP encryption before creating MSDP pool & then there will not be any impact on de-dupe ratio
Yes, but it's not so much about before "creating" the MSDP pool, it's more about before "using" the MSDP pool.
But remember, if you do enable encryption at rest AFTER the MSDP pool has ingested backup data, then after the last of the unencrypted segments have been expunged, then there shouldn't be any difference with de-dupe ratios.
2) no overburned on media server
I do not understand "overburned". Please explain?
3) and no backup slowness issue ?
Apologies, I did not mean to imply that it "would" definitely go slower, just that it "might" or "might not" go slower for a while or forever. In truth, I don't know. If your server and environment and configuration are all top notch - then you may never notice any CPU or performance impact from enabling MSDP encryption at rest.
4) I have physical media server which has 2 octa core CPU , 2.6 GHZ , 256 GB RAM.
Sounds like it should be more than capable - but if the disk storage is slow, then MSDP disk IO will be slow.
03-26-2015 10:00 AM
Thanks a lot for clarity SDO. I will ensure to implment MSDP encryption before creating MSDP Pool.
I have only disk based backup option , So i wanted to be sure tha MSDP does de-dupe at best level.
2) no overburned on media server
I do not understand "overburned". Please explain?
I wanted to say , will MSDP encryption put any kind of load on media server ?
One last thing -- if in case , encryption creates backup slowness issue and I have to remove it, is it possible to remove encryption? if yes , then after removing it , encrypted data needs to first purge before unencrypted data gets backed up to get the best de-dupe ratio ?
03-26-2015 10:49 AM
Thanks a lot for clarity SDO. I will ensure to implment MSDP encryption before creating MSDP Pool.
I have only disk based backup option , So i wanted to be sure tha MSDP does de-dupe at best level.
2) no overburned on media server
I do not understand "overburned". Please explain?
I wanted to say , will MSDP encryption put any kind of load on media server ?
One last thing -- if in case , encryption creates backup slowness issue and I have to remove it, is it possible to remove encryption? if yes , then after removing it , encrypted data needs to first purge before unencrypted data gets backed up to get the best de-dupe ratio ?
03-26-2015 11:18 AM
03-30-2015 09:46 AM
FYI - There is some good useful info re encryption, in this recently published doc:
https://www-secure.symantec.com/connect/articles/nbu-76-blueprint-security-feb-2015