VOX

thank you very much for the link, this is really useful.

so I can enable encryption on media server to encrypt the backup data on MSDP pool..right ?

does it requie license ?

Hi,

Yes you can ebable it on the MSDP pool. It does not require a license.

thanks a lot for help.

Pleasure

I have it on good authority that if encryption at rest is enabled in MSDP, then this results in what appears to MSDP to be new versions of de-duped segments - and so, if your pool is low on space - then you could very quickly run out of space.

Extrapolating this, says to me, that if your backup schedules are well established AND your used space is over 49% (assuming you still have the default HWM of 98%) then you run the very real risk of the MSDP filling up and going off-line - before the MSDP pool has had a chance to expire/remove dereferenced segments.

Hi SDO,

So basically all content would consider new, and won't dedupe? Have you seen this happen, any notes?

Well, my understanding is that, post enablement of encryption at rest - then de-dupe carries on as before - it's just that immediately after enabling encryption at rest (and restarting PureDisk) then any segments which may have previously been eligible for dedupe will not no longer match because they are now encrypted.  However, subsequent encrypted segments which do match will de-dupe.  I guess it's bit like having your MSDP pool fill up from new again.

Not actually seen it.  No notes.  Was warned about it verbally from a Symantec person, who also recommended (obvious now) that when considering enabling encryption at rest, that it should be done/actioned/implemented before using the MSDP pool in earnest.

Makes sense if you think about it. Thanks

And thinking further - this means that MSDP is going to experience increased workload (de-referencing) and increased IO (dereferencing and removing) - until all of the old unencrypted dereferenced segments have been removed... so an MSDP pool may appear to run slower - but any 'apparent' slowness cannot be solely attributed to the CPU impact of having enabled encryption - until all of the the old unencrypted segments have been expunged.  Only after this will any 'CPU' overhead of encryption become slightly clearer.

I have also been told that the CPU and RAM impact of enabling MSDP encryption at rest within a NetBackup Appliance is fairly low - because the CPUs encrypt in hardware - and because the segments and fingerprints are in RAM when encryption occurs.  As for the impact on other 'roll your own' installations of MSDP, no-one can comment, unless you check the server specs in detail.

hi SDO,

So you mean we should implement MSDP encryption before creating MSDP pool & then there will not be any impact on de-dupe ratio ,  no overburned on media server and no backup slowness issue ?

I have physical media server which has 2 octa core CPU , 2.6 GHZ , 256 GB RAM.

1) So you mean we should implement MSDP encryption before creating MSDP pool & then there will not be any impact on de-dupe ratio

Yes, but it's not so much about before "creating" the MSDP pool, it's more about before "using" the MSDP pool.

But remember, if you do enable encryption at rest AFTER the MSDP pool has ingested backup data, then after the last of the unencrypted segments have been expunged, then there shouldn't be any difference with de-dupe ratios.

2) no overburned on media server

I do not understand "overburned".  Please explain?

3) and no backup slowness issue ?

Apologies, I did not mean to imply that it "would" definitely go slower, just that it "might" or "might not" go slower for a while or forever.  In truth, I don't know.  If your server and environment and configuration are all top notch - then you may never notice any CPU or performance impact from enabling MSDP encryption at rest.

4) I have physical media server which has 2 octa core CPU , 2.6 GHZ , 256 GB RAM.

Sounds like it should be more than capable - but if the disk storage is slow, then MSDP disk IO will be slow.

Thanks a lot for clarity SDO. I will ensure to implment MSDP encryption before creating MSDP Pool.

I have only disk based backup option , So i wanted to be sure tha MSDP does de-dupe at best level.

2) no overburned on media server

I do not understand "overburned".  Please explain?

I wanted to say , will MSDP encryption put any kind of load on media server ?

One last thing -- if in case , encryption creates backup slowness issue and I have to remove it, is it possible to remove encryption?  if yes , then after removing it , encrypted data needs to first purge before unencrypted data gets backed up to get the best de-dupe ratio ?

Thanks a lot for clarity SDO. I will ensure to implment MSDP encryption before creating MSDP Pool.

• you're welcome.

I have only disk based backup option , So i wanted to be sure tha MSDP does de-dupe at best level.

2) no overburned on media server

I do not understand "overburned".  Please explain?

I wanted to say , will MSDP encryption put any kind of load on media server ?

• ah - overburden !

One last thing -- if in case , encryption creates backup slowness issue and I have to remove it, is it possible to remove encryption?  if yes , then after removing it , encrypted data needs to first purge before unencrypted data gets backed up to get the best de-dupe ratio ?

• yes, you can disable, and yes I would have thought that this will result in a similar situation, i.e. the unencrypted segments will no longer match to, and therefore not de-dupe agianst, the previously encrypted segments.

FYI - There is some good useful info re encryption, in this recently published doc:

https://www-secure.symantec.com/connect/articles/nbu-76-blueprint-security-feb-2015