Encryption key check

gopi_enovate
Level 4

Hi,

We have configured software encryption for our servers.

Files can be restored from the client and file restores from a few servers work from the master too.
We are not sure if there is a mismatch between encryption password set between master and media server.

Can we assume that the encryption password is the same if the digest key phrase is the same for master server and the client?

Regards,
Gopi.

Accepted Solutions

Marianne
Moderator

Excellent TN with details, screenshots, etc.. etc..:

DOCUMENTATION: More about the NetBackup Encryption Option - detailed demonstration of encrypted backups, restores, disaster recovery and troubleshooting 
http://www.symantec.com/docs/TECH56759

sdo
Moderator

If you have the time, please could you provide a little more detail regarding how the encryption was configured, and where - as there are quite a few places/stages within NetBackup where different types of encryption can be configured and/or enabled - and it's not exactly clear what area of NetBackup encryption you are referring to. Thank you.

gopi_enovate
Level 4

Thanks for your reply.

I'm talking about the software encryption in the policy attribute.
After creating the policy, an encryption passphrase is created on the client using

bpkeyutil -client <client_name>

And the same has been set in master server.

sdo
Moderator

Ok - AFAIK the encryption key for NetBackup Client is only ever stored on the client. And so, only clients with the same encryption key can ever be restored to. This will dictate that someone carefully manages and records the use of client side encryption key pass-phrases.

This TN:

https://support.symantec.com/en_US/article.TECH203420.html

...entitled: "NetBackup Encryption and Key Management Solutions", says this about CE (Client Encryption) on page 3:

"CE uses the most recently generated key to encrypt the data, while all keys can be used for restores. A unique identifier, based on the checksum of the encryption key and the specified cipher (e.g., AES256), is stored in the key file and on the tape. NetBackup reads this identifier off the tape during the restore and sends it to the client. The client matches the identifier to the appropriate encryption key and uses the encryption key to decrypt the data. "

This explains the purpose of 'key digest' that you query.

As a side note, are you aware that using Client Encryption will mean that:

1) The backup client data will very likely not de-dupe very well against any other client's data - unless they use the same client side pass-phrase/key.

2) Any backups, or duplications, from this client to tape will not compress at the tape head - and so, if the use of client side encryption is widespread, and you back up or duplicate to tape, then your tape media consumption could increase by anything from 30% to 100%.

3) There are also implications for increased LAN and/or WAN network bandwidth utilisation for any use of NetBackup AIR to replicate the client's backup data.
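
The identifier matching described in the TN quote above, as an added example that is not part of the original post and is not NetBackup's own code. It is a conceptual Python model: the SHA-256 digest, the passphrase-to-key step and the `KeyFile` class are assumptions, since the page does not give the real checksum algorithm or key file format.

```python
import hashlib
import hmac

def key_id(cipher: str, key: bytes) -> str:
    """Identifier from cipher name + key. SHA-256 is an assumption, not NetBackup's algorithm."""
    return hashlib.sha256(cipher.encode() + b"\x00" + key).hexdigest()[:16]

class KeyFile:
    """Hypothetical stand-in for a client key file: all keys kept, newest last."""

    def __init__(self):
        self.entries = []  # list of (identifier, cipher, key)

    def add_key(self, cipher: str, passphrase: str) -> str:
        # Assumed derivation: key = SHA-256(passphrase). Illustrative only.
        key = hashlib.sha256(passphrase.encode()).digest()
        ident = key_id(cipher, key)
        self.entries.append((ident, cipher, key))
        return ident

    def current(self):
        # "CE uses the most recently generated key to encrypt the data"
        return self.entries[-1]

    def find(self, ident: str):
        # "all keys can be used for restores": search every stored key
        for entry in self.entries:
            if hmac.compare_digest(entry[0], ident):
                return entry
        return None

def backup_header(keyfile: KeyFile) -> dict:
    """What gets recorded with the backup image: the identifier, never the key."""
    ident, cipher, _ = keyfile.current()
    return {"key_id": ident, "cipher": cipher}

def can_restore(keyfile: KeyFile, header: dict) -> bool:
    """A client can decrypt only if it holds a key whose identifier matches."""
    return keyfile.find(header["key_id"]) is not None

if __name__ == "__main__":
    # Constructed passphrases, for illustration only.
    client = KeyFile()
    client.add_key("AES256", "constructed-passphrase-1")
    image = backup_header(client)
    client.add_key("AES256", "constructed-passphrase-2")   # key rotation
    other = KeyFile()
    other.add_key("AES256", "some-other-passphrase")
    print("original client:", can_restore(client, image))  # old key still held
    print("other client:   ", can_restore(other, image))   # no matching key
```

In this model, two hosts report the same identifier only when both the cipher and the key match, and a host that has rotated its passphrase can still restore older images because the old entry stays in its key file.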

sdo
Moderator

It would seem to me that the use case for Client Encryption is rather limited... to situations where a network link cannot be trusted, or the risks of a wire-tap or network sniffing have serious implications to the business data being protected by backups.  Use of client side encryption is quite rare within a data centre, i.e. where clients, backup servers, LAN and SAN switching, source storage arrays and backup storage are all located within the same access controlled site.

If your intention is to ensure that backup data is encrypted at rest (i.e. on backup target disk, or on tape) then other methods (i.e. NetBackup features for encryption) may prove more useful, more practical, more efficient, and less cumbersome to manage.

gopi_enovate
Level 4

Thanks everyone for your replies.