
How to check backups are encrypted in NetBackup MSDP pool

RaghavTuppathi
Level 3

Good day 

Please advise, I have enabled encryption in the MSDP pool, but need to verify if the backups are encrypted or not?

TIA

5 REPLIES

sdo
Moderator
Partner    VIP    Certified

davidmoline
Level 6
Employee

Raghav

What @sdo has supplied should ensure that encryption is enabled, although by the sounds of it you have already done this. 

Unfortunately, due to how encryption is enabled in MSDP, it is not a simple task to determine if everything is encrypted. This is because the encryption is done at the segment level, not full disk encryption. The only sure way to determine if a backup is encrypted would be to use the dcscan command to verify every segment (and this is not really practical, nor is it something I would encourage a customer to do).

The other thing to note is that if you enable encryption after you have started using MSDP, then only new data segments (not backups) will be encrypted. Existing segments do not change from being unencrypted. So for an existing backup that deduplicates say 90%, only the 10% of new changed blocks will be encrypted, the remaining 90% will remain unencrypted. There is no current sensible way to alter this (the only way I know at present is to empty the MSDP and start again).

Cheers
David

Hi David 

I used the dcscan command to check the encryption for a client within the policy, but I need a report for all clients where it shows the backup is encrypted, and this is for audit purposes.

Are you aware of any OpsCenter reports which can provide this info?

 

TIA

sdo
Moderator
Partner    VIP    Certified

Can I ask for further clarity / detail please:

1) I used dcscan command to check the encryption for a client within the policy.

You seem to be confusing "Appliance encryption at rest" with "backup policy encryption" - these two "encryption options" are completely separate and unconnected in any way, shape or form. Indeed, if you apply "backup policy encryption" then you might as well not use MSDP in an Appliance, because "backup policy encryption" effectively binary randomises the backup data and utterly defeats dedupe. And I thought dcscan was a low level Appliance storage tool to check the consistency and validity of proprietary containers. I don't know whether dcscan reveals whether encryption at rest is "on" within the Appliance in general, or "on" for specific containers, or parts (contents) of containers... but either way... "backup policy encryption" probably won't show up in a dcscan, but it would show up as a flag on a detail image list.

2) but I need a report for all clients where it shows backup is encrypted and this is for Audit purpose.

This is not possible from "Appliance encryption at rest".

3) are you aware of any opscenter reports which can provide this info ?

There is no such option to report whether "segments of fragments of images" are encrypted at rest within an Appliance - because "Appliance encryption at rest" is a low level feature hidden away from NetBackup and hidden away from OpsCenter.

@sdo is correct. There is no OpsCenter report, and no easy way to verify that the data at rest in the MSDP storage is encrypted (the only auditable way would be to verify every segment).

One could say this is a missing feature - if you think it needs adding, I'd suggest you complain to your account team. 

One last reminder: MSDP encryption, if set, works a treat (there is minimal storage penalty using it). However, as I mentioned before, if you turn this feature on when the pool is partially populated, only new data segments will be encrypted. Existing data in the pool will remain unencrypted. The only way to ensure the entire pool is encrypted is to empty it.

IMHO, the inability to encrypt data already in a pool is a missing feature which should be added. If you need it please make sure your account team knows that you are unhappy about how this all works (or doesn't).