cancel
Showing results for 
Search instead for 
Did you mean: 

How to configure NetBackup Client Encryption Option

Harry_An
Level 3

i am working to enable client encrption in our backup environment and found a link https://www.veritas.com/support/en_US/article.TECH72130 in veritas support site.

there are five steps to enable client encryption base on the document.

How to configure NetBackup Client Encryption Option :
1.  Push the encryption binaries to the client using the following command on the master
2. Install the license keys for encryption on the master server.
3. Create an encryption key file on the client by running the following command on the client
4. On Netbackup administration console In the policy under the Attributes tab there is a selection for Encryption that determines if the backup will be encrypted. Check the check box.
5. In the NetBackup Administration Console, Expand NetBackup Management > Host Properties > Clients, double click to launch client properties window. Click on  "Encryption" and Configure this client to be enabled for encryption.

but i don't understand the step 2 "install the license keys ..." , What license do i need to enable client encryption?
there is no additional license required to enable client encryption in my understanding.

Please hlep me to have a correct information.

Thanks in advance.
Harry

1 ACCEPTED SOLUTION

Accepted Solutions

sdo
Moderator
Moderator
Partner    VIP    Certified

Q1) Do we need to configure any configuration in Tape device to use KMS encryption? if needed, please let me know article for me.

A1) No special configuration of tape library or tape drives is required.  All that needs to be done is to configure NetBackup KMS, which also means the creation of a new tape media pool, and then to also re-configure either one or all of:  policies, schedules, SLPs... to use the new "ENCR_MYPOOL" pool name.  There are several very good posts in this forum on how to configure KMS.

.
Q2) Is there performance issue in master or client server? is encryption performed by tape device?

A2) Not on the master, nor on the media server, nor on the client.  There is a performance penalty at the tape drive head, of about 0.5% average to 1% maximum performance penalty impact.  Some would consider this performance penalty to be negligible.

View solution in original post

5 REPLIES 5

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified
In older versions of NetBackup, Client Encryption was separately licensed. Since NBU 6.5 this feature is included in Standard Client license. If you have added your Standard Client license key(s) on the master you can skip to the next step.

Nicolai
Moderator
Moderator
Partner    VIP   

You should serious consider going for the Netbackup KMS tape based encryption.

http://www.veritas.com/docs/000037336

The client based encryption is software based and only 56 bit. NBU KMS uses built-in hardware in LTO4 and newer and using AES256.

Harry_An
Level 3

Dear  Nicolai,


Thanks for your information.
We are using "HP StorageWorks 1/8 G2 LTO-4 Ultrium 1760 SCSI Autoloader"  and it's should be a best option we can choose.


However i would like to know following.
- Do we need to configure any configuration in Tape device to use KMS encryption? if needed, please let me know article for me.
- Is there performance issue in master or client server? is encryption performed by tape device?


Thanks again.
Harry

sdo
Moderator
Moderator
Partner    VIP    Certified

Q1) Do we need to configure any configuration in Tape device to use KMS encryption? if needed, please let me know article for me.

A1) No special configuration of tape library or tape drives is required.  All that needs to be done is to configure NetBackup KMS, which also means the creation of a new tape media pool, and then to also re-configure either one or all of:  policies, schedules, SLPs... to use the new "ENCR_MYPOOL" pool name.  There are several very good posts in this forum on how to configure KMS.

.
Q2) Is there performance issue in master or client server? is encryption performed by tape device?

A2) Not on the master, nor on the media server, nor on the client.  There is a performance penalty at the tape drive head, of about 0.5% average to 1% maximum performance penalty impact.  Some would consider this performance penalty to be negligible.

Harry_An
Level 3

Dear Sdo Nicolai,

Thank you so much for your explaination. The KMS ecnryption is only the option to me :)
 

Regards,

Harry