
How to see encrypt in my jobs backup?

robertoaxity
Moderator
VIP

Hello, can you help me? I need an image or evidence of encryption of backups at Veritas. If my backup has encryption, how can I see that: some file on the client or master associated with the client, policy or whatever?

NetBackup 8.3.0.2

Thanks very much

Regards


davidmoline
Level 6
Employee

Hi @robertoaxity 

How are you encrypting your backups? The answer will determine the method to show the proof. 

Also, what level of evidence do you need? For instance, would the storage server properties be sufficient to show an MSDP pool is encrypted?

Cheers
David

robertoaxity

I don't know if my backups are encrypted, so I need to see that, and how I can see that a backup is encrypted.

Okay, let's start at the basics - what devices are you using to store your backups? Are you trying (or wanting) to encrypt your backups from the client, or just where the backups are stored (disk/tape/cloud)?

Have you reviewed the Security and Encryption Admin guide? This provides much of the background and details how to configure the various options.

robertoaxity

Hello,

The backups are stored in a disk pool and then copied to tape. For example, I have a server A in a Standard policy with ALL_LOCAL_DRIVES; I need to know if this backup job of server A is encrypted or not.

Thanks for your help

Hi @robertoaxity 

Firstly, a glib answer - since you don't know, it is probable that the backups are not encrypted. Now, how to check this.

1. For tape, most modern tape drives have an inbuilt encryption option; it just needs to be enabled. One way is to set up NetBackup KMS and create ENCR_<pools> that use the KMS to enable encryption when writing to tape. It is also possible to use an external mechanism to encrypt tapes (in which case NetBackup has no knowledge of this). If you don't have KMS set up, nor any tape pools starting with ENCR_, then you are not using NetBackup controlled tape encryption. If you have a third party mechanism - I cannot tell you how to verify.

2. For disk, if the disk is MSDP, then review the storage server properties to see if the encryption field is set to 1. MSDP can optionally use KMS also, which can be checked in the same place. If the disk is AdvancedDisk, then you can use NetBackup KMS to encrypt data at rest if the pool name starts with ENCR_.

3. It is possible to enable client-side encryption by selecting the appropriate check box on the policy. 

Hope this helps. 

David

robertoaxity

Hello David,

1. For tape, most modern tape drives have an inbuilt encryption option; it just needs to be enabled. One way is to set up NetBackup KMS and create ENCR_<pools> that use the KMS to enable encryption when writing to tape. It is also possible to use an external mechanism to encrypt tapes (in which case NetBackup has no knowledge of this). If you don't have KMS set up, nor any tape pools starting with ENCR_, then you are not using NetBackup controlled tape encryption. If you have a third party mechanism - I cannot tell you how to verify.

I have the nbkms process running on the master server, but I don't have any volume pool with ENCR.

2. For disk, if the disk is MSDP, then review the storage server properties to see if the encryption field is set to 1. MSDP can optionally use KMS also, which can be checked in the same place. If the disk is AdvancedDisk, then you can use NetBackup KMS to encrypt data at rest if the pool name starts with ENCR_.

The MSDP disk is a PureDisk of 70TB in a Veritas 5240 appliance, but I don't see the encryption field in this MSDP, so I don't know if it is on or off.

2022-12-12 19_46_51-Window.png

3. It is possible to enable client-side encryption by selecting the appropriate check box on the policy. 

Does this mean checking the "Encryption" option in the backup policy?

Hi @robertoaxity 

Okay - if you have no tape/media pools starting with ENCR, then you are not using NetBackup to encrypt the tapes. It is still possible that this is happening, but I cannot guide you on how to determine that.

For the disk pools, review the storage server properties (under credentials). See below for an example (where encryption is NOT enabled). The highlighted items are of interest - encryption needs to be 1 to be enabled, and optionally kmsenabled for better security. This will indicate if the pool has encryption enabled.

davidmoline_0-1670887730286.png

Since you are using MSDP, then I would not recommend enabling client-side encryption in the policy as this would adversely affect the storage utilisation in the disk pool (the deduplication ratio would drop significantly) 

Cheers
David
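
The checks described in the posts above (ENCR_ pool prefix for tape, the encryption and kmsenabled storage server properties for MSDP), as an added example that is not part of the original thread and is not Veritas code. The inputs are constructed text in an assumed simple format (one pool name per line, and "key value" lines transcribed from the storage server properties), not real NetBackup command output; the `storagepath` line is a placeholder.

```shell
#!/bin/sh
# Added example. Inputs are constructed text, not real NetBackup command output:
#   pool list  = one pool name per line
#   properties = "key value" lines transcribed from the storage server properties

# Pools whose name starts with ENCR_ (the prefix the thread ties to NetBackup KMS).
encr_pools() {
    printf '%s\n' "$1" | grep '^ENCR_' || true
}

# Value of one property, or "absent" when the key is not listed at all.
prop_value() {
    v=$(printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print $2; exit }')
    printf '%s\n' "${v:-absent}"
}

# MSDP verdict: encryption must be 1; kmsenabled is the optional extra.
msdp_status() {
    enc=$(prop_value "$1" encryption)
    kms=$(prop_value "$1" kmsenabled)
    case "$enc" in
        1) if [ "$kms" = 1 ]; then echo "encrypted+kms"; else echo "encrypted"; fi ;;
        absent) echo "not-encrypted (field absent)" ;;
        *) echo "not-encrypted" ;;
    esac
}

# One-line summary for an audit note. "no ENCR_ pools" only rules out
# NetBackup-controlled tape encryption, not an external mechanism.
summary() {
    pools=$(encr_pools "$1")
    if [ -n "$pools" ]; then
        tape="kms-pools: $(printf '%s' "$pools" | tr '\n' ',')"
    else
        tape="no ENCR_ pools"
    fi
    printf 'tape=%s; msdp=%s\n' "$tape" "$(msdp_status "$2")"
}

# Constructed samples (pool names and property lines are illustrative).
POOLS_PLAIN=$(printf 'NetBackup\nDataStore\nCatalogBackup')
POOLS_KMS=$(printf 'NetBackup\nENCR_Offsite\nENCR_Monthly')
PROPS_OFF=$(printf 'encryption 0\nkmsenabled 0')
PROPS_KMS=$(printf 'encryption 1\nkmsenabled 1')
PROPS_NONE='storagepath /msdp/data'

summary "$POOLS_PLAIN" "$PROPS_NONE"
summary "$POOLS_KMS" "$PROPS_KMS"
```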

Hi @robertoaxity 

If you need to prove that the data segments in MSDP are actually encrypted, then review my post from this thread. The process is relatively straightforward, but to prove every segment in a backup is encrypted will take some doing (remembering each backup is segmented into, by default, 64k blocks, and each block needs to be encrypted).

https://vox.veritas.com/t5/NetBackup/About-encryption-of-NBU8-2-Cloud-Catalyst-by-KMS/m-p/891085

The post relates to cloud catalyst, but the same process can be used for local MSDP.

Cheers
David

robertoaxity

David,

In the storage server I don't see the encryption option, so does that mean I don't have encryption in MSDP?

2022-12-12 21_07_20-Window.png

 

Hi @robertoaxity 

That's strange that no encryption settings are shown, but your assumption would be correct that you do NOT have encryption enabled. Let me spin up an 8.3 environment to view what it looks like (the example I provided is from NetBackup 10.1, but looks similar on all the other versions that I recall).

If the MSDP was not set up with encryption from the get go, then it is not really possible to turn it on and expect things to be encrypted (the reason is existing data segments will remain unencrypted while they remain in the pool).

With NetBackup 10.x, it is now possible to enable encryption and convert the entire pool (over time). Possibly a good reason to upgrade. 

David

robertoaxity

Thank you very much, David, for the help. Indeed, the encryption was not enabled.

Regards