cancel
Showing results for 
Search instead for 
Did you mean: 

Key management system for data encryption

Dav1234
Level 4

Hello Team,

Master : server: Solaris 10

Version: 8.1.1

Media server : netbackup appliances 5330 and 5340

We have one master server and 3 media server (netbackup appliances). we don't have tape library in our infra.

Can we configure KMS to encrypt data on disk pools? I know we can configure over Volume pools but here we don't have tape library.

If yes, can you please share the technote that contain configuration of KMS for netbackup appliances?

If No, then we can encrypt the data i.e. going to disk pools(netbackup appliances)?

 

1 ACCEPTED SOLUTION

Accepted Solutions

Hi @Dav1234 

What the OPTDUP_ENCRYPTION = 1 setting means is that data segments sent to a different storage server will be encrypted in flight - this adds an additional layer of protection for that data. Note that these segments will remain encrypted when they land in the target MSDP (the fact they were sent implies that the target pool did not contain this data already - remember that the fingerprint is computed and stored on the unencrytped data).

As to recommended settings - this really depends on your circumstances and requirements around data security. I would suggest that the settings what ever you determine should be consistant across all devices. The additional overhead for encrypting and decrypting each data segment is minimal, so I wouldn't be concerned that you now probably have a mix of encrypted and unencrypted data segments in some disk pools. 

David

View solution in original post

16 REPLIES 16

pats_729
Level 6

Hello @Dav1234 

Yes you can enable KMS for MSDP. Here you can read about the procedures -- https://www.veritas.com/content/support/en_US/doc/25074086-136046435-0/v130372349-136046435

Remember, these steps will not encrypt existing data but any new data will be encrypted onwards.

davidmoline
Level 6
Employee

Hi @Dav1234 

You most certainly can encrypt your data. However there may be some challenges for you depending on the amount of data you have already protected. I'm assuming here you are referring to MSDP rather than Advanced disk pools. Setting up KMS for MSDP and advanced disk is initially the if you were setting up for tape pools. 

For Advanced Disk, refer to the ADdvanced Disk Storage Solutions Guide for details.

For MSDP, encryption is usually configured when you first set up a disk pool and you can optionally choose to use KMS to add further protection to the data. It is possible to enable encryption on an existing disk pool (and here you should refer to the Deduplication Guide for more details - https://www.veritas.com/support/en_US/doc/25074086-127355784-0/v52356307-127355784), but requires you to update some of the MSDP configuration files. You must note though, that once done this will only encrypt new data segments being stored in the pool, there is no way to encrypt existing data in the pool (the only option here is to empty the disk pool and start from scratch - this is the challenge). 

If you have the space, you could duplicate images from one MSDP to another to allow you to recreate the MSDP from scratch with encryption enabled.

Cheers
David

Hello David,

How do we check whether already encryption is configured for disk pools?

Ho @Dav1234 

For MSDP look at the properties of the storage server (there are fields for encryption and another for KMS enabled encryption). If they are 1 it means the feature is enabled. 

For Advanced DIsk I believe the storage server type will show as AdvancedDisk_crypt rather than simply AdvancedDisk.

David

Hello David,

I checked and both encryption options are disabled (set to 0)

If we set encryption now then only upcoming backups will be encrypted? right?

what about previous backups? we will not face any issue if any restore request came?

And any performance related issues chances after enabling encryption means have you faced any performance related issues after enabling encryption in middle?

@Dav1234 

I have not heard any case so far impacting performance after enabling KMS.

no issues with existing data for restore except for the fact that it will remain be unencrypted.

Hi @Dav1234 

Firstly @pats_729 is correct, the load on the appliance is negligible (you would not notice it). 

As for future backups, they will not necessarily become encrypted (and probably wont). As we have said, only new data segments (to the pool) will be encrypted. So if you perform a backup of an something already in the pool you might get (say) 95% deduplication rate - this means that only the 5% of the data that wasn't already in the pool and this will be encrypted. The rest will remain as the existing unencrypted data segments (and will continue like this until the data segments no longer have any backups referencing them.

David

Hello David,

Thank you for information.

And it's quite impossible that existing data segment references will be cleared out because we have this setup since 1st day and previous data reference reference should be there...

So, is encryption is really recommended or its really required?

Hi @Dav1234 

Whether encryption is recommended or required, I can't say. The answer will depend on your environment and the security requirements of the data you are protecting.

Also, unlike tapes which are often sent offsite, your appliance will most likely live in a secure data center, so is less likely to be stolen/compromised. 

Finally if a drive in the appliance needs to be replaced, remember a single drive is simply part of a raid volume (so the data on this would be difficult to extract with meaning). Then the data in an MSDP pool is segmented as well, so extracting anything useful would be a challenge (IMHO) though I can't say not impossible.

What I will say is that if your circumstances require all data at rest to be encrypted, then this should be done from the creation of the disk pool, not some time after you havse been writing data (unencrypted) into it.

Hope that helps
David

Hello David,

we have 6 appliance and on 4 appliance i have seen that Optimized-duplication encryption is set to 1 but ENCRYPTION is set to 0.

Is this recommended settings?

what is the use of Optimized-duplication encryption?

 

Hi @Dav1234 

What the OPTDUP_ENCRYPTION = 1 setting means is that data segments sent to a different storage server will be encrypted in flight - this adds an additional layer of protection for that data. Note that these segments will remain encrypted when they land in the target MSDP (the fact they were sent implies that the target pool did not contain this data already - remember that the fingerprint is computed and stored on the unencrytped data).

As to recommended settings - this really depends on your circumstances and requirements around data security. I would suggest that the settings what ever you determine should be consistant across all devices. The additional overhead for encrypting and decrypting each data segment is minimal, so I wouldn't be concerned that you now probably have a mix of encrypted and unencrypted data segments in some disk pools. 

David

View solution in original post

Hello David,

Is enabling encryption for all backups on a MSDP can negatively impact backup and restore performance?

 

HI @Dav1234 

There of course is some performance impact to enabling encryption. However it is unlikely, as already has been said by @pats_729, that you would notice anything.

David

Hello David,

on target storage server this option OPTDUP_ENCRYPTION should be enabled only then duplicated/replicated data will be encrypted at target server?

The OPTDUP_ENCRYPTION setting affects the source storage server.

Setting it on the target storage server would not affect data being received by it.

Have you review the relevant sections of the NetBackup Deduplication Guide?

Hello David,

Thank you for clarifying this that this setting needs to enable at source storage server and not need to enable at target storage server.

Yes, i have gone through the document and have this doubt. Thank you for clarity ...