06-06-2021 08:03 PM
Hello Team,
Master server: Solaris 10
Version: 8.1.1
Media servers: NetBackup appliances 5330 and 5340
We have one master server and 3 media servers (NetBackup appliances). We don't have a tape library in our infrastructure.
Can we configure KMS to encrypt data on disk pools? I know we can configure it over volume pools, but here we don't have a tape library.
If yes, can you please share the technote that contains the configuration of KMS for NetBackup appliances?
If no, then how can we encrypt the data that is going to the disk pools (NetBackup appliances)?
06-06-2021 08:11 PM
Hello @Dav1234
Yes, you can enable KMS for MSDP. You can read about the procedure here -- https://www.veritas.com/content/support/en_US/doc/25074086-136046435-0/v130372349-136046435
Remember, these steps will not encrypt existing data, but any new data will be encrypted from then on.
06-06-2021 08:27 PM
Hi @Dav1234
You most certainly can encrypt your data. However, there may be some challenges for you depending on the amount of data you have already protected. I'm assuming here you are referring to MSDP rather than AdvancedDisk pools. Setting up KMS for MSDP and AdvancedDisk is initially the same as if you were setting up for tape pools.
For AdvancedDisk, refer to the AdvancedDisk Storage Solutions Guide for details.
For MSDP, encryption is usually configured when you first set up a disk pool, and you can optionally choose to use KMS to add further protection to the data. It is possible to enable encryption on an existing disk pool (and here you should refer to the Deduplication Guide for more details - https://www.veritas.com/support/en_US/doc/25074086-127355784-0/v52356307-127355784), but it requires you to update some of the MSDP configuration files. Note, though, that once done this will only encrypt new data segments being stored in the pool; there is no way to encrypt existing data in the pool (the only option here is to empty the disk pool and start from scratch - this is the challenge).
If you have the space, you could duplicate images from one MSDP to another to allow you to recreate the MSDP from scratch with encryption enabled.
Cheers
David
06-06-2021 08:50 PM
Hello David,
How do we check whether encryption is already configured for the disk pools?
06-06-2021 09:09 PM
Hi @Dav1234
For MSDP, look at the properties of the storage server (there is a field for encryption and another for KMS-enabled encryption). If they are 1, the feature is enabled.
For AdvancedDisk, I believe the storage server type will show as AdvancedDisk_crypt rather than simply AdvancedDisk.
David
06-06-2021 09:24 PM
Hello David,
I checked and both encryption options are disabled (set to 0).
If we set encryption now, then only upcoming backups will be encrypted, right?
What about previous backups? Will we face any issue if a restore request comes in?
And are there any chances of performance-related issues after enabling encryption, i.e. have you faced any performance-related issues after enabling encryption mid-way?
06-06-2021 09:41 PM
I have not heard of any case so far of performance being impacted after enabling KMS.
No issues with existing data for restore, except for the fact that it will remain unencrypted.
06-06-2021 09:59 PM
Hi @Dav1234
Firstly @pats_729 is correct, the load on the appliance is negligible (you would not notice it).
As for future backups, they will not necessarily become encrypted (and probably won't). As we have said, only data segments that are new to the pool will be encrypted. So if you perform a backup of something already in the pool you might get (say) a 95% deduplication rate; this means that only the 5% of the data that wasn't already in the pool will be encrypted. The rest will remain as the existing unencrypted data segments (and will continue like this until the data segments no longer have any backups referencing them).
David
06-10-2021 10:07 PM
Hello David,
Thank you for information.
And it's quite impossible that the existing data segment references will be cleared out, because we have had this setup since day one and the previous data references should still be there...
So, is encryption really recommended, or is it really required?
06-10-2021 11:23 PM
Hi @Dav1234
Whether encryption is recommended or required, I can't say. The answer will depend on your environment and the security requirements of the data you are protecting.
Also, unlike tapes, which are often sent offsite, your appliance will most likely live in a secure data center, so it is less likely to be stolen/compromised.
Finally, if a drive in the appliance needs to be replaced, remember a single drive is simply part of a RAID volume (so the data on it would be difficult to extract with meaning). Then the data in an MSDP pool is segmented as well, so extracting anything useful would be a challenge (IMHO), though I can't say it's impossible.
What I will say is that if your circumstances require all data at rest to be encrypted, then this should be done from the creation of the disk pool, not some time after you have been writing data (unencrypted) into it.
Hope that helps
David
06-16-2021 02:54 AM
Hello David,
We have 6 appliances, and on 4 appliances I have seen that Optimized-duplication encryption is set to 1 but ENCRYPTION is set to 0.
Are these the recommended settings?
What is the use of Optimized-duplication encryption?
06-16-2021 04:24 PM
Hi @Dav1234
What the OPTDUP_ENCRYPTION = 1 setting means is that data segments sent to a different storage server will be encrypted in flight - this adds an additional layer of protection for that data. Note that these segments will remain encrypted when they land in the target MSDP (the fact they were sent implies that the target pool did not contain this data already - remember that the fingerprint is computed and stored on the unencrypted data).
As to recommended settings - this really depends on your circumstances and requirements around data security. I would suggest that the settings, whatever you determine, should be consistent across all devices. The additional overhead for encrypting and decrypting each data segment is minimal, so I wouldn't be concerned that you now probably have a mix of encrypted and unencrypted data segments in some disk pools.
David
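A small audit script for the consistency point made above (the ENCRYPTION and OPTDUP_ENCRYPTION settings should agree across all appliances), added here as an example that is not part of the thread and not a Veritas tool. It assumes the settings were collected from each appliance as pd.conf-style `KEY = VALUE` text; the three appliance configurations below are constructed samples, and any hostnames are invented.

```python
import re
from typing import Dict, List

# Settings discussed in the thread. The KEY = VALUE line format is assumed here.
AUDITED_KEYS = ("ENCRYPTION", "OPTDUP_ENCRYPTION")

LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(\S+)\s*$")

# Constructed sample input: text collected from three hypothetical appliances.
SAMPLE_CONFIGS: Dict[str, str] = {
    "appl-01": """
# constructed sample, not a real pd.conf
ENCRYPTION = 0
OPTDUP_ENCRYPTION = 1
""",
    "appl-02": """
ENCRYPTION = 0          # at-rest encryption off
OPTDUP_ENCRYPTION = 1   # in-flight encryption for optimized duplication on
""",
    "appl-03": """
ENCRYPTION = 0
# OPTDUP_ENCRYPTION = 1   <- commented out, so the setting is unset here
""",
}


def parse_settings(text: str) -> Dict[str, str]:
    """Parse KEY = VALUE lines; '#' comments and blank lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]      # drop trailing or full-line comments
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(configs: Dict[str, str]) -> Dict[str, object]:
    """Compare the audited keys across hosts.

    Returns the per-key/per-host value table, the keys whose values differ
    between hosts, and the hosts that would send optimized-duplication data
    in the clear as a source (OPTDUP_ENCRYPTION not set to 1). A key that
    is absent or commented out is reported as 'unset'.
    """
    per_host = {host: parse_settings(text) for host, text in configs.items()}
    table = {k: {h: per_host[h].get(k, "unset") for h in per_host} for k in AUDITED_KEYS}
    inconsistent: List[str] = [k for k in AUDITED_KEYS if len(set(table[k].values())) > 1]
    # The setting is effective on the source of a duplication, not the target.
    optdup_off: List[str] = [h for h, s in per_host.items() if s.get("OPTDUP_ENCRYPTION", "0") != "1"]
    return {"table": table, "inconsistent": inconsistent, "optdup_off": optdup_off}


def report(configs: Dict[str, str]) -> str:
    result = audit(configs)
    lines = []
    for key, values in result["table"].items():
        flag = "  <-- differs between hosts" if key in result["inconsistent"] else ""
        lines.append(f"{key}: " + ", ".join(f"{h}={v}" for h, v in values.items()) + flag)
    if result["optdup_off"]:
        lines.append("hosts that duplicate in the clear as source: " + ", ".join(result["optdup_off"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIGS))
```

In practice the text for each host would be gathered from the appliance itself; the script only does the comparison, and it deliberately treats a commented-out line as "unset" rather than guessing a default.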
06-16-2021 08:00 PM
Hello David,
Can enabling encryption for all backups on an MSDP negatively impact backup and restore performance?
06-16-2021 09:21 PM
Hello David,
Should this OPTDUP_ENCRYPTION option be enabled on the target storage server too? Is it only then that duplicated/replicated data will be encrypted at the target server?
06-16-2021 09:26 PM
The OPTDUP_ENCRYPTION setting affects the source storage server.
Setting it on the target storage server would not affect data being received by it.
Have you reviewed the relevant sections of the NetBackup Deduplication Guide?
06-16-2021 09:38 PM
Hello David,
Thank you for clarifying that this setting needs to be enabled at the source storage server and does not need to be enabled at the target storage server.
Yes, I have gone through the document and had this doubt. Thank you for the clarity...