VOX

Hello David,

How do we check whether already encryption is configured for disk pools?

Ho @Dav1234 

For MSDP look at the properties of the storage server (there are fields for encryption and another for KMS enabled encryption). If they are 1 it means the feature is enabled. 

For Advanced DIsk I believe the storage server type will show as AdvancedDisk_crypt rather than simply AdvancedDisk.

David

Hello David,

I checked and both encryption options are disabled (set to 0)

If we set encryption now then only upcoming backups will be encrypted? right?

what about previous backups? we will not face any issue if any restore request came?

And any performance related issues chances after enabling encryption means have you faced any performance related issues after enabling encryption in middle?

@Dav1234 

I have not heard any case so far impacting performance after enabling KMS.

no issues with existing data for restore except for the fact that it will remain be unencrypted.

Hi @Dav1234 

Firstly @pats_729 is correct, the load on the appliance is negligible (you would not notice it). 

As for future backups, they will not necessarily become encrypted (and probably wont). As we have said, only new data segments (to the pool) will be encrypted. So if you perform a backup of an something already in the pool you might get (say) 95% deduplication rate - this means that only the 5% of the data that wasn't already in the pool and this will be encrypted. The rest will remain as the existing unencrypted data segments (and will continue like this until the data segments no longer have any backups referencing them.

David

Hello David,

Thank you for information.

And it's quite impossible that existing data segment references will be cleared out because we have this setup since 1st day and previous data reference reference should be there...

So, is encryption is really recommended or its really required?

Hi @Dav1234 

Whether encryption is recommended or required, I can't say. The answer will depend on your environment and the security requirements of the data you are protecting.

Also, unlike tapes which are often sent offsite, your appliance will most likely live in a secure data center, so is less likely to be stolen/compromised. 

Finally if a drive in the appliance needs to be replaced, remember a single drive is simply part of a raid volume (so the data on this would be difficult to extract with meaning). Then the data in an MSDP pool is segmented as well, so extracting anything useful would be a challenge (IMHO) though I can't say not impossible.

What I will say is that if your circumstances require all data at rest to be encrypted, then this should be done from the creation of the disk pool, not some time after you havse been writing data (unencrypted) into it.

Hope that helps
David

Hello David,

we have 6 appliance and on 4 appliance i have seen that Optimized-duplication encryption is set to 1 but ENCRYPTION is set to 0.

Is this recommended settings?

what is the use of Optimized-duplication encryption?

Hello David,

Is enabling encryption for all backups on a MSDP can negatively impact backup and restore performance?

HI @Dav1234 

There of course is some performance impact to enabling encryption. However it is unlikely, as already has been said by @pats_729, that you would notice anything.

David

Hello David,

on target storage server this option OPTDUP_ENCRYPTION should be enabled only then duplicated/replicated data will be encrypted at target server?

The OPTDUP_ENCRYPTION setting affects the source storage server.

Setting it on the target storage server would not affect data being received by it.

Have you review the relevant sections of the NetBackup Deduplication Guide?

Hello David,

Thank you for clarifying this that this setting needs to enable at source storage server and not need to enable at target storage server.

Yes, i have gone through the document and have this doubt. Thank you for clarity ...