One of our customers as a requirement to encrypt backups to tape in three NetBackup Domains, each one with a physical standalone Master/Media Server and a NetBackup Media Server Appliance 5240, the issue is that they need send encrypted backup tapes between those three sites and be able to recover the data on them.
We are going to use the NetBackup Key Management Service (KMS) no external KMS.
I am aware that we can import/export the encryption keys between sites, but I cannot find information about the requirements to recover the data.
What else needs to be configured, what resources must be available (tape drives, etc.) on each domain to allow them to achieve the objetctive of recovering from a complete site failure and restore encrypted backups from tape in a DR site?
Tapes need to be imported on the destination system before data can be restored. KMS data need to be imported before tapes can be imported.
Importing tapes is not a quick task - it takes time. If backup needs to ready for restore right away consider to use MSDP AIR.
We are using MSDP AIR to replicate backups between sites, but the issue is with the backups that are only made to tape in each site, those backups are not made to disk, they run directly to tape and need to be encrypted, then the tapes need to be sent to another site for DR purposes, need to import encryption keys on that site, need to import tapes to the Master Server on that site/domain and make the ready to be used for recovery.
My doubt is if we can import tapes as soon as they arrive on the DR site, to shorten the time to recover from encrypted media?
Can we import tapes to a diferent Master Server in a diferent Domain without any disruption on the catalog?
Each site will have its own reserved volume pool name prefix ENCR.
Yes you can import tapes without disruption to the target catalog but realistically this takes 4-5 hours per tape or even more if compression is not high.
Also beware of NBU KMS limitations on number of keys it can support.
If it's more than 2-3 tapes daily, I'd say it's operationally impractical and will be better solved by an external KMS with key replication across all locations.
The word tape and fast does not go hand in hand. If business requirement is quick recover use MSDP AIR replication between master servers. Note the destination AIR replication can have a short life time than original copy.
Importing a large number of tapes on a day to day basic will be a real pain, and take up tape drive from other tasks.
In my view encryption is not a challenge, it is the speed of witch you can import tapes. Problem is a receiving Netbackup doesn't know what's on the tapes and therefor need a lengthy import process. That problem is solved using MSDP air between master servers.
Hope this clarify :)
If the DR site is common to all three domains, be aware you cannot merge / import KMS to the DR server at the same time.
Or, in other words, if the DR site contained the keys from site A, you cannoy 'merge' the keys from site B at the same time.
There is a way around this.
When ceating the keys at sites ABC, add the pass phrase manually (as opposed to letting NBU make one up). Using the pass phrase and the key tag, you can then recreate the keys on the DR site.