cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

NetBackup MSEO Datastore protection question

Help_Desk_14
Level 2

‎04-23-2009 01:20 PM

Hello,

Playing with MSEO 6.1 and getting ready to implement it. It's going well, but one last thing is making me hold off on it; proper MSEO Datastore protection.

The user guide says be sure to backup the datastore regularly unencrypted because if you lose your keys (including the keys to decrypt the datastore backup) you are sol. That makes sense.

My problem is if I perform an unencrypted backup of MSEO to a tape that goes offsite (possibly with other MSEO encrypted data on it as well), if that box of tapes gets lost in transit, it contains my unencrypted MSEO backup that can easily be restored by someone else.  That along with other MSEO encypted tapes in that box and all of my encrypted data is open for whoever finds it. Right?

Or say I perform a unencrypted backup (or export of my licenses) and keep locally, in a disaster recovery scenario, locally isn't there anymore. All I would be left with was encrypted offsite tapes with no licenses to decrypt. Right?

Am I just confused or missig some glaring point?

I suppose it's all about balancing the risks involved and deciding which one we can live with.

Any advice, pointers?


0 Kudos
3 REPLIES 3

Help_Desk_14
Level 2

‎04-24-2009 08:18 AM

Ok, for anyone interested (doubtful), I think I came up with a solid plan.

I am going to regularly backup the MSEO data using standard client encryption. So it will be encrypted on the tape.

I will also be backing up the client encrytpion key files using this same encryption; against Symantec's recommendation.

If we ever need to restore the MSEO data from that tape and don't have access to the client encryption keyfile to perform the restore, we can re-generate the keyfile using the passphrase used to originally generate it.

I will of course be copying all of this data to other locations in our enviroment unencrypted to allow for easy restores.

I will also be testing this before implementing.
0 Kudos

maheshes
Level 3
Employee

‎06-11-2009 02:07 AM

Have a normal backup of the following /opt/vormetric/cgsb/server/db/  folder for unix with maximum possible retention.

This folder contains all of your keys/policy etc which are critical for MSEO to function.

you can also have a tar of the same for emergency purpose.


Note -  We should not forget the password for the keys created else the encypted data cant be recovered.

0 Kudos

Reagan
Level 5
Partner Accredited Certified

‎08-28-2009 04:11 PM

The recommended way to backup the MSEO keys and configuration on the MSEO server is to use the MSEO export utility, which copies the keys and configuration to a specfied folder with password protector.  To import the configuration and keys, the password is required.

I'm thinking the best way would be to copy the exported contents of the folder to a CD-ROM with the password and lock it into an offsite vault.  Keep it seperated from the off-site backup tapes for added protection.       


0 Kudos