
NetBackup Media Server Encryption Option

nanochan
Level 3

Does anyone know the NetBackup Media Server Encryption Option well? As I can't find much information on the internet, I have to ask questions here.

1) The licenses. I saw someone else mention that it requires licenses in pairs; is that true?

2) How does the key management of MSEO work, e.g. is there any way to back up, recover, retire and replicate the keys? For each MSEO host, how many security keys can it handle? For example, if we want to restore some data from two years ago for which the key is different from the current encryption key, what should I do?

3) My master backup server is installed with the MSEO server & agent; is this correct?

4) What are the minimal hardware requirements for the MSEO deployment?

5) In the current environment we have about 6 TB of weekly full backup data and 1.4 TB of daily incremental backup, and an attached library with two LTO3 drivers. For MSEO, what kind of impact will it have on backup performance? How long will it take to encrypt all the data to the tape?

6) For restoring data from the encrypted tapes, what is the impact on the restore performance (RTO)?

7) Speed and encryption type: which is better, easier to implement, etc.? RSA or AES?

8) I have both NetBackup 7.1 and MSEO installed. My backup is running fine, but I have no idea how I should go about configuring MSEO and getting it up and running as well. Everything is configured as default on MSEO; do I just check the "Encryption tab" in my NetBackup and my data will be encrypted in the process?

Apologies, as I am new.

Thanks.

11 Replies

falti_manullang
Level 5
Partner

Data will be encrypted on the client side, so it will increase the processing load of the client.

nanochan
Level 3

Is there any way I can learn the steps to configure my first working NetBackup Media Server Encryption Option?

The guides available online seem vague... after reading them I still gain no understanding.

Rajesh_s1
Level 6
Certified

 

MSEO working: from Admin guide

During a write operation, the MSEO driver:

- Intercepts a NetBackup write request from a media server
- Sends the request to a MSEO Security Server for evaluation
- If approved, applies encryption and compression algorithms to the data
- Passes the data to the tape device, which writes the data to tape

The inverse is true for restoring protected data from a storage medium.

During a read operation, the MSEO driver:

- Intercepts a NetBackup read request from a media server
- Sends the request and NetBackup metadata to a MSEO Security Server for evaluation
- If approved, uses Security Server-supplied keys to decrypt MSEO metadata
- Decrypts the tape data

Each data block is encrypted using an AES key, and each tape block comprises MSEO metadata and the backup payload. The MSEO metadata is encrypted with an RSA public key. The MSEO Security Server must grant permission and supply the appropriate RSA private key to decrypt the tape blocks. The private key is used to decrypt each block, and the encryption key in the metadata is then used to decrypt the payload.

 

 

1) The licenses. I saw someone else mention that it requires licenses in pairs; is that true?

As per my knowledge, you need to purchase an MSEO license per server.

2) How does the key management of MSEO work, e.g. is there any way to back up, recover, retire and replicate the keys? For each MSEO host, how many security keys can it handle? For example, if we want to restore some data from two years ago for which the key is different from the current encryption key, what should I do?

During restore you need to use the same key with which you took the backup, else you will not be able to restore any data. It is always better to have a backup of the keys.

3) My master backup server is installed with the MSEO server & agent; is this correct?

You can install the MSEO security server and agent on your master if your tape drives are configured to the master; else you can configure only the security server. You can also use your existing media servers as a security or agent server.

4) What are the minimal hardware requirements for the MSEO deployment?

Need to check, not sure on this.

5) In the current environment we have about 6 TB of weekly full backup data and 1.4 TB of daily incremental backup, and an attached library with two LTO3 drivers. For MSEO, what kind of impact will it have on backup performance? How long will it take to encrypt all the data to the tape?

6) For restoring data from the encrypted tapes, what is the impact on the restore performance (RTO)?

There is not much impact on the restoration, as it is not going to encrypt the complete data; only at the starting data blocks will a key be inserted. But if you are going to do any compression, then definitely it will have an effect at the time of backup and also during restores.

7) Speed and encryption type: which is better, easier to implement, etc.? RSA or AES?

No idea on RSA; we are using AES.

8) I have both NetBackup 7.1 and MSEO installed. My backup is running fine, but I have no idea how I should go about configuring MSEO and getting it up and running as well. Everything is configured as default on MSEO; do I just check the "Encryption tab" in my NetBackup and my data will be encrypted in the process?

Until you configure a policy on the security server and the MSEO drivers are placed on the agent server, you will not be able to do any encryption; it will be just like a normal backup. Only from this can you read prior encrypted images, if you have inserted the proper key, i.e. the key used at the time of backup.

 

My suggestion: if you are configuring this for the first time, then it's better to log a support case and get it done properly; it's very difficult to understand from the guide.
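The layered scheme in the admin-guide excerpt above (an AES key per block for the payload, RSA for the metadata that carries that key) is shown here in Go. This is an added example, not MSEO code or part of the original posts: the `TapeBlock` layout, the function names, and the choice of AES-256-GCM and RSA-OAEP are assumptions, since the thread names only AES and RSA. It shows why a block written under an older key pair can only be restored with that pair's private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type TapeBlock struct{ WrappedKey, Nonce, Payload []byte } // assumed layout; WrappedKey stands in for the MSEO metadata
func NewKeyPair() (*rsa.PrivateKey, error)                 { return rsa.GenerateKey(rand.Reader, 2048) }
func gcmFor(key []byte) cipher.AEAD { // callers pass a 32-byte key, so neither call can fail
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	return gcm
}

// Seal encrypts data under a fresh AES key, then that key under the RSA public key.
func Seal(pub *rsa.PublicKey, data []byte) (*TapeBlock, error) {
	buf := make([]byte, 32+12) // per-block AES key followed by a GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	return &TapeBlock{wrapped, buf[32:], gcmFor(buf[:32]).Seal(nil, buf[32:], data, nil)}, nil
}

// Open fails unless priv is the private half of the key pair used at backup time.
func Open(priv *rsa.PrivateKey, b *TapeBlock) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil || len(key) != 32 || len(b.Nonce) != 12 {
		return nil, fmt.Errorf("block rejected: wrong private key or malformed metadata")
	}
	return gcmFor(key).Open(nil, b.Nonce, b.Payload, nil)
}

func main() {
	oldKey, _ := NewKeyPair() // key pair in use when the tape was written
	newKey, _ := NewKeyPair() // key pair in use today
	blk, _ := Seal(&oldKey.PublicKey, []byte("constructed sample payload"))
	_, errNew := Open(newKey, blk)
	plain, errOld := Open(oldKey, blk)
	fmt.Printf("current key: %v\nretained key: %q, err=%v\n", errNew, plain, errOld)
}
```

Only the retained old private key recovers the payload, so retiring a key pair is safe only once no unexpired tape was written under it.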

nanochan
Level 3

I received this error while checking "Encryption" in NetBackup 7.1:

"necessary extension package is not installed or configured properly(9)"

Any idea why? I have installed the MSEO agent and server console on my one and only server; any idea where I went wrong?

Oh yes, I have the licence as well.

And anyway, you managed MSEO drivers; what kind of drivers are we referring to here, and what kind of "keys" do I have to get to make it right?

I have no problems doing unencrypted backups.

Thanks

Nick_F1
Level 3

We have a KMS server (running as a VM) which manages the keys and each media server we want to do encrypted backups we have MSEO installed on (and licensed). We do media-server based encryption rather than client based encryption (so the encryption overhead is done by the media servers not by the servers being backed up). We only did some small scale performance testing (with and without encryption) and didn't find it slowed backups or restores down that much (20% at most) but we're only running LTO3's (with 4Gb fibre tape libraries) so I guess if you can push data to tape faster then the overhead will be greater.

It seems to work pretty well for us, you do need to make sure your keys are protected and backed up though, not sure what options you'll have if you lose them.

It would be nice if Symantec properly developed MSEO though and integrated it better, they basically bought the product off someone and rebranded it without really doing much integration work. I would have thought these days having encrypted backups would be getting increasingly important for enterprises so maybe they'll work on it soon. Support is also a bit of a nightmare for it, there's not really much documentation out there and it's hard getting hold of Symantec techs that have experience with it.

Rajesh_s1
Level 6
Certified

Basically, when you open the MSEO agent console you should be able to see the tape drives which are allocated to that server, and then you will have an option to convert those drives to MSEO, i.e. when it converts the drives to MSEO it means it will add the respective MSEO driver, and if you convert them to non-MSEO then they will use the default drivers.

If you are unable to see any drives in that console, it means there might be some issue during installation, which hasn't configured properly.

CRZ
Level 6
Employee Accredited Certified

The Encryption checkbox is for CLIENT Encryption and is not used for MSEO.

I have to admit I'm one of those guys that doesn't know anything about MSEO, so here's a link to a document which I hope may help.

Best practices when using the NetBackup Media Server Encryption Option
 http://symantec.com/docs/TECH73132

 

nanochan
Level 3

Not only that.

They charged us sky-high for their products, yet there are zero proper guidelines on how to do it. I googled like crazy without finding any feasible solution at all.

The documentation provided around the WWW only covers documentation filled with redundant info for a guy like me (my policy is to get it up and running ASAP and learn about the exact details later which)... well, that's me.

It is a very sad thing and I will probably advise my company to stay away from Symantec products.

nanochan
Level 3

Thanks for all the output.

I managed to get MSEO working moments after I posted my last post.

Reason: Encryption should be left unchecked; MSEO runs in the background.

nanochan
Level 3

Can anyone help?

I have no issues encrypting on the main server where MSEO is installed.

I added the host in the server console of MSEO but apparently it did not encrypt any data.

Is there a way to check whether whatever was written is being encrypted successfully?

CRZ
Level 6
Employee Accredited Certified

nanochan, I see you have started a new thread for this question:
 https://www-secure.symantec.com/connect/forums/how-check-what-does-mseo-actually-encrypted

May I request you mark a solution to close this thread?  (I will blatantly beg for points by offering my post above as the potential solution as it matched your own solution :) )