09-10-2013 04:15 AM
Some questions about data encryption with client-side deduplication:
1. How is the encryption key created, and where is it created?
2. Where is the key kept (on the client, media server or master server), and how is the key managed when an encrypted backup gets duplicated to another media server?
3. Where does the decryption occur when restoring data, especially when restoring to a different client host which is not the host that was backed up?
Thank you
09-11-2013 08:24 AM
Please see the NetBackup De-Duplication Guide - there is a section about de-duplication encryption that explains everything: http://www.symantec.com/docs/DOC5187
It is different from the normal client encryption (which, if used, would prevent any effective de-dupe taking place).
It starts on P34 and has links to all other related information, which should cover everything for you.
Hope this helps
09-11-2013 08:50 AM
Thanks Mark. I've read through the dedup guide. It did contain some information about dedup encryption, however it doesn't explain how the encryption key is managed. More importantly, I can't find useful information about how decryption works when restoring a backup, and where decryption takes place. I am more interested in whether, when restoring a backup to a second client host, the encrypted data gets decrypted on the media server or on the target client host.
09-11-2013 09:20 AM
I think that may well be an engineering question - I got the impression that it is all inbuilt into MSDP, and so wherever you were it would understand what was needed and deal with it.
As the encryption does not follow to tape, it is only valid whilst inside the de-dupe system, so does not need anything more.
It probably uses the de-dupe password that the system is assigned when de-dupe is configured and encrypts that with the Blowfish algorithm.
09-14-2013 04:58 PM
Do we know where the decryption occurs during restore? Does the media server (storage server) decrypt the data before restoring to the client, or does the client do the decryption?
09-16-2013 01:39 AM
I believe decryption occurs at the media server during a restore (as I recall from my earlier reading up on this).