we are planning to enable encyrptin at both MSDP and tape and it should cover at all levels and looking for prerequisites. I am planning to
1) Enable MSDP encryption that should encrypt data from client, at MSDP pool and data replicating to DR site.
2) Enable Netbackup KMS and encrypt data sent to tape.
But do we need encryption license at tape library when enabled KMS or would Netbackup send encrypted data to tape using KMS?
Please advise the best possible option to enable encryption that covers both disk and tape.
No additional licenses are required for what you are trying to do. The NBU Security and Encryption Guide will be your friend.
Note one thing though - you can enable encrpytion for an MSDP pool at any time, however if there are existing data segments (or backups to simplify understanding), then those segments will NOT be encrypted and will remain as is. The only sure way to encrypt the MSDP pool would be to expire every image that exists in the pool first. The reason why the existing segemnts remain unencrypted is due to how data is tranferred - a backup stream is segmented and fingerprinted, if the fingerprint already exists in the pool, other than recording a pointer for the new segment, no data is transferred into the pool and so the existing data remains unchanged.