Understand, Plan and Rehearse Ransomware Resilience series - Access and Improve
Ransomware uses stolen credentials to gain access to backup systems and then delete, encrypt or expire the backup data. For more details on how to enable these features, here are theten steps to increase your security posture.12KViews1like0CommentsQuestion on NetBackup and Hardware Tape Encryption
Hello. I recently had to supply "proof" that all backups on tape are encrypted. Since we are using HW encryption, I assumed getting that from the Tape library configuration (Quantum i6). However, that shows encryption being disabled on all drives. I then ran an "images on tape" report for a few arbitrary tapes and saw that the Encryption column was "yes" and the Encryption key" was populated. So I know that the data is encrypted. I do not have the "Ecrypt" attribute turned on, on any policies. So the question is: who is encrypting the data on tape? Quantum is telling me it has to be NB since encryption their admin console shows encryption disabled. I suspect the "disabled" may refer to the Key Management since we do not use Quantum's key management...we use NB KMS (but I did not want to argue with the engineer). When I researched this on Veritas site, I get directed to the Security and Encryption Guide, which outlines how to setup KMS. The section on Encryption options points me back to Quantum since I am using "Third-party encryption appliances and hardware devices". Any insights on this wuld be appreciated.Solved3.9KViews0likes7CommentsDuplicating a hardware encrypted tape to an unencrypted tape
I have an LTO5 tape that has been backed up with hardware encryption. It has a variety of different types of backup sessions (flat files, MS SQL servers, MS Exchange) and I've been given the passphrase, so I've re-created the key and can pull off the flat files without any issue. The client has asked me to create an unencrypted version of the tape (they wish to use various 3rd party tools to extract the SQL and MS Exchange backups), and I've tried doing this with the duplication function, but I can't get it to work. I have a second tape drive in which I've mounted a freshly erased and labelled LTO5. When I try duplicating the original sessions from the encrypted tape onto it, I'm given the option of types of encryption (I chose none) but BE is switching on hardware encryption on the target drive anyway. This is regardless of whether I use DirectCopy, or choose to actually have encryption (which then gives me the option of choosing which key to use). Any ideas? Is there some option or other hidden deep in the bowels of BE that's telling it to encrypt everything it writes to tape by default?3.7KViews0likes11CommentsRestore encrypted SQL database on another server
Hi folks! Recently we applied TDE (Transparent Data Encryption) on some of our SQL databases on an SQL server. Netbackup policies keep working troublefree both for Full and Incremental Backups. Now, we need to perform a restore of one of these databases onto another SQL server where the TDE has been applied as well. I try to make the restore but I got the error with status 2828. Can someone guide me on how to do the restore? Thank you all in advance for the support.Solved3.3KViews0likes3CommentsMSDP encryption
Dear all, I really need your help regarding MSDP encryption. And I am confused about all what I read on the subject. What are my options to encrypt my deduplicated data on MSDP ? We have Netbackup appliance 8.1.1. I understand that I have two options: MSDP native encryption: -backup encrypt:For backups, the deduplication plug-in encrypts the data after it is deduplicated.The MSDPpd.conffileENCRYPTIONparameter controls backup encryption for individual hosts -Duplication and replication encryption :the deduplication plug-in on MSDP servers encrypts the data for transfer. The data is encrypted during transfer from the plug-in to the NetBackup Deduplication Engine on the target storage server and remains encrypted on the target storage. https://www.veritas.com/support/en_US/doc/25074086-127355784-0/v95643059-127355784 My questions: - For MSDP encryption, how it works ? how keys are generated and where are stored(on the client, in the MSDP catalog? file system ?) How to secure these keys ? - We are already backuping data. which means my segments of data are not encrypted. If I activate encryption on my clients, my new segments of data will be encrypted but not the old one ? Am I right ? Is there any solution to backup old data ? KMS with MSDP (available since version 8.1.1): I don't find much information on KMS for MSDP encyption. All I know that it is possible since version 8.1.1 =>https://www.veritas.com/support/en_US/doc/25074086-130388296-0/v130236116-130388296 KMS should be activated during the storage creation. Which means to use KMS and encrypt all my data. I shoul restart backuping all my data. Do you confirm ? have you any information on this ? To sum up, I found the documentation really confusing and I really need your help. Are you using encryption ? What are using for it ? Thank you so much for helping, Regards2.2KViews0likes1CommentBackup Exec 2010 R2 - Tape ejects on catalog / restore / backup
Hi, Were currently have Backup Exec 2010 R2 running at two sites. A production site and a DR site. Tapes are backed up at the production site and encrypted on a LTO4 auto loader (hardware 256Bit AES). When trying to catalog or restore data at the DR site using a stand alone LTO4 drive Backup Exec is just ejecting the media. I suspect this is due to encryption. I have setup the encryption key on the DR install of Backup Exec but suspect it is not working. Does anyone have any ideas what could be going on? Cheers.Solved2.1KViews0likes15Comments