Understanding and Troubleshooting Random Backup Failures with FIPS Compliant AES-256 Algorithm (4371017)

Understanding and Troubleshooting Random Backup Failures with FIPS Compliant AES-256 Algorithm

Users have reported that backups and restores are slower when using the AES256 encryption option with NetVault 13.0.1 and 13.0.2. The issue is caused by the built-in NetVault Plug-in for Encryption being set to use a FIPS compliant AES-256 algorithm. While the FIPS compliance is a desirable feature for many users, it comes at a cost of significantly slower backups and restores. As a result, some users may find the slower performance unacceptable, especially if they have large amounts of data to backup or restore.

Users have reported issues with the FIPS compliant AES-256 algorithm included in the NetVault Plug-in for Encryption in NetVault 13.0.1 and 13.0.2. The algorithm is very slow, causing backups to take significantly longer than with the non-FIPS compliant algorithm. Some users have reported that a backup that would normally take 5 minutes can take several hours with the FIPS compliant algorithm, which can result in application timeouts, deadlocks, and other related issues. These issues make the FIPS compliant algorithm difficult or unusable for some users.

If FIPS compliance is not required for your backups and you would like to improve backup speeds, you can modify the NetVault Plug-in for Encryption to use the non FIPS compliant AES-256 encryption algorithm. To do so, follow these steps:

1. Navigate to the directory where NetVault software is installed on the NetVault Client.
2. Go to the NetVault config directory.
3. Edit the NetVault config file "encryption.cfg" using a text editor.
4. Look for the stanza [Client:Crypto Algorithm] and add an entry for AES256_OLD.
5. The stanza should now look like this:

[Client:Crypto Algorithm]
Type=Combo
Width=24
Label=Available Encryption Algorithms
Help=Please select an Encryption Algorithm
Help Id=0 Value=AES256_OLD Range=No module selected,AES256,CAST128,CAST256,AES256_OLD
Label Id=7047

6. Save the changes.
7. Restart NetVault services on the NetVault Client.

After following these steps, the NetVault Plug-in for Encryption will be set to use the non FIPS compliant AES-256 encryption algorithm. When modifying encryption options, the algorithm list will let you choose between CAST128, CAST256, AES256 (FIPS compliant), and AES256_OLD (non FIPS compliant). Note that encryption is configured in the NetVault Clients, so these changes should be applied to all NetVault 13.0.1 and 13.0.2 Clients for which FIPS compliant backups are not a requirement, and you prefer to use the non FIPS compliant AES-256 encryption algorithm for improved backup speeds.