Chat now with support
Chat with Support

NetVault 13.3.2 - Built-in Plug-ins User Guide

Selecting the encryption algorithm

NetVault provides multiple algorithms that can be used to encrypt and decrypt backups. While each NetVault Client can use a different encryption algorithm, all backups from a particular client must use the same algorithm.

The same encryption algorithm that was used during backup must be used during restores. It is possible to use a different algorithm from this point forward than was previously used. However, when restoring backups that used the previous algorithm, the NetVault Server or Client must be configured to specify the algorithm used by the backup to restore data successfully. For example, if previous backups used the CAST-128 algorithm while current backups are using the AES-256 algorithm, the plug-in must be configured on the server or client to use the CAST-128 algorithm when restoring a backup that was taken using that algorithm; otherwise, restore fails.

Encrypting primary or secondary backups

A backup job consists of one or optionally two phases — Primary Backup and Secondary Copy. The primary backup is the backup of data stream to the selected backup device. These backups are performed to local storage devices to enable faster restores. The Secondary Copy is a Duplicate or Data Copy of the primary backup to a different backup device. These backups are targeted to remote disk-based storage devices or physical tape libraries whose tapes are stored offsite for disaster recovery purposes.

Your security requirements dictate whether you require encryption for both the primary backups and the secondary copies. For example, if the security requirements dictate that only the backups that leave the corporate network require encryption (such as those backups stored on physical tapes in a remote location), encrypt the secondary copy backups that target the physical tape libraries. However, if the security requirements dictate that data must be encrypted while it transfers across the network or while it is stored on a disk-based backup device — even if the disk-based backup device is located within the corporate network — encrypt both the primary backup and secondary copy.

Encrypted data does not deduplicate well. Therefore, encrypting only the secondary copy backup is beneficial when the primary backups are performed to storage devices that support deduplication. This approach lets you take advantage of both encryption and deduplication by deduplicating the primary backup and encrypting the secondary copy.

Figure 2. Unencrypted primary backups and encrypted secondary copy backups

Encrypting all or specific backups

The Plug‑in for Encryption lets you enable encryption for all backups on the NetVault Server or Client where a plug-in is installed, or enable encryption only for specific jobs. Encryption can also be enabled only for the primary backup or the secondary copies. This approach lets you take advantage of both encryption and deduplication. For example, you can deduplicate the primary backup and encrypt the secondary copy.

The job-level encryption option can be used in the following situations:
When any plug-in installed on the server or client is incompatible with the Plug‑in for Encryption.
Only specific backups on the server or client require encryption.
Primary backups do not require encryption while secondary backups for offsite protection require encryption.
Primary backups are targeted to storage devices that support deduplication.

The NetVault Server and Client should only be configured to encrypt all its backups in the following situations:
All plug-ins installed on the server or client are compatible with the Plug‑in for Encryption.
All backups from the server or client require encryption.
Both primary and secondary backups require encryption.
Backups are not selected for deduplication.

Configuring default settings

The settings let you determine which backups to encrypt, set your encryption key, and select the algorithm to use.

Encryption algorithm options are configured for each NetVault Client and for the NetVault Server separately. When you configure Encryption on a NetVault Client or in the NetVault Server, the encryption algorithm options available for the running version of NetVault appear.

To configure default settings
1
In the Navigation pane, click Change Settings.
2
On the Configuration page, click Server or Client Settings, as applicable.
3
Under Plugins, click Encryption.
4
Configure the following settings.
 
Setting
Description

Encrypt ALL Backups on this Client

After the Plug‑in for Encryption is automatically installed with NetVault on a client, you can do either of the following:
Encrypt all backups performed for that client.
Encrypt specific backups performed for that client.

To enable encryption for all backups, select this check box. When you enable encryption for all backups, you cannot change the setting on a per-job basis.

For more information about enabling encryption for specific backups, see Performing job-level encryption.

NOTE: To perform job-level encryption for backups originating from a NetVault Server or Client, the plug-in should not be configured for encrypting all backups.

Encryption Key String

Type the string that serves as the encryption key for the NetVault machine.

Different platforms allow varying characters and password lengths. Quest recommends that you use passwords of 32 characters or less. You can use characters from the following set: “A–Z”, “a–z”, “0–9”, and “_”. Key strings that do not conform to these specifications may work on one platform but may be invalid in another environment.

Confirm

Re-type the encryption string here to confirm that it is correct.

Available Encryption Algorithms

Select the encryption algorithm that you want to use for backups and restores. The list includes the following options:

AES256_OLD (non FiPS compliant)
AES256 (FIPS compliant)
CAST256

CAST128

NOTE: For NetVault Clients version 13.0 and earlier, when you select the AES256 option, the built-in NetVault Plug-in for Encryption uses a non FIPS compliant AES-256 encryption algorithm. For NetVault Clients version 13.0 and earlier, the built-in NetVault Plug-in for Encryption does not include a FIPS compliant encryption algorithm option.
NOTE: For NetVault Clients version 13.0.1 and version 13.0.2, the AES256 option instructs the built-in NetVault Plug-in for Encryption to use a FIPS compliant encryption algorithm. For NetVault Clients version 13.0.1 and version 13.0.2, the AES256_OLD (non FIPS compliant) option is not available in the built-in NetVault Plug-in for Encryption. If you are managing a NetVault Client version 13.0.1 or version 13.0.2 and prefer to use the non FIPS compliant AES-256 encryption algorithm, see the troubleshooting section of this guide for details about Enabling non FIPS encryption algorithm on NetVault Clients version 13.0.1 and 13.0.2.
5
To apply the new settings and close the dialog box, click Apply.
 
* 
NOTE: An encrypted backup performed by a plug-in can be restored to either its original location or to a new target machine. In either event, the plug-in must be installed on the target machine and it must be configured as it was when the backup was performed — using the same Encryption Key String and Encryption Algorithm.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating