Chat now with support
Chat with Support

NetVault Plug-in for Standard Encryption 11.4 - User Guide

Encrypting primary or secondary backups

A backup job consists of one or optionally two phases — Primary Backup and Secondary Copy. The primary backup is the backup of data stream to the selected backup device. These backups are performed to local storage devices to enable faster restores. The Secondary Copy is a Duplicate or Data Copy of the primary backup to a different backup device. These backups are targeted to remote disk-based storage devices or physical tape libraries whose tapes are stored offsite for disaster recovery purposes.

Your security requirements dictate whether you require encryption for both the primary backups and the secondary copies. For example, if the security requirements dictate that only the backups that leave the corporate network require encryption (such as those backups stored on physical tapes in a remote location), encrypt the secondary copy backups that target the physical tape libraries. However, if the security requirements dictate that data must be encrypted while it transfers across the network or while it is stored on a disk-based backup device — even if the disk-based backup device is located within the corporate network — encrypt both the primary backup and secondary copy.

Encrypted data does not deduplicate well. Therefore, encrypting only the secondary copy backup is beneficial when the primary backups are performed to storage devices that support deduplication. This approach lets you take advantage of both encryption and deduplication by deduplicating the primary backup and encrypting the secondary copy.

Figure 2. Unencrypted primary backups and encrypted secondary copy backups

Encrypting all or specific backups

After the Plug‑in for Standard Encryption or Plug‑in for Advanced Encryption is installed, you can enable encryption for all backups on the NetVault Backup Server or Client where the plug-in is installed, or enable encryption only for specific jobs. Encryption can also be enabled only for the primary backup or the secondary copies. This approach lets you take advantage of both encryption and deduplication. For example, you can deduplicate the primary backup and encrypt the secondary copy.

The job-level encryption option can be used in the following situations:
When any plug-in installed on the server or client is incompatible with the Plug‑in for Standard Encryption or Plug‑in for Advanced Encryption.
Only specific backups on the server or client require encryption.
Primary backups do not require encryption while secondary backups for offsite protection require encryption.
Primary backups are targeted to storage devices that support deduplication.

The NetVault Backup Server and Client should only be configured to encrypt all its backups in the following situations:
All plug-ins installed on the server or client are compatible with the Plug‑in for Standard Encryption or Plug‑in for Advanced Encryption.
All backups from the server or client require encryption.
Both primary and secondary backups require encryption.
Backups are not selected for deduplication.

Installing the plug-in
Deployment overview
Installing the plug-in
Removing the plug-in

Deployment overview

Figure 3. Deployment overview

The Plug‑in for Standard Encryption or Plug‑in for Advanced Encryption must be installed on all NetVault Backup clients on which the backups should be encrypted. For each client, you must obtain a separate permanent license key. The server and clients can be configured to use different encryption algorithms, except when using the server or client to create encrypted secondary copies.

For example, if a client is configured to use the AES-256 algorithm, and the server is used to create the encrypted secondary copy, the server must also be configured to use the AES-256 algorithm to ensure that the secondary copy backups can be restored by the client.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating