Chat now with support
Chat with Support

NetVault 13.0.1 - Built-in Plug-ins User Guide

Selecting the encryption algorithm

NetVault provides multiple algorithms that can be used to encrypt and decrypt backups. While each NetVault Client can use a different encryption algorithm, all backups from a particular client must use the same algorithm.

The same encryption algorithm that was used during backup must be used during restores. It is possible to use a different algorithm from this point forward than was previously used. However, when restoring backups that used the previous algorithm, the NetVault Server or Client must be configured to specify the algorithm used by the backup to restore data successfully. For example, if previous backups used the CAST-128 algorithm while current backups are using the AES-256 algorithm, the plug-in must be configured on the server or client to use the CAST-128 algorithm when restoring a backup that was taken using that algorithm; otherwise, restore fails.

Encrypting primary or secondary backups

A backup job consists of one or optionally two phases — Primary Backup and Secondary Copy. The primary backup is the backup of data stream to the selected backup device. These backups are performed to local storage devices to enable faster restores. The Secondary Copy is a Duplicate or Data Copy of the primary backup to a different backup device. These backups are targeted to remote disk-based storage devices or physical tape libraries whose tapes are stored offsite for disaster recovery purposes.

Your security requirements dictate whether you require encryption for both the primary backups and the secondary copies. For example, if the security requirements dictate that only the backups that leave the corporate network require encryption (such as those backups stored on physical tapes in a remote location), encrypt the secondary copy backups that target the physical tape libraries. However, if the security requirements dictate that data must be encrypted while it transfers across the network or while it is stored on a disk-based backup device — even if the disk-based backup device is located within the corporate network — encrypt both the primary backup and secondary copy.

Encrypted data does not deduplicate well. Therefore, encrypting only the secondary copy backup is beneficial when the primary backups are performed to storage devices that support deduplication. This approach lets you take advantage of both encryption and deduplication by deduplicating the primary backup and encrypting the secondary copy.

Encrypting all or specific backups

The Plug‑in for Encryption lets you enable encryption for all backups on the NetVault Server or Client where a plug-in is installed, or enable encryption only for specific jobs. Encryption can also be enabled only for the primary backup or the secondary copies. This approach lets you take advantage of both encryption and deduplication. For example, you can deduplicate the primary backup and encrypt the secondary copy.

The job-level encryption option can be used in the following situations:

The NetVault Server and Client should only be configured to encrypt all its backups in the following situations:

Configuring default settings

On the Configuration page, click Server or Client Settings, as applicable.
Under Plugins, click Encryption.

Encrypt ALL Backups on this Client

After the Plug‑in for Encryption is automatically installed with NetVault on a client, you can do either of the following:

To enable encryption for all backups, select this check box. When you enable encryption for all backups, you cannot change the setting on a per-job basis.

For more information about enabling encryption for specific backups, see Performing job-level encryption.

Encryption Key String

Type the string that serves as the encryption key for the NetVault machine.

Different platforms allow varying characters and password lengths. Quest recommends that you use passwords of 32 characters or less. You can use characters from the following set: “A–Z”, “a–z”, “0–9”, and “_”. Key strings that do not conform to these specifications may work on one platform but may be invalid in another environment.


Re-type the encryption string here to confirm that it is correct.

Available Encryption Algorithms

Select the encryption algorithm that you want to use for backups and restores. The list includes the following options: AES-256, CAST-128, and CAST-256.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating