Chat now with support
Chat with Support

NetVault 13.0 - Built-in Plug-ins User Guide

Using Plug-in for Encryption

Using Plug‑in for Encryption
About Plug-in for Encryption
Encryption strategy overview
Configuring default settings
Encrypting all backups
Performing job-level encryption

About Plug-in for Encryption

About Plug-in for Encryption

NetVault offers three encryption options:
CAST-128: CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key size of between 40 to 128 bits, but only in 8-bit increments.
CAST-256: CAST-256 uses the same elements as CAST-128, but it is adapted for a block size of 128 bits — twice the size of its 64-bit predecessor. Acceptable key sizes are 128, 160, 192, 224 and 256 bits. CAST-256 is composed of 48 rounds, sometimes described as 12 “quad-rounds”, arranged in a generalized Feistel network.
AES-256: Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. The standard consists of three block ciphers, AES-128, AES-192, and AES-256. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively.
 
* 
NOTE: The CAST-128 and CAST-256 encryption algorithms do not comply with the requirements of the United States Federal Information Processing Standard (FIPS). These algorithms are provided for the restoration of legacy data. For FIPS compliance, use the AES-256 algorithm.

These options encrypt and transfer data across the network to the backup device, where the data remains encrypted until restored to the client. If encryption is only required for secondary storage, job-level encryption offers the choice of encrypting only the secondary copy while the primary backup remains unencrypted to shrink the backup window. When using disk-based storage devices, job‑level deduplication allows you to separate deduplicated from nondeduplicated unencrypted data for optimal deduplication ratios and performance.

For a list of NetVault Plug-ins that are incompatible with the Plug‑in for Encryption, see the respective release notes.

Encryption strategy overview

When defining an encryption strategy, you must determine the following:
Which backups are encrypted.
Which encryption algorithm is required.
Whether encryption is required for primary backups or secondary backups.
Whether encryption is enabled for all backups or on a per-job basis.

Selecting which backups to encrypt

NetVault performs software-based encryption. The backup stream is encrypted using the selected algorithm by the NetVault Server or Client for which the plug-in is enabled. The encrypted data stream is transferred over the network to the backup device where it remains encrypted. During restore, the encrypted backup is transferred from the backup device to the targeted NetVault Client, where the plug-in completes the decryption.

Figure 1. Encrypted backup and restore path

The backup encryption and decryption processes are performed by the plug-in on the NetVault Server or Client. These processes use resources on the machine. The encryption process lengthens the time it takes to perform backups, while the decryption process lengthens the time it takes to perform restores. The impact to the performance of the client, backup window, and restore time should be considered when deciding which backups must be encrypted. In summary, backups should only be encrypted when security requirements outweigh the impact to performance, backup windows, and restore times.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating