How to determine if a NetBackup client is performing encrypted backups after setting the Encryption attribute in NetBackup policies.

Article:TECH150643  |  Created: 2011-01-28  |  Updated: 2011-08-16  |  Article URL http://www.symantec.com/docs/TECH150643
Article Type
Technical Solution

Problem




Environment



NetBackup 6.x
NetBackup 7.x

A brief overview of the Encryption feature of NetBackup

  • The Encryption attribute determines whether the backup should be encrypted.
  • When the server initiates the backup, it passes the Encryption policy attribute to the client in the backup request.
  • The client compares the Encryption policy attribute to the Encryption host properties for the client.
  • If the encryption permissions for the client are set to REQUIRED or ALLOWED, the policy can encrypt the backups for that client.
  • The encryption of data is always done by the remote client that you are backing up.
  • The NetBackup client is capable of performing encrypted backups, but this feature needs to be activated from the Master server.
  • Once encryption is enabled (from the Master), the Remote server receives a file called Keyfile.dat, which is stored locally on that client.
  • During backup, the encrypted data travels over the network and is written to disk or tape.
  • During restore, the presence of Keyfile.dat (on the client) determines whether the restore will happen or not.

 


Solution




Method 1:
Create a test policy and back up a small folder on the client that has been configured to perform encrypted backups.
Verify that the backup completes successfully.
Rename Keyfile.dat within the C:\Program Files\VERITAS\NetBackup\var folder.
Try to restore the folder that was backed up earlier.
The job fails with a generic error:

 
(66.001) INF - TAR PARTIALLY RESTORED 0 FILES
(66.001) Status of restore from image created 2/23/2009 7:43:07 PM = file read failed
(66.xxx) INF - Status = the restore failed to recover the requested files.


However, the tar log has the details:

An Exception of type [Symantec::NetBackup::Ncf::InvalidStateException] was thrown. Details about the exception follow...:
Error code  = (-1006).
Src file    = (Encryptor.cpp).
Src Line    = (785).
Description = (Errors in initialisation stage).

 [624.4592] <4> tar_base::V_vTarMsgW: INF - tar message received from tar_restore_tfi::processException
 [624.4592] <2> tar_base::V_vTarMsgW: FTL - tar file read error
 [624.4592] <2> tar_base::backup_finish: TAR - restore:                     0 files


Method 2:
Capture the verbose logs of the bpbkar and bpfilter processes on the client during a backup.
The log files should have entries specific to encryption.

The bpbkar log will have these entries for each file that is backed up:

<4> PackerTAR::startObject(): INF - Data Encryption is turned ON.
<4> PackerTAR::writeEncryptionInfo(): INF - Encryption Type ID = (0)


Method 3:
The header files within the catalogs (those without the .f extension) should have the "Encryption" value set to 1 or 2 (the default is 0).
For example:

ENCRYPTION 2
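
The Method 3 check can be scripted so that every image header under a catalog directory is reviewed at once. This is an added example, not Symantec's code: it assumes header files are plain text with whitespace-separated key/value lines as in the ENCRYPTION 2 example above, takes the catalog directory as a command-line argument, and uses constructed sample files and names for its demo.

```python
import os
import sys
import tempfile

def encryption_value(header_path):
    """Return the integer after the ENCRYPTION key, or None if missing or malformed."""
    with open(header_path, "r", errors="replace") as fh:
        for line in fh:
            parts = line.split()
            if len(parts) == 2 and parts[0] == "ENCRYPTION":
                return int(parts[1]) if parts[1].isdecimal() else None
    return None

def audit_catalog(root):
    """Map every header file under root (names not ending in .f) to a verdict."""
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".f"):  # .f files are not headers; skip them
                continue
            path = os.path.join(dirpath, name)
            value = encryption_value(path)
            if value in (1, 2):
                verdict = "encrypted"
            elif value == 0:
                verdict = "not encrypted"
            else:
                verdict = "unknown"  # key absent or unexpected value: review by hand
            verdicts[os.path.relpath(path, root).replace(os.sep, "/")] = verdict
    return verdicts

def demo():
    """Run the audit over a constructed catalog tree (all names and contents are made up)."""
    samples = {
        "img_enc": "SAMPLE_KEY 1\nENCRYPTION 2\n",
        "img_plain": "SAMPLE_KEY 1\nENCRYPTION 0\n",
        "img_nokey": "SAMPLE_KEY 1\n",
        "img_enc.f": "not a header file\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "client01"))
        for name, body in samples.items():
            with open(os.path.join(root, "client01", name), "w") as fh:
                fh.write(body)
        return audit_catalog(root)

if __name__ == "__main__":
    report = audit_catalog(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for header, verdict in sorted(report.items()):
        print(f"{verdict:14} {header}")
```

Headers reported as "unknown" carry no usable ENCRYPTION line and should be checked by hand rather than assumed to be at the default.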
 


