How to create, replace or delete an Encryption Key in Backup Exec 11d and above

Article:TECH49603  |  Created: 2010-01-10  |  Updated: 2014-05-08  |  Article URL http://www.symantec.com/docs/TECH49603
Article Type
Technical Solution



Issue



How to create, replace or delete an Encryption Key in Backup Exec 11d and above


Solution



Backup Exec provides the ability to encrypt data with encryption keys. When the data on a tape is encrypted, you protect it from unauthorized access. Backup Exec can encrypt data at a computer that uses the Remote Agent, and then transfer the encrypted data to the media server. Backup Exec then writes the encrypted data on a set-by-set basis to tape or to a backup-to-disk folder. When Backup Exec is installed, the installation program installs the necessary encryption software on the media server and on remote computers that use the Remote Agent.

Backup Exec encrypts the following types of data:

- User data, such as files and Microsoft Exchange databases.
- Metadata, such as file names, attributes, and operating system information.
- On-tape catalog file and directory information.

Backup Exec does not encrypt Backup Exec metadata or on-disk catalog file and directory information.

A Backup Exec administrator can set a default encryption key to use for all backup jobs, templates, and duplicate backup set jobs. However, it is possible to override the default key for a specific job. Administrators can also use encryption in policies when they create Backup templates or Duplicate Backup Set templates. When administrators create a Duplicate Backup Set template or a duplicate backup sets job, backup sets that are already encrypted are not re-encrypted. However, any unencrypted backup sets can be encrypted.

To create an encryption key, perform the following steps.

1. On the Tools menu, click Encryption Keys.

2. Click New (figure 1).

Figure 1.
 

3. Complete the appropriate options as follows:

Key name:- Type a unique name for this key. The name can include up to 256 characters.

Encryption type:-  Select the encryption type to use for this key. Your choices are 128-bit AES or 256-bit AES.
The default type is 256-bit AES. The 256-bit AES encryption provides a stronger level of security than 128-bit AES encryption. However, backup jobs may process more slowly with 256-bit AES encryption than with 128-bit AES encryption.

Pass phrase:- Type a pass phrase for this key. For 128-bit AES encryption, the pass phrase must be at least eight characters. For 256-bit AES encryption, the pass phrase must be at least 16 characters.
Note:- Symantec recommends that you use more than the minimum number of characters. You can use only printable ASCII characters.
Confirm pass phrase:- Retype the pass phrase.

Common:- Select this option to make this a common key. If a key is common, anyone can use the key to back up and restore data.

Restricted:- Select this option to make this a restricted key. If a key is restricted, anyone can use the key to back up data, but only the key owner or a user who knows the pass phrase can use the key to restore the encrypted data.

4. Click OK. (Figure 2)

Figure 2.
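
The pass phrase rules in step 3, checked in code together with the best-case strength of a pass phrase at the minimum length. This is an added example, not Symantec's code and not part of the original article. It assumes "printable ASCII" means the 95 characters 0x20 through 0x7E; the function names are hypothetical, and the entropy figure is an upper bound that holds only if every character is chosen uniformly at random.

```python
import math
import string

# Rules taken from the article: minimum pass phrase length per encryption
# type, printable ASCII only, key name up to 256 characters.
MIN_LENGTH = {"128-bit AES": 8, "256-bit AES": 16}
KEY_BITS = {"128-bit AES": 128, "256-bit AES": 256}
MAX_KEY_NAME = 256

# Assumption: "printable ASCII" is the 95 characters 0x20-0x7E.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")
BITS_PER_CHAR = math.log2(len(PRINTABLE))  # about 6.57 bits per character


def check_key_request(key_name, encryption_type, pass_phrase):
    """Return a list of rule violations; an empty list means acceptable."""
    if encryption_type not in MIN_LENGTH:
        return [f"unknown encryption type: {encryption_type!r}"]
    problems = []
    if len(key_name) > MAX_KEY_NAME:
        problems.append("key name is longer than 256 characters")
    minimum = MIN_LENGTH[encryption_type]
    if len(pass_phrase) < minimum:
        problems.append(f"pass phrase must be at least {minimum} characters")
    bad = sorted({c for c in pass_phrase if c not in PRINTABLE})
    if bad:
        problems.append(f"pass phrase has characters outside printable ASCII: {bad}")
    return problems


def entropy_upper_bound(pass_phrase):
    """Best-case entropy in bits (uniformly random printable characters)."""
    return len(pass_phrase) * BITS_PER_CHAR


def chars_to_match_key(encryption_type):
    """Random printable characters needed to reach the key's nominal size."""
    return math.ceil(KEY_BITS[encryption_type] / BITS_PER_CHAR)


if __name__ == "__main__":
    # Constructed sample input, not taken from a real Backup Exec server.
    print(check_key_request("Offsite-Tapes", "256-bit AES", "short-phrase"))
    for enc, minimum in MIN_LENGTH.items():
        bound = entropy_upper_bound("x" * minimum)
        print(f"{enc}: minimum length gives at most {bound:.1f} bits; "
              f"{chars_to_match_key(enc)} random characters match the key size")
```

A pass phrase at the minimum length carries far fewer bits than the AES key it protects, which is the practical reason behind the recommendation to use more than the minimum number of characters.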
 
 
Replacing an encryption key:
You can replace one encryption key with another for all backup jobs, templates, and duplicate backup set jobs. To replace an encryption key, perform the following steps.
1. On the Tools menu, click Encryption Keys.
2. Select the key that you want to replace. (Figure 3)

Figure 3.
 
3. Click Replace. (Figure 4)

Figure 4.
 
4. In the Select an encryption key to replace "key name" box, do one of the following:
- To use an existing key, select the key from the list.
- To create a new key, click the arrow, and then click <new encryption key>.
5. Click OK.
 
Deleting an encryption key:-
You should be cautious when you delete encryption keys. When you delete an encryption key, you cannot restore the backup sets that you encrypted with that key unless you create a new key that uses the same encryption key and pass phrase as the original key.
You can delete encryption keys if:
1) The encrypted data on the tape has expired or if the tape is retired.
2) The encryption key is not the default key.
3) The encryption key is not being used in a job or a template. If the key is being used, you must select a new key for the job or template.
4) The encryption key is not being used in a selection list for restore jobs and for verify duplicate backup set jobs. If a key is deleted that is being used in one of the listed job types, the selection list can no longer be used.
If an encryption key is deleted that is being used in a scheduled restore job, the key cannot be replaced. Therefore, any scheduled restore job in which an encryption key is deleted fails. To delete an encryption key, perform the following steps.
1. On the Tools menu, click Encryption Keys.
2. Select the key to delete.
3. Click Delete. (Figure 5)

Figure 5.
 
4. Click Yes. (Figure 6)

Figure 6.
 
5. If the key is used in a job or template, do the following:
- In the Select an encryption key to replace "key name" box, select the new key for the jobs or templates listed.
- Click OK.
Before the default encryption key can be replaced, it is necessary to remove the default status of that encryption key.
When you remove the default status from an encryption key, you must manually select an encryption key for new backup jobs, templates, and duplicate backup set jobs. However, default encryption keys remain in place for existing jobs that have been configured to use encryption.
To remove the default status from an encryption key, perform the following steps.
1. On the Tools menu, click Encryption Keys.
2. Select the default key from the list. (Figure 7)

Figure 7.
 
3. Click Clear Default.
4. Click OK.
 
The Encryption Key Management window will now show the newly created encryption key.



Legacy ID



285881

