How to configure NetBackup Client Encryption Option

Article:TECH72130  |  Created: 2009-01-06  |  Updated: 2013-11-07  |  Article URL http://www.symantec.com/docs/TECH72130
Article Type
Technical Solution


Environment

Issue



The NetBackup client encryption option is best for the following:

- Clients that can handle the CPU burden for compression / encryption

- Clients that want to retain control of the data encryption keys

- Situations where the tightest integration of NetBackup and encryption is

desired

- Situations where encryption is needed in terms of a per client basis


Solution



Follow steps below to configure Netbackup client encryption option and steps to verify if Netbackup client encryption is already enabled :-
 
1.  Push the encryption binaries to the client using the following command on the master:
Windows:
 
Note : By default Windows machines have Netbackup Client Encryption binaries installed.

Unix (The encryption binaries must already be installed on the master server):
/usr/openv/netbackup/bin/bpinst -ENCRYPTION <client name>
 
 
Note: Starting with NetBackup 7.0, the encryption binaries are automatically installed on the Unix/Linux clients.

Note :It is required to have the client running the same version of NetBackup as the master server.  It is also recommended to have them patched to the same level.
 
2. Install the license keys for encryption on the master server.

3. Create an encryption key file on the client by running the following command on the client (or on the master server with the -client option):
Windows:
 
<install_path>\NetBackup\bin\bpkeyutil -client <client name>

Unix:
/usr/openv/netbackup/bin/bpkeyutil -client <client name>
-- To do this, cd into /usr/openv/netbackup/bin
-- Then run ./bpkeyutil -client <client name>

Enter new NetBackup passphrase: **********
Re-enter new NetBackup passphrase: **********


Caution:  It is important that you remember the pass phrases, including the old pass phrases.  If a client's key file is damaged or lost, you need all of the previous pass phrases in order to recreate the key file.  Without the key file, you will be unable to restore files that were encrypted with the pass phrases.

4. Verify the following files are on the client:
Windows:
<install_path>\netbackup\share\version_crypt.txt
<install_path>\Veritas\netbackup\share\ciphers.txt
<install_path>\Veritas\netbackup\bin\bpkeyutil
<install_path>\Veritas\netbackup\var\keyfile.dat  
(this file is created by the bpkeyutil command)

Unix:
/usr/openv/share/version_crypt
/usr/openv/share/ciphers.txt
/usr/openv/netbackup/bin/bpkeyutil
/usr/openv/var/keyfile.dat 
 (this file is created by the bpkeyutil command)

5. On Netbackup administration console In the policy under the Attributes tab there is a selection for Encryption that determines if the backup will be encrypted. Check the check box.

6) In the NetBackup Administration Console, Expand NetBackup Management > Host Properties > Clients, double click to launch client properties window. Click on  "Encryption" and Configure this client to be enabled for encryption.



Legacy ID



327475


Article URL http://www.symantec.com/docs/TECH72130


Terms of use for this information are found in Legal Notices