Backup Exec 2010 R3 - Encryption advice/queries/questions

Created: 04 Jun 2013 | 3 comments

Hi, I have some questions/queries around using encryption & how it ties in with the data backed up to tape by a particular server.

Our backup server is a Windows 2008R2 Server running BE 2010 R3, tape hardware is a Dell LTO4 autoloader.

We back up VMware VMs, and also data held on Windows servers using RAWS & ADBO. ALL data is pre-staged to disk prior to being backed up to tape.

All ‘jobs’ are based on a policy from which the actual backup job takes its settings.

Q: Am I able to encrypt only selected backup jobs by way of a tick box, or will I need to create a new policy & use this to ‘select’ encrypted B2T jobs? Or is it that if encryption is enabled it’s an all or nothing, i.e. you use it or you don’t?

Q: Some of our jobs use hardware compression (when backing up to tape), is it advisable to use this at all?

Q: Has anyone had any experiences with either hardware encryption or software encryption? I’m aware that hardware uses the tape drive (being that we have LTO4, I believe this is ok!?) & software uses the ‘server’ or client, but has anyone had specific problems, or used either option over the other?

Q: How much overhead does encryption put onto a backup? Is it possible to quantify this in a rough %’age?

Q: If I were to restore data from a tape backup that was encrypted, would I need to put in my password each time, or is it that the server in question ‘knows’ the tapes and allows the restore to take place?

Q: If I were to restore from another server (Same OS/BE version) am I able to restore by inputting a password, or do I need to install the encryption key on the server? Is it possible to export / import keys to other servers of the same software?

If this is all covered by a KB or a guide, please accept my apologies & point me in the right direction if you could. Or if anyone has any good information about using encryption, I’d be very grateful if you could share it.

Thanks in advance.


pkh

To use encryption, you need to go to Tools ---> Options ---> Network and Security to create the encryption key.  You can create as many encryption keys as you like.

To use encryption in your job, click on Network and Security and you would be able to select one of the encryption keys that you have created previously.  You can also select hardware or software encryption.  These selections are done on a job level.  If you are using a policy, these encryption options are available on a template level.

Encryption will definitely slow down the job.  Using hardware encryption will help a bit.

When you restore encrypted data, you can either create the key with the correct passphrase in the media server before doing the restore or just do the restore and BE will prompt you for the passphrase.  You cannot export/import encryption keys, but you can create them if you remember the passphrase.  If you lose the passphrase, there is no way to recover the encryption key and thus your encrypted data will be inaccessible.

VJware

Regarding ~ Q: Some of our jobs use hardware compression (when backing up to tape), is it advisable to use this at all?

I would prefer software compression with encryption rather than hardware compression. However, compression + encryption will def slow down the job.

Verbatim from HOWTO73389

Symantec recommends that you avoid using hardware compression with software encryption. Hardware compression is performed after encryption. Data becomes randomized during the encryption process. Compression does not work effectively on data that is randomized.

Regarding ~ Q: If I were to restore data from a tape backup that was encrypted, would I need to put in my password each time, or is that the server in question ‘knows’ the tapes and allows the restore to take place?

If the key is specified as "restricted", then you would need to enter the passphrase during the restore. Else, if the key is specified as "common", then anyone on that media server can restore the data without inputting the passphrase.
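
The ordering point in the HOWTO73389 text quoted above, as an added example that is not part of the original thread and not Symantec's code: it measures the stored size when data is compressed before encryption versus after it. Assumptions: `zlib` stands in for the tape drive's hardware compression, `keystream_encrypt` is a hypothetical stand-in cipher (not AES and not what Backup Exec or an LTO-4 drive uses), and `SAMPLE` is constructed data.

```python
import hashlib
import os
import zlib


def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR the data with a SHA-256 counter-mode keystream.

    Illustration only. It is here because its output looks random, which is
    the property of encrypted data that defeats a later compression stage.
    Applying it twice with the same key and nonce returns the input.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def compare_orderings(plaintext: bytes, key: bytes, nonce: bytes) -> dict:
    """Return the stored size in bytes for both orderings of the two stages."""
    # Both stages in the same place: compression sees the plaintext.
    compress_then_encrypt = keystream_encrypt(key, nonce, zlib.compress(plaintext, 6))
    # Software encryption followed by drive compression: compression sees ciphertext.
    encrypt_then_compress = zlib.compress(keystream_encrypt(key, nonce, plaintext), 6)
    return {
        "original": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


# Constructed sample: repetitive, log-like data that normally compresses well.
SAMPLE = b"".join(
    b"2013-06-04 02:%02d:%02d backup job OK server=FS%02d\n" % (i // 60 % 60, i % 60, i % 7)
    for i in range(20000)
)

if __name__ == "__main__":
    sizes = compare_orderings(SAMPLE, key=os.urandom(32), nonce=os.urandom(12))
    for name, size in sizes.items():
        print(f"{name:24s}{size:>10d} bytes  ({size / sizes['original']:.1%})")
```

On data like this the compress-then-encrypt size is a small fraction of the original, while the encrypt-then-compress size is no smaller than the original.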

pkh

If you want both compression and encryption, you should either do both software encryption and compression or both hardware encryption and compression.  Do not use software compression and hardware encryption or the other way round.

I normally use hardware compression and encryption and found that hardware encryption with or without compression takes about the same time.

Hardware compression and encryption is preferred over software because the encryption and compression is done by the tape drive, saving machine cycles on the media server.