I never heard of it. hardware license sounds like an oxymoron.

hardware compression come from the library/drives so can't think why NBU licencse would be required for it

The hardware is outside of NetBackup. How would Netbackup even know if the device was compressing the data? Now humans are intelligent beings (well some are) and we can tell if the data was compresed or not.

 you still need a "key" of some sorts to encrypt-decrypt it.

what is this key ?

/usr/openv/netbackup/keyfile

We have IBM LT04 tape drives and a server known as "Encryption key manager" that is the keeper of the keys. The NetBackup pool number enables/disables encryption and also provides which key is used all based from the volume pool number. We have a volume pool for each customer and thus a different key is used for each customer.

http://www-03.ibm.com/systems/storage/solutions/data_encryption/index.html

 http://www.streetdirectory.com/travel_guide/116538/security/ultrium_lto4_backup_tape_drive_encryption.html

 so how or where is the key stashed?

I got a spiltin headache from this cr*p

Ther key is on the Encryption Key Manager server.

 so stump

lets say i encrypt the tape at site 1 and then move the tape to site 2 and try to read the tape, what do I need to read this tape at site 2, I would suspect a key, but where is this key stashed, veritas or the server that is loading the tape into the tape drive must know about the key.

 keymaster

http://www.blisterdirect.com/products/official/images/big/167a4-big.jpg

The key will need to be sent to the secondary site from the originating Encryption Key Manager server to the secondary site Encryption Key Manager server. It can be sent via ftp, rsync, flash drive, whatever.

Keep in mind Jim that I am talking about the solution that I am familiar with which is IBM.

What would be a unique file to serach for on the key server.  Not sure what server here has it installed on.

 another question

we have 4 lto4's in one 000_0000_TLD and 12 LTo2 in the other 00_000_TLD if i upgrade from 6.5.2.to 6.5.3.1 will i run into any snags with licensing volume groups?

 ftp://exftpp.symantec.com/pub/support/products/NetBackup_Enterprise_Server/302438.pdf

yeah here i found it stump

We do not use the master server for key generation and management. We have been encrypting with IBM for over a rear and a half, way before this version of Netbackup became available. I'm surprised that no one else chirpped in to this thread,

raised their hand and said, "I know! I know! Call on me!"

 I should have named this "hardware Encryption with LTO4"

Stump

We are useing this and it works fine.  I just could not figure out how the last admin did it and now I know.

Currently its free, but I dont think its free for long if you know what I mean, I curious if you need a key now.

Now

I have to upgrade from 6.5.2 to 6.5.3.1 and I was curiuos if the upgrade will brake the KMS crap in Netbackup.

Here is a sweet video to watch concerning encryption

https://www-secure.symantec.com/connect/videos/encryption-options-netbackup

IBM have now replaced or superseded EKM (Encryption Key Manager - Free) with TKLM - "Tivoli Key Lifecycle Manager" (surprise surprise, not free, aparently to be charged somehow per TB of data) - http://www-01.ibm.com/software/tivoli/support/key-lifecycle-mgr/

IBM say that EKM is still and will be supported but they do strongly recommend TKLM against EKM due to advanced functionality + a GUI !!  (could this translate to them saying "time for us to make some more money out of this" ? )  
I am not sure when this TKLM was introduced, but it was pretty recently and there aint a great deal of documentation out there ..... I have found this is generally true for ANY tape encryption methods/products, including NetBackup which has the single document  ftp://exftpp.symantec.com/pub/support/products/NetBackup_Enterprise_Server/305408.pdf

You would think that for such a complex and critical component, they would write a little more detail.

I am in the trilema of using KMS, EKM or TKLM ... and would appreciate any input around the three.

In addition I dont have LTO4 drives but IBM TS1120. According to - http://eval.symantec.com/mktginfo/enterprise/other_resources/b-whats_new_in_nbu_6.5.2_and6.5.3_faq_06-2008.en-us.pdf - these are supported but all of the other documentation refers to LTO4 drives only. I will hopefully be speaking soon with a Symantec Encryption guru to clarify this and many other issues I have around encryption.  

We are on 6.5.3.1 and use encryption, but it's not done by the master server.  We are using the client based encryption, but the keys are generated and stored at the master server as well...  No extra license was required to do this.  Looking at the license list in our Master server shows that it is part of the base Netbackup license...