NetBackup 7.1 Deduplication with Encryption

Created: 04 Jun 2012 • Updated: 05 Jun 2012 | 3 comments

Hi all,

  I was going through the NetBackup documentation on deduplication for 7.1 (Netbackup_Dedupe_Guide.pdf) and I'm looking for the behavior of encrypted data going from the deduplication pool to tape.  According to the documentation:

The following is the behavior for the encryption that occurs during the deduplication process:
■ If you enable encryption on a client that deduplicates its own data, the client encrypts the data before it sends it to the storage server. The data remains encrypted on the storage.
Data also is transferred from the client over a Secure Sockets Layer to the server regardless of whether or not the data is encrypted. Therefore, data transfer from the clients that do not deduplicate their own data is also
■ If you enable encryption on a load balancing server, the load balancing server encrypts the data. It remains encrypted on storage.
■ If you enable encryption on the storage server, the storage server encrypts the data. It remains encrypted on storage. If the data is already encrypted, the storage server does not encrypt it.

Now, it sounds like if I encrypt before going to the deduplication pool, I will have encrypted data if I duplicate that image onto tape (either via SLP or Vault).  However, if I enable encryption on the storage server, it says that the storage server encrypts the data and it "remains encrypted on the storage."  But what happens if I copy the data to tape via SLP or a Vault?  Will it remain encrypted?  I want to ensure that my offsite tapes will be encrypted.

cbode

I would expect your MSDP to unencrypt it as it creates the tape copy, requiring you to use MSEO.  You can validate how it behaves by creating a tape and then trying to import it into another NBU domain with no knowledge of the MSDP or KMS of the originating domain.

Yasuhisa Ishikawa

The encryption detailed in this guide, called "Deduplication Encryption", is processed in the Deduplication plug-in (PureDisk plug-in). This type of encryption is kept in the PureDisk world only, and you cannot bring this data outside.

When duplication to outside is configured, duplicated data must be unencrypted inline. If you want to keep it encrypted, you must configure encryption for the destination using KMS or MSEO. In this scenario, data in MSDP is unencrypted at read, and encrypted using KMS or MSEO at write.

Authorized Symantec Consultant(ASC) Data Protection in Tokyo, Japan