Video Screencast Help
Scheduled Maintenance: Symantec Connect is scheduled to be down Saturday, April 19 from 10am to 2pm Pacific Standard Time (GMT: 5pm to 9pm) for server migration and upgrades.
Please accept our apologies in advance for any inconvenience this might cause.

tape only encryption for duplicate to tape jobs

Created: 02 Oct 2012 | 4 comments
KG99's picture
2 Agree
0 Disagree
+2 2 Votes
Login to vote

I would like to see the function available to only do encryption on tapes. My understanding from tech support is that to encrypt a duplicate to tape job I must first enable encryption on the deduplication store. The data gets encrypted when backed up to the dedupe store and then the duplicate to tape backs up the encrypted data to tape. I don't need the extra headaches associated with encryption when backing up to disk. I don't need the data encrypted on the dedupe store. I only need the data encrypted on the tape. I don't want to do backups directly to tape.

My understanding is that this was available functionality in 2010 and was lost during the 2012 rewrite.

Idea Filed Under:

Comments 4 CommentsJump to latest comment

CraigV's picture

...if this was lost during the BE 2012 rewrite, and is valid, with enough votes it might actually be considered.

The BE 2012 R2 Beta should be starting so you might also want to hop on that!


Alternative ways to access Backup Exec Technical Support:

Login to vote
KG99's picture

We do D2D2T backups.  The Duplicate to Tape job was the only job that we encrypted.  Tapes that were encrypted before I upgraded to 2012 I can restore data from just fine.  Encrypted Tapes that have been created since the upgrade cannot be restored from.  A message pops up stating that the encryption key is no longer on the system (encryption keys have not changed).  Contacted symantec tech support and was told

For a backup to a backup folder:

"In order to run a duplicate to tape with encryption you have to use software encryption within Backup Exec when backing up to the disk, and then you have to use the hardware encryption that is offered by your tape device." "This is how it always how we have suggested it, but 2012 is where we actually started to require this configuration."

For a backup to a deduplication folder:

"The only option for encryption in that scenario is to enable hardware encryption on the deduplication folder or device.  Here is a tech note that briefly explains the process:"

Login to vote
Colin Weaver's picture

Hmm I am wonderring if a miscommunication has occured with the Technical Support person you worked with. As far as I am aware if you do not need to encrypt the disk phase of your D2D2T process you don't have to even if you do want to encrypt the tape phase. This is independent of whether the disk phase is to B2D or DeDup. As such I am wondering if the technician you spoke to thought you wanted all phases to be encrypted.

With regards the problem where tapes encrypted with 2012 cannot be restored from but tapes created with 2010 can be, if you do not have a support case for this already then get one logged and then see if you can get it escalated to a more senior level for review.

One thing I would suggest is do a one off test with a tape you can overwrite, go straight to tape (not a D2D2T scenario) and use a completely different encryption key (so setup a test key using a different passphrase) and test a backup and restore with that.

If you are still running a key that existed before you upgraded I am wondering if something has corrupted the key within the system during the upgrade.

Login to vote
KG99's picture

My case is still open.  I'll ask him again, but I've tried to clarify it more than once and he is adamant that you have to encrypt to disk before the duplicate to tape.

Login to vote