Granular Recovery Technology (GRT) or NDMP resource backups do not encrypt even though software encryption is selected when backup destination is a disk storage.

Problem
 

Granular Recovery Technology (GRT) or NDMP resource backups do not encrypt even though software encryption is selected when backup destination is a disk storage not capable of encrypting.
 

Error Messages
 

GRT and NDMP backup encryption unsupported for one or more Stages. Encryption of GRT and NDMP backups.
It is recommended to use storages that support encryption for Granular Recovery Technology(GRT) enabled backup and NDMP based backup jobs.
You can edit the storage settings or save the job without any changes.
Refer the following technote for more information  about encryption of GRT and NDMP backups (100013045)

Cause
 

GRT-enabled or NDMP resource backup jobs to disk-based storage (not capable of encrypting) are not encrypted by design.

1. When software encryption is enabled, the encrypted backup stream is generated by Backup Exec remote agent. With NDMP option, because the backup stream is generated by NAS devices which support NDMP feature, the stream cannot be encrypted with software level.

2. GRT-enable backup jobs to disk-based storage use the virtual disk API to mount or marge the virtual disk images. (The virtual disk images are stored in IMG folders.) The virtual disk API does not allow to access to software encrypted virtual disk images.

Solution

The GRT-enabled or NDMP resource backup jobs can be backed up to a Deduplication Storage (with encryption enabled), Tape Storage with encryption settings selected, Cloud Storage or OST Storage capable of storage level encryption. These storages can protect backup data at rest from unauthorized access. Non GRT backups can be encrypted to any of the above storage and does not hold the above limitation.

Note: In the case of a non dedupe disk storage (Backup to Disk folder) or Backup Exec dedupe storage (without storage level encryption selected)  if software level encryption is enabled, the backup data is encrypted at a server that uses a Backup Exec Agent and the encrypted data is transferred to the Backup Exec server. The transferred data is decrypted when writing to disk-based storage (not capable of storage level encryption).

The following message is seen when saving the task definition or backup job. It prompts to choose appropriate storage which supports encryption for GRT or NDMP workloads (If GRT or NDMP is enabled for a disk storage which does not support encryption for GRT set). 

Tape Storage, Cloud Storage or OST Storage, Backup Exec Deduplication Storage (with Encryption setting enabled) are capable of encrypting GRT/NDMP data at rest.
 

Note: Forever Incremental (FI) jobs or Instant Recovery (IR) enabled jobs use technology similar to GRT, such as backing up to IMG folders. These jobs also have the same limitations as GRT above.