Article: 100017836
Last Published: 2024-05-21
Product(s): Backup Exec
Problem
How to create, replace or delete an Encryption Key in Backup Exec.
Solution
Backup Exec provides the ability to encrypt data with encryption keys. When the data on a tape is encrypted, you protect it from unauthorized access. Backup Exec (BE) can encrypt data at a computer that uses the Remote Agent, and then transfer the encrypted data to the Backup Exec server. Backup Exec then writes the encrypted data on a set-by-set basis to tape or to a backup-to-disk folder. When Backup Exec is installed, the installation program installs the necessary encryption software on the BE server and on remote servers that use the Remote Agent.
A prompt is received from Backup Exec 22.1 if a job is saved without encryption. Click 'Manage the encryption keys' to create or select an encryption key; the backup job then encrypts the data written to storage that is capable of encryption and stores the data at rest in encrypted form.
There are some exceptions to encrypting the data at rest. Please refer to 100013045 for more details.
Prompt message -
Encryption is not enabled for one or more stages. It is recommended to enable encryption to protect backup data from unauthorized access. Click 'Manage the encryption keys' to set the encryption. After you create an encryption key, the selected key will be set in the job.
The following types of data can be encrypted:
- User data, such as files and Microsoft Exchange databases.
- Metadata, such as file names, attributes, and operating system information.
- On-tape catalog file and directory information.
Backup Exec does not encrypt Backup Exec metadata or on-disk catalog file and directory information.
A Backup Exec administrator can set a default encryption key to use for all backup jobs and duplicate backup set jobs. However, it is possible to override the default key for a specific job. When administrators create a Duplicate backup sets job, backup sets that are already encrypted are not re-encrypted. However, any unencrypted backup sets can be encrypted.
To create an encryption key, perform the following steps.
1. Go to the Backup Exec applet --> Configuration and Settings --> Backup Exec Settings.
2. Go to Network and Security --> Manage Keys.
3. Click New.
4. Complete the appropriate options as follows:
Key name:- Type a unique name for this key. The name can include up to 256 characters.
Encryption type:- Select the encryption type to use for this key. Your choices are 128-bit AES or 256-bit AES.
The default type is 256-bit AES. The 256-bit AES encryption provides a stronger level of security than 128-bit AES encryption. However, backup jobs may process more slowly with 256-bit AES encryption than with 128-bit AES encryption.
Pass phrase:- Type a pass phrase for this key. For 128-bit AES encryption, the pass phrase must be at least eight characters. For 256-bit AES encryption, the pass phrase must be at least 16 characters.
Note:- Veritas recommends that you use more than the minimum number of characters. You can use only printable ASCII characters.
Confirm pass phrase:- Retype the pass phrase.
Common:- Select this option to make this a common key. If a key is common, anyone can use the key to back up and restore data.
Restricted:- Select this option to make this a restricted key. If a key is restricted, anyone can use the key to back up data, but only the key owner or a user who knows the pass phrase can use the key to restore the encrypted data.
5. Click OK.
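The key name and pass phrase rules listed above can be checked before the values are typed into the dialog, which catches pasted pass phrases that contain characters outside printable ASCII. The following Python check is an added example, not Veritas code; the function name, the case-insensitive name comparison and the reading of "printable ASCII" as 0x20 through 0x7E are assumptions.

```python
# Added example (not Veritas code): pre-check values for the New key dialog.
MIN_PASSPHRASE_LEN = {128: 8, 256: 16}   # minimums stated in the article
MAX_KEY_NAME_LEN = 256                   # key name limit stated in the article
# Assumption: "printable ASCII" is 0x20 (space) through 0x7E (~).
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}


def check_key_request(name, aes_bits, passphrase, confirm, existing_names=()):
    """Return a list of violations; an empty list means the values fit the rules."""
    problems = []
    if not 1 <= len(name) <= MAX_KEY_NAME_LEN:
        problems.append("key name must be 1 to 256 characters")
    # Assumption: uniqueness is compared case-insensitively (the stricter reading).
    if name.casefold() in {n.casefold() for n in existing_names}:
        problems.append("key name is already in use")
    if aes_bits not in MIN_PASSPHRASE_LEN:
        problems.append("encryption type must be 128-bit or 256-bit AES")
    elif len(passphrase) < MIN_PASSPHRASE_LEN[aes_bits]:
        problems.append(
            f"pass phrase must be at least {MIN_PASSPHRASE_LEN[aes_bits]} "
            f"characters for {aes_bits}-bit AES"
        )
    # Report positions only, so the pass phrase itself never lands in a log.
    bad = [str(i + 1) for i, ch in enumerate(passphrase) if ch not in PRINTABLE_ASCII]
    if bad:
        problems.append("not printable ASCII at position(s) " + ", ".join(bad))
    if passphrase != confirm:
        problems.append("confirmation does not match the pass phrase")
    return problems


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    sample = "p\u00e4ssword1"  # contains a non-ASCII character at position 2
    for problem in check_key_request("Offsite", 128, sample, sample, ["offsite"]):
        print(problem)
```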
Replacing an encryption key:
You can replace one encryption key with another for all backup jobs and duplicate backup set jobs. To replace an Encryption key, perform the following steps.
1. Select the key that you want to replace.
2. Click Replace.
3. In the Select an encryption key to replace "key name" box, do one of the following:
- To use an existing key, select the key from the list.
- To create a new key, click New.
4. Click OK.
Deleting an encryption key
You should be cautious when you delete encryption keys. When you delete an encryption key, you cannot restore the backup sets that you encrypted with that key unless you create a new key that uses the same encryption key and pass phrase as the original key.
You can delete encryption keys if:
1) The encrypted data on the tape has expired or if the tape is retired.
2) The encryption key is not the default key.
3) The encryption key is not being used in a job. If the key is being used, you must select a new key for the job.
4) The encryption key is not being used in a selection list for restore jobs and for verify duplicate backup set jobs. If a key is deleted that is being used in one of the listed job types, the selection list can no longer be used.
If an encryption key is deleted that is being used in a scheduled restore job, the key cannot be replaced. Therefore, any scheduled restore job in which an encryption key is deleted fails.
To delete an encryption key, perform the following steps.
1. Select the key to delete.
2. Click Delete.
3. Click Yes.
4. If the key is used in a job, do the following:
- In the Select an encryption key to replace "key name" box, select the new key for the jobs listed.
- Click OK.
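The deletion conditions above can be evaluated against an exported inventory before anyone clicks Delete. The following Python check is an added example, not Veritas code; the Media and Job records, their field names and the sample inventory are constructed for illustration and do not come from a Backup Exec API.

```python
from dataclasses import dataclass


@dataclass
class Media:                      # hypothetical record for a tape or backup set
    label: str
    key: str
    expired_or_retired: bool


@dataclass
class Job:                        # hypothetical record for a Backup Exec job
    name: str
    kind: str                     # "backup", "duplicate", "restore", "verify_duplicate"
    key: str
    scheduled: bool = False


def deletion_blockers(key, default_key, media, jobs):
    """Return the reasons the article gives for not deleting `key` (empty = none)."""
    blockers = []
    if key == default_key:
        blockers.append("is the default key")
    live = sorted(m.label for m in media if m.key == key and not m.expired_or_retired)
    if live:
        blockers.append("still protects unexpired media: " + ", ".join(live))
    for job in jobs:
        if job.key != key:
            continue
        if job.kind in ("restore", "verify_duplicate"):
            note = "selection list can no longer be used"
            if job.kind == "restore" and job.scheduled:
                note = "scheduled restore will fail; key cannot be replaced"
        else:
            note = "select a new key for the job first"
        blockers.append(f"{job.kind} job '{job.name}': {note}")
    return blockers


# Constructed sample inventory.
SAMPLE_MEDIA = [Media("LTO-0007", "Offsite-2023", False),
                Media("LTO-0002", "Legacy-2019", True)]
SAMPLE_JOBS = [Job("Nightly-FS", "backup", "Offsite-2023"),
               Job("Quarterly-Restore-Test", "restore", "Offsite-2023", True)]

if __name__ == "__main__":
    for name in ("Legacy-2019", "Offsite-2023"):
        print(name, deletion_blockers(name, "Offsite-2023", SAMPLE_MEDIA, SAMPLE_JOBS))
```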
Note: On a local Backup Exec deduplication storage folder, do not enable job-level encryption, because the data may not deduplicate well. Make sure encryption is enabled at the Backup Exec deduplication storage level when you configure the storage.
References
Etrack : 4086562