Description
The NetBackup client encryption option is best for the following:
- Clients that can handle the CPU burden for compression / encryption
- Clients that want to retain control of the data encryption keys
- Situations where the tightest integration of NetBackup and encryption is desired
- Situations where encryption is needed on a per-client basis
- When the only NetBackup client-side encryption option available is 128-bit encryption
Follow the steps below to configure the NetBackup client encryption option and to verify whether NetBackup client encryption is already enabled.
This can be confirmed by checking for the following files on the client:
Windows Client:
install_path\NetBackup\share\version_crypt.txt
install_path\NetBackup\share\ciphers.txt
install_path\NetBackup\bin\bpkeyutil.exe
UNIX/Linux Client:
/usr/openv/share/ciphers.txt
/usr/openv/share/version_crypt
/usr/openv/netbackup/bin/bpkeyutil
Note: If these files are not present, then the NetBackup client-side encryption binaries need to be pushed to the NetBackup client from the NetBackup Primary/Master server.
To confirm the encryption binaries are available on the Primary/Master server, check for the following directory:
Windows Primary/Master:
install_path\NetBackup\crypt
UNIX/Linux Primary/Master:
/usr/openv/netbackup/crypt
If this directory exists, use the following steps to push the binaries to the client and configure encryption:
1. Push the encryption binaries to the client using the following command on the Primary/Master:
Windows:
install_path\NetBackup\bin\bpinst -ENCRYPTION <client name>
Note: By default Windows machines have NetBackup Client Encryption binaries installed.
UNIX/Linux:
/usr/openv/netbackup/bin/bpinst -ENCRYPTION <client name>
Notes:
- The encryption binaries must already be installed on the Primary/Master server.
- Starting with NetBackup 7.0, the encryption binaries are automatically installed on UNIX/Linux clients.
- The client must run the same version of NetBackup as the Primary/Master server.
- It is also recommended that both be patched to the same level.
2. Install the license keys for encryption on the Primary/Master server.
3. Create an encryption key file on the client by running the following command on the client (or on the Primary/Master server with the -client option):
Windows:
install_path\NetBackup\bin\bpkeyutil -client <client name>
UNIX/Linux:
/usr/openv/netbackup/bin/bpkeyutil -client <client name>
Example output:
Enter new NetBackup passphrase: **********
Re-enter new NetBackup passphrase: **********
Caution: It is important that you remember the pass phrases, including the old pass phrases. If a client's key file is damaged or lost, you need all of the previous pass phrases in order to recreate the key file. Without the key file, you will be unable to restore files that were encrypted with the pass phrases.
4. Verify the following files are on the client:
Windows:
install_path\NetBackup\share\version_crypt.txt
install_path\NetBackup\share\ciphers.txt
install_path\NetBackup\bin\bpkeyutil.exe
install_path\NetBackup\var\keyfile.dat
UNIX/Linux:
/usr/openv/share/version_crypt
/usr/openv/share/ciphers.txt
/usr/openv/netbackup/bin/bpkeyutil
/usr/openv/var/keyfile.dat
Note: The keyfile.dat file is created by the bpkeyutil command.
5. In the NetBackup Administration Console, open the policy. Under the Attributes tab there is a selection for Encryption that determines whether the backup will be encrypted. Check the check box.
6. In the NetBackup Administration Console, expand NetBackup Management > Host Properties > Clients, then double-click the client name to launch the Client Properties window. Click Encryption and configure this client to be enabled for encryption.
Once the client is properly installed, the full set of encryption ciphers should now be available:
AES-128-CFB
BF-CFB
DES-EDE-CFB
AES-256-CFB
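
As an added example (not part of the original article or any Veritas tooling), the UNIX/Linux file checks from step 4 and the cipher list above can be scripted so that each failure points back to the step that fixes it. The function name, the optional root-prefix argument, the return codes, and the assumption that ciphers.txt lists cipher names as plain text are illustrative assumptions.

```shell
#!/bin/sh
# Added example: post-configuration check for a UNIX/Linux NetBackup client.
# Paths and cipher names are taken from the article. The optional first
# argument is a hypothetical root prefix (empty on a real client) so the
# check can be exercised against a constructed directory tree.
#
# Return codes (chosen for this example):
#   0 = all files present and all four ciphers listed
#   1 = encryption files missing  -> step 1 (bpinst -ENCRYPTION <client name>)
#   2 = key file missing or empty -> step 3 (bpkeyutil -client <client name>)
#   3 = an expected cipher is not listed in ciphers.txt
check_nbu_crypt() {
    root=${1:-}
    missing=0

    # Files installed with the client encryption binaries.
    for f in /usr/openv/share/version_crypt \
             /usr/openv/share/ciphers.txt \
             /usr/openv/netbackup/bin/bpkeyutil; do
        if [ ! -e "$root$f" ]; then
            echo "missing encryption file: $f" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ] || return 1

    # keyfile.dat is created by bpkeyutil; an empty file is treated as damaged.
    if [ ! -s "$root/usr/openv/var/keyfile.dat" ]; then
        echo "missing or empty key file: /usr/openv/var/keyfile.dat" >&2
        return 2
    fi

    # Assumption: ciphers.txt contains the cipher names as plain text.
    for c in AES-128-CFB BF-CFB DES-EDE-CFB AES-256-CFB; do
        if ! grep -qF -- "$c" "$root/usr/openv/share/ciphers.txt"; then
            echo "cipher not listed in ciphers.txt: $c" >&2
            return 3
        fi
    done
    return 0
}
```

On a client, source the file and call `check_nbu_crypt` with no argument to check the real /usr/openv paths.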