How to manage and protect Encryption keys

Article: 100050759
Last Published: 2023-08-02
Product(s): Backup Exec

Problem

How to manage and protect Encryption keys

Solution

Backup Exec automatically backs up encryption key data to a CSV file whenever an encryption key is created or deleted, by writing selected information about the key to that file. The CSV file is created in the Backup Exec Data folder.

E.g. if Backup Exec is installed at C:\Program Files\Veritas\Backup Exec\, the data folder is "C:\Program Files\Veritas\Backup Exec\Data".

The CSV file name has the following format:

EncryptionKeys-<Backup Exec Media Server Name>.csv

For every change to the encryption keys (addition or deletion), the key data is written to the CSV file so that an automatic backup exists of the encryption key information in use with Backup Exec. The file does not contain sensitive information (the passphrase is never written); it contains only the information a Backup Exec administrator needs to re-create a key after a disaster recovery or a problem with Backup Exec.

The CSV file contains data in the following format (the example below is for reference only):

SchemaVersion,ProductVersion,MachineName,Name,Type,SaltLength,SaltValue,Restricted

"1.0.0","21.0.1200.2243","MediaServer1","Key1","256-bit AES (PBKDF2)","24","000236ADBF9BB1EB2AEAB296BC3BC8B34243816016E8E56E","No"

"1.0.0","21.0.1200.2243","MediaServer2","Hello128","128-bit AES","16","27F7198AA72B41565F0B293797730388","Yes"


The columns contain the following information:

1. Schema Version

2. Product Version (of the installed Backup Exec), e.g. 21.0.xxxx.xxxx

3. Machine Name (the media server name)

4. Name – the encryption key name entered by the user when the key was created.

5. Type – the type of encryption key that was added, for example 128-bit AES, 256-bit AES (SHA-2) or 256-bit AES (PBKDF2).

6. Salt Length – the length of the salt added to the key. The salt is a random value that Backup Exec adds to every encryption key, which makes each encryption key unique.

7. Salt – the actual salt value added for the key. This is essential for re-creating a particular key that was used for a device or a job: the salt value must be copied exactly so that restore operations using that device or the backup sets from that job decrypt correctly and do not fail.

8. Restricted – indicates whether use of the key is restricted. Users can create restricted keys that can be used only by specific users; non-restricted keys can be used by anyone.
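The following is an added example, not code from the article or from Backup Exec, showing how the EncryptionKeys-<server>.csv format above can be parsed and sanity-checked before relying on it for key re-creation: it verifies that each SaltValue is hexadecimal and decodes to exactly SaltLength bytes, flags unknown key types, and returns the type and salt needed to re-create a named key (the passphrase is never in the file). The sample rows are the two reference rows from the article; the assumption that the most recent row for a key name is the current one is mine.

```python
import csv
import io

# Constructed sample: the two reference rows shown in the article.
SAMPLE_CSV = """SchemaVersion,ProductVersion,MachineName,Name,Type,SaltLength,SaltValue,Restricted
"1.0.0","21.0.1200.2243","MediaServer1","Key1","256-bit AES (PBKDF2)","24","000236ADBF9BB1EB2AEAB296BC3BC8B34243816016E8E56E","No"
"1.0.0","21.0.1200.2243","MediaServer2","Hello128","128-bit AES","16","27F7198AA72B41565F0B293797730388","Yes"
"""
COLUMNS = ["SchemaVersion", "ProductVersion", "MachineName", "Name",
           "Type", "SaltLength", "SaltValue", "Restricted"]
KEY_TYPES = {"128-bit AES", "256-bit AES (SHA-2)", "256-bit AES (PBKDF2)"}

def validate_record(row):
    """Return the list of problems with one row; an empty list means the row is consistent."""
    problems = []
    if row["Type"] not in KEY_TYPES:
        problems.append("unknown key type %r" % row["Type"])
    if row["Restricted"] not in ("Yes", "No"):
        problems.append("Restricted must be Yes or No")
    if not row["SaltLength"].isdigit():
        return problems + ["SaltLength is not an integer"]
    try:
        raw = bytes.fromhex(row["SaltValue"])
    except ValueError:
        return problems + ["SaltValue is not hexadecimal"]
    # The salt is stored hex-encoded, so it must decode to exactly SaltLength bytes.
    if len(raw) != int(row["SaltLength"]):
        problems.append("SaltValue is %d bytes but SaltLength says %s" % (len(raw), row["SaltLength"]))
    return problems

def parse_encryption_keys(text):
    """Parse EncryptionKeys-<server>.csv text into (rows, {csv line number: problems})."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != COLUMNS:
        raise ValueError("unexpected header: %r" % reader.fieldnames)
    rows, problems = [], {}
    for lineno, row in enumerate(reader, start=2):
        bad = validate_record(row)
        if bad:
            problems[lineno] = bad
        rows.append(row)
    return rows, problems

def recreation_parameters(rows, machine_name, key_name):
    """Type and salt needed to re-create a key; one row is written per change, so the
    most recent row for that name on that media server is used (assumption)."""
    matches = [r for r in rows if r["MachineName"] == machine_name and r["Name"] == key_name]
    if not matches:
        raise KeyError("no entry for key %r on %s" % (key_name, machine_name))
    return {"Name": matches[-1]["Name"], "Type": matches[-1]["Type"],
            "Salt": matches[-1]["SaltValue"], "Restricted": matches[-1]["Restricted"] == "Yes"}
```

Run `parse_encryption_keys` over the copy of the CSV you keep off the media server; a non-empty problems dictionary means the copy was altered or truncated and should not be trusted for key re-creation.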


The Encryption Key Management window in Backup Exec can be accessed via Backup Exec Settings -> Network And Security -> Manage Keys.

This dialog displays all the keys created in Backup Exec. From here you can create new keys, delete existing keys that are no longer used anywhere, and replace one key with another whenever needed. Whenever a key is created or deleted, a new entry with that key's information is added to the CSV file.


NOTE: It is recommended that a copy of the CSV file be kept on a different server or network location, so that it remains available for disaster recovery or whenever a particular key needs to be re-created.


Re-cataloging media when the encryption key is not present in Backup Exec

An alert appears in Backup Exec when a backup set on the media was encrypted with an encryption key that is not present or saved in the Backup Exec Encryption Key Management settings.


Backup Exec Console Alert (Informational)

The Application Event Log entry corresponding to the Backup Exec Console informational alert:


Log Name:      Application
Source:        Backup Exec
Event ID:      58060
Task Category: None
Level:         Information

Description:
Backup Exec Alert: Media Intervention
(Server: "<media server>") (Job: "Catalog xxxxx") Backup set #<x> on storage media #<x>
Backup set description: ""
The encryption key required by this backup set (key name: KeyName) cannot be retrieved. To Catalog this set, click the Backup Exec button > Configuration and Settings > Backup Exec Settings. Click Network and Security, and then click Manage Keys. On the Encryption Management dialog box, click New to create a key. Select the Create an encryption key using Salt (given by Backup Exec) check box and enter the Salt: <salt key>. Press CTRL + C to copy this alert message to get the Salt.
If the Central Admin Server Feature is installed, you must create the key on the Backup Exec Server that is running the job. 
After you add the key, click the information alert icon on the status bar at the bottom of the Backup Exec window, and open this alert again. On the alert, click Yes to retry operation for the backup set. Otherwise, click No to skip to the next backup set, or click Cancel to terminate the job.


The missing encryption key must be re-created using the original passphrase and the salt value before the backup set can be re-cataloged.
Once the encryption key has been re-created, the alert must be answered with the "Respond Yes" button to continue.

To re-create the key using the salt:
a. Go to Configuration and Settings -> Backup Exec Settings -> Network and Security -> Manage Keys.
b. Click the "New" button.
c. Enter the key name (the key name is shown in the console alert and in the Application log event).
d. Enter the original passphrase.
e. Enter or paste the salt value shown in the alert or in the Application log event.
f. Click OK.
g. Click "Respond Yes" on the Backup Exec console alert.


Restoring a backup set when the encryption key is missing

When a restore is attempted from a backup set whose encryption key (the one used for the backup) is not present in Backup Exec, the following dialog box appears while selecting the backup set.

Encryption Key Not Found

This states that the encryption key used to back up this backup set is missing. The encryption key must be re-created before the restore job can proceed.

Steps to re-create the key for a restore:

a. Click the "Yes" button when the dialog box above is shown.
b. All the information about the missing key (key name, encryption type, salt) is then populated automatically.
c. Type the passphrase for the encryption key. The passphrase must be the same as the original key's; otherwise key re-creation fails and the restore job cannot continue.
d. Click "OK".
e. After the missing encryption key has been re-created successfully, click "Next" in the restore window to continue with the restore job.