Veritas Solution Guide for Sheltered Harbor

Product(s): NetBackup & Alta Data Protection (10.5)

Archive data vaulting using Veritas Alta Recovery Vault for Sheltered Harbor

In this process, the selected data is stored in the cloud on immutable storage, and the original files remain available on the source. To start the data vaulting operation, the backup policy must be configured on the NetBackup primary server. When you start the data vaulting operation, the NetBackup client software on your computer sends the data to be backed up to the NetBackup media server. The media server then deduplicates the data and writes it to a supported immutable cloud object storage. After the data backup is successful, the Sheltered Harbor solution sends an attestation message to the Sheltered Harbor monitoring log.

The Sheltered Harbor solution on the NetBackup client initiates the backup of encrypted data. The following diagram depicts the process of data backup to Veritas Alta Recovery Vault:

Figure: Archive data vaulting using Veritas Alta Recovery Vault for Sheltered Harbor


The process flow is as follows:

  1. Input storage: The input storage includes the manifest, account data files, and corresponding hash files that originated from the institution. At this stage, the Sheltered Harbor solution extracts the input data and processes it further for input data validation. The solution then generates an archive volume and encrypts it using the data encryption key. It also generates the secure envelope that stores the cryptographic material used for encryption.
  2. External or cloud provider KMS: The NetBackup Sheltered Harbor solution encrypts the input storage data using a data encryption key (DEK), and this DEK is in turn encrypted using a configured external KMS or cloud-provider-based KMS. This ensures that the encryption or decryption keys do not leave the KMS boundaries. If cloud KMS is not configured, you can use on-premises KMS.
  3. Transfer storage: The input data files are compressed and encrypted to generate encrypted archive volumes and are stored in the transfer storage.
  4. Immutable cloud storage: During the backup process, NetBackup deduplicates the encrypted volume and secure envelope and stores them in a supported immutable cloud object storage such as Veritas Alta Recovery Vault. A unique keyword is generated and used during backup. This keyword identifies the backup image during restore, and it can be seen using the --report command option. For example, an 'SH-<random number>' keyword is generated during backup and is then used in the BAR UI to see the backup files.

    Note:

    The Sheltered Harbor solution supports either Veritas Alta Recovery Vault or an Isolated Recovery Environment (IRE) to be configured for the data vaulting operations. Other NetBackup storage unit types are not supported.

  5. Sheltered Harbor monitoring log: The Sheltered Harbor monitoring log shows the attestation message as proof of successful completion of the daily data vaulting process.
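
The envelope-encryption pattern described in steps 1 and 2 (archive encrypted with a DEK, DEK wrapped by a KMS, cryptographic material kept in a secure envelope), shown as an added example that is not Veritas or Sheltered Harbor code. The LocalKms class, the envelope fields, the key id and the choice of AES-256-GCM are assumptions; the page does not specify the product's cipher or envelope format.

```javascript
const crypto = require('node:crypto');

// Hypothetical stand-in for an external KMS: the key-encryption key (KEK) is a
// private field, so callers can only ask for a DEK to be wrapped or unwrapped.
class LocalKms {
  #kek = crypto.randomBytes(32);
  wrap(dek) { return seal(this.#kek, dek, 'dek'); }
  unwrap(wrapped) { return open(this.#kek, wrapped, 'dek'); }
}

// AES-256-GCM (assumed cipher); aad binds the blob to its purpose or key id.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const data = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, tag: c.getAuthTag(), data };
}

// Throws if the key is wrong or any of iv, tag, data or aad was altered.
function open(key, { iv, tag, data }, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(tag);
  return Buffer.concat([d.update(data), d.final()]);
}

// Encrypt the archive under a fresh DEK. The envelope (constructed layout)
// holds only the wrapped DEK and key id, never the DEK or KEK in the clear.
function vault(kms, keyId, archive) {
  const dek = crypto.randomBytes(32);
  const volume = seal(dek, archive, keyId);
  const envelope = { keyId, wrappedDek: kms.wrap(dek) };
  dek.fill(0); // best-effort wipe of the plaintext DEK
  return { volume, envelope };
}

// Restore needs the same KMS: without it the wrapped DEK cannot be opened.
function restore(kms, { volume, envelope }) {
  const dek = kms.unwrap(envelope.wrappedDek);
  return open(dek, volume, envelope.keyId);
}

// Constructed sample input, not real account data.
const kms = new LocalKms();
const stored = vault(kms, 'kek-example-1', Buffer.from('acct,balance\n1001,250.00\n'));
console.log(restore(kms, stored).toString());
```

Because the volume and the envelope are both authenticated, a restore fails outright when either has been modified or when a different KMS key is used.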