Veritas Solution Guide for Sheltered Harbor

The process flow is as follows:

1. Archive retrieval: From the NetBackup client, you need to manually restore the backup data using NetBackup Backup Archive Restore (BAR) UI or NetBackup web UI. You need to use the backup keyword to restore the data.

   See Restore backup data using NetBackup web UI.

2. Data restoration: The recovery storage contains the retrieved encrypted data files along with the secure envelope. You can use any portable medium (such as pen drive, hard disk) to store the restored data. The portable media can be transferred to the third-party restoration platform to restore data and services.

   Note:

   Ensure that you specify the correct recovery storage path while you restore the backup data files using the BAR GUI or web UI.

3. External or cloud provider KMS: The NetBackup Sheltered Harbor solution decrypts the data encryption key (DEK) with the help of a configured external KMS or a cloud-provider based KMS. The DEK is further used to decrypt the recovery storage data. It ensures that the encryption or decryption keys do not leave the KMS boundaries. If cloud KMS is not configured, you can use on-premises KMS.

   Note:

   The decryption of data by the solution is required only for data recovery and verification test, or for service restoration by a self-restorer.

4. Restored data storage: Once you perform the data restoration using the Sheltered Harbor solution, the data files are decrypted and stored in the restored data storage.

   The data restoration using the Sheltered Harbor solution can be done on a completely isolated NetBackup client that does not have a connectivity with a primary server. Such isolated NetBackup client can be installed by skipping host certificate deployment during NetBackup client install. The data restoration needs a connectivity with KMS where envelope decryption key is stored.

   Note:

   Ensure that you specify the correct restoration storage path while performing the data restoration operation.