Veritas Solution Guide for Sheltered Harbor

Last Published:
Product(s): NetBackup & Alta Data Protection (10.5)

Archive restoration in Cyber Resilient Domain

When required, data is restored using the restore command option. The Sheltered Harbor solution on the NetBackup client decrypts and restores the data.

The following diagram depicts the process to restore the data using the Veritas NetBackup for Sheltered Harbor solution in the Cyber Resilient Domain (CRD).

Figure: Archive restoration in Cyber Resilient Domain


The process flow is as follows:

  1. Archive retrieval: From the NetBackup client, manually restore the backup data using the NetBackup Backup Archive Restore UI (BAR GUI) or the NetBackup Web UI. Use the backup keyword to restore the data.

    See Restore backup data using NetBackup web UI.

    Note:

    Make sure that the recovery storage path is empty when you restore the backup data files, because the data files cannot be overwritten.

  2. Recovery storage: It contains the recovered encrypted data files along with the secure envelope. You can use any portable medium (such as a pen drive or hard disk) to store the recovered data.

    Note:

    Make sure that you specify the correct recovery storage path while restoring the backup data files. Use the NetBackup Backup Archive Restore UI to restore the data.

  3. External or cloud provider KMS: The Sheltered Harbor solution decrypts the data encryption key (DEK) with the help of a configured KMS. The DEK is then used to decrypt the recovery storage data. This ensures that the encryption/decryption keys do not leave the KMS boundaries. If a cloud KMS is not configured, you can use an on-premises KMS.
  4. Restored data storage: Once you perform the data restoration using the Sheltered Harbor solution, the data files are decrypted and stored in the restored data storage.

    Data restoration using the Sheltered Harbor solution can be done on a completely isolated NetBackup client that has no connectivity to a primary server. Such an isolated NetBackup client can be installed by skipping host certificate deployment during the NetBackup client installation. Data restoration requires connectivity to the KMS where the envelope decryption key is stored.

    Note:

    Ensure that you specify the correct restoration storage path while performing the data restoration operation.

  5. Recovery domain: Once the files are stored in the restored data storage, you can transfer the data to the recovery domain by using any portable medium (such as a pen drive or hard disk).
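
A pre-flight check for the path notes in steps 1, 2 and 4, as an added example that is not part of the Veritas documentation or tooling. It assumes a UNIX/Linux NetBackup client; the function name `preflight_restore_paths`, its exit codes, and the rule that the two storage paths must not overlap are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check before an archive restore (added example, not Veritas tooling).
# Assumptions: UNIX/Linux client; both paths are chosen by the operator.

# preflight_restore_paths RECOVERY_DIR RESTORED_DIR
# Returns 0 when both paths are usable; otherwise prints a reason to stderr
# and returns 2 (missing), 3 (not writable), 4 (overlap) or 5 (not empty).
preflight_restore_paths() {
    recovery=$1
    restored=$2

    for d in "$recovery" "$restored"; do
        if [ ! -d "$d" ]; then
            echo "not a directory: $d" >&2
            return 2
        fi
        if [ ! -w "$d" ]; then
            echo "not writable: $d" >&2
            return 3
        fi
    done

    # Resolve symlinks and relative components so the comparison is reliable.
    recovery_real=$(cd "$recovery" && pwd -P) || return 2
    restored_real=$(cd "$restored" && pwd -P) || return 2

    # Assumption of this example: encrypted recovery files and decrypted
    # output are kept in separate trees (same or nested paths are rejected).
    case "$restored_real/" in
        "$recovery_real"/*) echo "restored path overlaps recovery path" >&2; return 4 ;;
    esac
    case "$recovery_real/" in
        "$restored_real"/*) echo "recovery path overlaps restored path" >&2; return 4 ;;
    esac

    # The recovery path must be empty (hidden entries included), because
    # the data files cannot be overwritten during the restore.
    if [ -n "$(ls -A "$recovery_real")" ]; then
        echo "recovery path is not empty: $recovery_real" >&2
        return 5
    fi
    return 0
}
```

Run the function with the recovery storage path and the restored data storage path before starting the restore, and proceed only when it returns 0.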