Backup Exec 23 Administrator's Guide

Using encryption with Backup Exec

Backup Exec provides you with the ability to encrypt data. When you encrypt data, you protect it from unauthorized access. Anyone that tries to access the data has to have an encryption key that you create. Backup Exec provides software encryption, but it also supports some devices that provide hardware encryption with the T10 standard. Backup Exec configures encryption when you specify which storage devices that you want to use for a backup job.

Backup Exec supports two security levels of encryption: 128-bit Advanced Encryption Standard (AES) and 256-bit AES. Within 256-bit AES encryption level, Backup Exec provides two methods of key derivation for the pass phrase that you entered. One is the existing AES 256-bit that uses SHA-2 algorithm (earlier referred to as 256-bit AES) and the second makes use of PBKDF2 that is the enhanced password-based Key Derivation Function algorithm.

The 256-bit AES encryption provides a stronger level of security because the key is longer for 256-bit AES than for 128-bit AES. However, 128-bit AES encryption enables backup jobs to process more quickly. Hardware encryption using the T10 standard requires 256-bit AES. With PBKDF2, in addition to pass phrase, Backup Exec uses randomly generated Salt, which makes the encryption key more secure.

When you run a duplicate backup job, any backup sets that are already encrypted, will remain encrypted, regardless of the encryption option that you select. However, you can encrypt any unencrypted backup sets.

For information about the best practices of Backup Exec software encryption, refer to Backup Exec Best Practices.

This topic includes the following information:

Software encryption

Hardware encryption

Encryption keys

Restricted keys and common keys

Pass phrases

When you install Backup Exec, the installation program installs encryption software on the Backup Exec server and on any remote computers that use a Backup Exec agent. Backup Exec can encrypt data at a computer that uses a Backup Exec agent, and then transfer the encrypted data to the Backup Exec server. Backup Exec then writes the encrypted data on a set-by-set basis to tape or to disk storage.

Backup Exec does not encrypt Backup Exec metadata or on-disk catalog file and directory information.

You can use software compression with encryption for a backup job. First Backup Exec compresses the files, and then encrypts them. However, backup jobs take longer to complete when you use both encryption compression and software compression.

It is recommended that you avoid using hardware compression with software encryption. Hardware compression is performed after encryption. Data becomes randomized during the encryption process. Compression does not work effectively on data that is randomized.

Backup Exec supports hardware encryption for any storage devices that use the T10 encryption standard. When you use hardware encryption, the data is transmitted from the host computer to the storage device and then encrypted on the device. Backup Exec manages the encryption keys that are used to access the encrypted data.

Backup Exec only supports approved devices for T10 encryption.

You must create encryption keys to use encryption in Backup Exec. When a user creates an encryption key, Backup Exec marks that key with an identifier based on the logged-on user's security identifier. The person who creates the key becomes the owner of the key.

If you use encryption for synthetic backups, all of the associated backups must use the same encryption key. Do not change the encryption key after the baseline is created. The encryption key that you select for the baseline backup is automatically applied to all associated backups.

When you select encrypted data for restore, Backup Exec verifies that encryption keys for the data are available in the database. If any of the keys are not available, Backup Exec prompts you to recreate the missing keys. If you delete the key after you schedule the job to run, the job fails.

If Backup Exec cannot locate an encryption key while a catalog job is running, Backup Exec sends an alert. You can then recreate the missing encryption key if you know the pass phrase. If the Backup Exec alert contains Salt information, you must provide the same salt to recreate the missing encryption key.

Simplified Disaster Recovery supports the recovery of computers with previously encrypted backup sets. If you have Simplified Disaster Recovery backups that are encrypted during backup, the Recover This Computer wizard prompts you for the pass phrase of each encrypted backup set that is required to complete the recovery.

See Encryption key management.

Backup Exec has the following types of encryption keys:

Encryption keys require a pass phrase, which is similar to a password. Pass phrases are usually longer than passwords and are comprised of several words or groups of text. A good pass phrase is between 8 and 128 characters. The minimum number of characters for 128-bit AES encryption is eight. The minimum number of characters for 256-bit AES encryption (SHA-2) and 256-bit AES encryption (PBKDF2) is 16. It is recommended that you use more than the minimum number of characters.

Also, a good pass phrase contains a combination of upper and lower case letters, numbers, and special characters. You should avoid using literary quotations in pass phrases.

For 256-bit AES PBKDF2, the pass phrase must contain at least one upper case, one lower case, one number, and one special character.

A pass phrase can include only printable ASCII characters, which are characters 32 through 126. ASCII character 32 is the space character, which is entered using the space bar on the keyboard. ASCII characters 33 through 126 include the following:

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ

[\]^_'abcdefghijklmnopqrstuvwxyz{|}~

See Encryption key management.