Forum Discussion

vickyj's avatar
vickyj
Level 4
13 years ago

Password Protect Backup Job and media & Using Encryption with Backup Exec

You can protect the backup data by giving a password.

Do the following to achieve the same...


1.Open backup exec


2.Select the data to be backed up or edit the job definition


3.Click on devices and media tab


4.Select "Password protect media" option and give the password.


5.Run the job.

When a password-protected media is taken to another location, such as
another media server, the password is required to catalog the tape.\

There is no direct way to prevent a user from restoring the backed up tapes
on the media server.

However, you can delete the existing catalog from the server. In this way, catalog should be run before restore. As the tapes were password protected, password will be required for cataloging the tapes.

1. Create a backup job by specifying password in the "Password protect media", as mentioned in the earlier mail

2. Go to Devices tab > double click the media shown in the upper right pane and compare the Media ID shown with the file name present in the \program files\Veritas\Backup Exec\Catalogs folder. This file is related with the catalog of the tape.


You can delete this file after stopping all Backup Exec services. After deleting this file the backed up data will not be listed in the Restore selections. When the restore is required, you need to run catalog with password specified in the catalog job. Otherwise, the catalog will not run.

Please note that there is no way to restore the data from the tapes without the password, when the tapes are password protected.


Password protect media

Password protect a tape with Backup Exec 9.x and 10.0:



1. Select Device and Media in the left pane of Backup Job Properties

2. In the right pane, select the Password protect media check box

3. Enter a password and click OK (see Figure 4)

4. Submit the job to overwrite media


Note: Appending to a tape with a job that has a Password and Confirm Password defined will not password protect that tape

Important Note: Password protecting a tape is a non-reversible action. If the password is misplaced, the data on the tape will be irretrievable by Backup Exec, without exception. Please exercise great care in password protecting any media.

Password protected media can be erased without requiring the password.


Using Encryption with Backup Exec


Backup Exec provides the ability to encrypt data, which helps us in protecting data from unauthorized access. Backup Exec provide the Software Encryption, but it also supports some devices that provide Hardware Encryption with the T10 standard.

Backup Exec supports two security levels of encryption: 128-bit Advanced Encryption Standard (AES) and 256-bit Advanced Encryption Standard. For 128-bit AES pass phrase must be atleast  8 characters, whereas 256-bit AES pass phrase must be atleast 16 characters. The 256-bit AES encryption provides a stronger level of security because the key is longer for 256-bit AES than for 128-bit AES. However, 128-bit AES encryption enables backup jobs to process more quickly.

When you install Backup Exec, the installation program installs the necessary encryption software on the media server and on remote computers that use the Remote Agent. Backup Exec can encrypt data at a computer that uses the Remote Agent, and then transfer the encrypted data to the media server. Backup Exec then writes the encrypted data on a set-by-set basis to tape or to a backup-to-disk folder.

Software compression can be used along with the encryption option. First BE compresses the files, and then encrypts them. However, backup jobs take longer to complete when you use both encryption and software compression.

Configuration:

  1. Create an encryption key; use it with the backup job.
  2. Create an encryption key while creating the backup job.
  3. Create / use an encryption key along with a backup set template or duplicate backup job template.

I followed the first method in the video.

To create an encryption key

  1.  On the Tools menu, click Encryption Keys.
  2.  Click New.
  3.  Type the name for the Key.
  4.  Select the type of Encryption
  5.  Provide the pass phrase.
  6.  Confirm pass phrase.
  7.  Select the type of key. (Common / Restricted).
  8.  Click OK

Common: Any user of this installation of Backup Exec can use the key to back up and restore data.

Restricted: Anyone can use the key to back up data, but only the key owner or a user who knows the pass phrase can use the key to restore the encrypted data.

Selecting An Encryption Key For A Backup Job:

  1.  On the navigation bar, click the arrow next to Backup.
  2.  Click New Backup Job.
  3.  Select the data that you want to back up.
  4.  On the Properties pane, under Settings, click Network and Security.
  5.  In the Encryption type field, select the type of encryption you want to use.
  6.  In the Encryption Key field, select the name of the key to be used for encryption.
  7.  Process the backup job as normal.

Hope this article helps...

  • ...good enough to be an article, NOT a forum query smiley

    I'd suggest you resubmit as an article...good work!

  • BE 9 & 10 are very old versions and would not be of much interest to most of the users in this forum who have moved on.  However, using an encryption key to encrypt the data is valid for the newer versions of BE.

  • Thank you for this article!

    How safe is an encrypted tape when it falls in wrong hands?

     

    Kind regards,

    M. Verkerk

  • ...if they don't have the encryption key, it's fairly safe. It won't stop someone trying to crack it though.

  • As an aside for anyone with 9.x 10.x as it was mentioned in the initial post , the password protection with those versions was very basic and could be bypassed in numerous ways - which is why it changed in 11D and upwards to full encryption.

    Also if you are planning an upgrade from 9.x or 10.x to later versions, always remove the media passwords from jobs prior to the upgarde and then add encryption settings back in after the upgrade. Failure to do this can result in media with both a password and encryption that can cause problems when it comes to a restore.

  • Thank you both for your reply and the information!

    I'm using Backup Exec 12.5 and it is a new installation. So that's must be ok!

    Kind regards,

    M. Verkerk