Password Protect Backup Job and media & Using Encryption with Backup Exec
You can protect the backup data by giving a password.
Do the following to achieve the same...
1.Open backup exec
2.Select the data to be backed up or edit the job definition
3.Click on devices and media tab
4.Select "Password protect media" option and give the password.
5.Run the job.
When a password-protected media is taken to another location, such as
another media server, the password is required to catalog the tape.\
There is no direct way to prevent a user from restoring the backed up tapes
on the media server.
However, you can delete the existing catalog from the server. In this way, catalog should be run before restore. As the tapes were password protected, password will be required for cataloging the tapes.
1. Create a backup job by specifying password in the "Password protect media", as mentioned in the earlier mail
2. Go to Devices tab > double click the media shown in the upper right pane and compare the Media ID shown with the file name present in the \program files\Veritas\Backup Exec\Catalogs folder. This file is related with the catalog of the tape.
You can delete this file after stopping all Backup Exec services. After deleting this file the backed up data will not be listed in the Restore selections. When the restore is required, you need to run catalog with password specified in the catalog job. Otherwise, the catalog will not run.
Please note that there is no way to restore the data from the tapes without the password, when the tapes are password protected.
Password protect media
Password protect a tape with Backup Exec 9.x and 10.0:
1. Select Device and Media in the left pane of Backup Job Properties
2. In the right pane, select the Password protect media check box
3. Enter a password and click OK (see Figure 4)
4. Submit the job to overwrite media
Note: Appending to a tape with a job that has a Password and Confirm Password defined will not password protect that tape
Important Note: Password protecting a tape is a non-reversible action. If the password is misplaced, the data on the tape will be irretrievable by Backup Exec, without exception. Please exercise great care in password protecting any media.
Password protected media can be erased without requiring the password.
Using Encryption with Backup Exec
Backup Exec provides the ability to encrypt data, which helps us in protecting data from unauthorized access. Backup Exec provide the Software Encryption, but it also supports some devices that provide Hardware Encryption with the T10 standard.
Backup Exec supports two security levels of encryption: 128-bit Advanced Encryption Standard (AES) and 256-bit Advanced Encryption Standard. For 128-bit AES pass phrase must be atleast 8 characters, whereas 256-bit AES pass phrase must be atleast 16 characters. The 256-bit AES encryption provides a stronger level of security because the key is longer for 256-bit AES than for 128-bit AES. However, 128-bit AES encryption enables backup jobs to process more quickly.
When you install Backup Exec, the installation program installs the necessary encryption software on the media server and on remote computers that use the Remote Agent. Backup Exec can encrypt data at a computer that uses the Remote Agent, and then transfer the encrypted data to the media server. Backup Exec then writes the encrypted data on a set-by-set basis to tape or to a backup-to-disk folder.
Software compression can be used along with the encryption option. First BE compresses the files, and then encrypts them. However, backup jobs take longer to complete when you use both encryption and software compression.
Configuration:
- Create an encryption key; use it with the backup job.
- Create an encryption key while creating the backup job.
- Create / use an encryption key along with a backup set template or duplicate backup job template.
I followed the first method in the video.
To create an encryption key
- On the Tools menu, click Encryption Keys.
- Click New.
- Type the name for the Key.
- Select the type of Encryption
- Provide the pass phrase.
- Confirm pass phrase.
- Select the type of key. (Common / Restricted).
- Click OK
Common: Any user of this installation of Backup Exec can use the key to back up and restore data.
Restricted: Anyone can use the key to back up data, but only the key owner or a user who knows the pass phrase can use the key to restore the encrypted data.
Selecting An Encryption Key For A Backup Job:
- On the navigation bar, click the arrow next to Backup.
- Click New Backup Job.
- Select the data that you want to back up.
- On the Properties pane, under Settings, click Network and Security.
- In the Encryption type field, select the type of encryption you want to use.
- In the Encryption Key field, select the name of the key to be used for encryption.
- Process the backup job as normal.
Hope this article helps...