https://www.veritas.com/support/en_US/article.000039177
Problem
The NetBackup client encryption option is best for the following:
- Clients that can handle the CPU burden for compression / encryption
- Clients that want to retain control of the data encryption keys
- Situations where the tightest integration of NetBackup and encryption is
desired
- Situations where encryption is needed in terms of a per client basis
Solution
Follow steps below to configure Netbackup client encryption option and steps to verify if Netbackup client encryption is already enabled :-
1. Push the encryption binaries to the client using the following command on the master:
Windows:
Windows:
Note : By default Windows machines have Netbackup Client Encryption binaries installed.
Unix (The encryption binaries must already be installed on the master server):
/usr/openv/netbackup/bin/bpinst -ENCRYPTION <client name>
Unix (The encryption binaries must already be installed on the master server):
/usr/openv/netbackup/bin/bpinst -ENCRYPTION <client name>
Note: Starting with NetBackup 7.0, the encryption binaries are automatically installed on the Unix/Linux clients.
Note :It is required to have the client running the same version of NetBackup as the master server. It is also recommended to have them patched to the same level.
2. Install the license keys for encryption on the master server.
3. Create an encryption key file on the client by running the following command on the client (or on the master server with the -client option):
Windows:
3. Create an encryption key file on the client by running the following command on the client (or on the master server with the -client option):
Windows:
<install_path>\NetBackup\bin\bpkeyutil -client <client name>
Unix:
/usr/openv/netbackup/bin/bpkeyutil -client <client name>
-- To do this, cd into /usr/openv/netbackup/bin
-- Then run ./bpkeyutil -client <client name>
Enter new NetBackup passphrase: **********
Re-enter new NetBackup passphrase: **********
Caution: It is important that you remember the pass phrases, including the old pass phrases. If a client's key file is damaged or lost, you need all of the previous pass phrases in order to recreate the key file. Without the key file, you will be unable to restore files that were encrypted with the pass phrases.
4. Verify the following files are on the client:
Windows:
<install_path>\netbackup\share\version_crypt.txt
<install_path>\Veritas\netbackup\share\ciphers.txt
<install_path>\Veritas\netbackup\bin\bpkeyutil
<install_path>\Veritas\netbackup\var\keyfile.dat (this file is created by the bpkeyutil command)
Unix:
/usr/openv/share/version_crypt
/usr/openv/share/ciphers.txt
/usr/openv/netbackup/bin/bpkeyutil
/usr/openv/var/keyfile.dat (this file is created by the bpkeyutil command)
5. On Netbackup administration console In the policy under the Attributes tab there is a selection for Encryption that determines if the backup will be encrypted. Check the check box.
6) In the NetBackup Administration Console, Expand NetBackup Management > Host Properties > Clients, double click to launch client properties window. Click on "Encryption" and Configure this client to be enabled for encryption.
Unix:
/usr/openv/netbackup/bin/bpkeyutil -client <client name>
-- To do this, cd into /usr/openv/netbackup/bin
-- Then run ./bpkeyutil -client <client name>
Enter new NetBackup passphrase: **********
Re-enter new NetBackup passphrase: **********
Caution: It is important that you remember the pass phrases, including the old pass phrases. If a client's key file is damaged or lost, you need all of the previous pass phrases in order to recreate the key file. Without the key file, you will be unable to restore files that were encrypted with the pass phrases.
4. Verify the following files are on the client:
Windows:
<install_path>\netbackup\share\version_crypt.txt
<install_path>\Veritas\netbackup\share\ciphers.txt
<install_path>\Veritas\netbackup\bin\bpkeyutil
<install_path>\Veritas\netbackup\var\keyfile.dat (this file is created by the bpkeyutil command)
Unix:
/usr/openv/share/version_crypt
/usr/openv/share/ciphers.txt
/usr/openv/netbackup/bin/bpkeyutil
/usr/openv/var/keyfile.dat (this file is created by the bpkeyutil command)
5. On Netbackup administration console In the policy under the Attributes tab there is a selection for Encryption that determines if the backup will be encrypted. Check the check box.
6) In the NetBackup Administration Console, Expand NetBackup Management > Host Properties > Clients, double click to launch client properties window. Click on "Encryption" and Configure this client to be enabled for encryption.