N10255C
VERITAS NetBackup Encryption 5.0
System Administrator's Guide
for UNIX and Windows
Disclaimer
The information contained in this publication is subject to change without notice. VERITAS Software
Corporation makes no warranty of any kind with regard to this manual, including, but not limited to,
the implied warranties of merchantability and fitness for a particular purpose. VERITAS Software
Corporation shall not be liable for errors contained herein or for incidental or consequential damages
in connection with the furnishing, performance, or use of this manual.
VERITAS Legal Notice
Copyright 1998 - 2003 VERITAS Software Corporation. All rights reserved. VERITAS, the VERITAS
logo, and all other VERITAS product names and slogans are trademarks or registered trademarks of
VERITAS Software Corporation. VERITAS, NetBackup, the VERITAS logo, Reg. U.S. Pat. & Tm. Off.
Other product names and/or slogans mentioned herein may be trademarks or registered trademarks
of their respective companies.
Portions of this software are derived from the RSA Data Security, Inc. MD5 Message-Digest
Algorithm. Copyright 1991-92, RSA Data Security, Inc. Created 1991. All rights reserved.
VERITAS Software Corporation
350 Ellis Street
Mountain View, CA 94043
USA
Phone 650-527-8000 Fax 650-527-2908
www.veritas.com
Third-Party Copyrights
ACE 5.2A: ACE(TM) is copyrighted by Douglas C.Schmidt and his research group at Washington University and University of California, Irvine,
Copyright (c) 1993-2002, all rights reserved.
IBM XML for C++ (XML4C) 3.5.1: Copyright (c) 1999,2000,2001 Compaq Computer Corporation, Copyright (c) 1999,2000,2001 Hewlett-Packard
Company, Copyright (c) 1999,2000,2001 IBM Corporation, Copyright (c) 1999,2000,2001 Hummingbird Communications Ltd., Copyright (c)
1999,2000,2001 Silicon Graphics, Inc., Copyright (c) 1999,2000,2001 Sun Microsystems, Inc., Copyright (c) 1999,2000,2001 The Open Group, All
rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this
permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting
documentation.
This product includes software developed by the Apache Software Foundation (http://www.apache.org/).
JacORB 1.4.1: The licensed software is covered by the GNU Library General Public License, Version 2, June 1991.
Open SSL 0.9.6: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
TAO (ACE ORB) 1.2a: TAO(TM) is copyrighted by Douglas C. Schmidt and his research group at Washington University and University of
California, Irvine, Copyright (c) 1993-2002, all rights reserved.
NetBackup_AdminGuide_Encryption_50.book Page ii Friday, November 7, 2003 1:48 PM
Revision History
The following table summarizes the revisions made to this document for NetBackup
release 5.0.

Release      NetBackup Encryption System Administrator's Guide 5.0
Date         December 2003
Description  Original version for this release.
             - In release 5.0, Mac OS 9 (and earlier) Macintosh clients
               are no longer supported. Clients running Mac OS X
               10.2.2 and higher are supported and are considered
               UNIX clients in this document.
             - The Commands appendix has been removed. For
               information on the commands used in NetBackup
               Encryption, please see the NetBackup Commands guide
               for UNIX or Windows.
Contents
Revision History
Preface
  What Is In This Manual?
  Getting Help
  Related NetBackup Manuals
  Related Resources
    Glossary
  Accessibility Features
  Conventions
Chapter 1. Introduction
  Terminology
  Technical Overview
    How an Encrypted Backup Works
    How an Encrypted Restore Works
Chapter 2. Installation on a Master Server
  Installation Prerequisite
  Installing on a UNIX NetBackup Master Server
  Installing on a Windows NetBackup Master Server
Chapter 3. Configuration
  Configuring from the Master Server
    Read This If Clients Have Not Been Previously Configured
    Pushing NetBackup Encryption Software to Clients
    Pushing the NetBackup Encryption Configuration to Clients
    Pushing Encryption Pass Phrases to Clients
    Setting the Encryption Attribute in NetBackup Policies
  Configuring NetBackup Encryption on the Client
    Obtaining NetBackup Encryption Software
    Managing NetBackup Encryption Configuration Options
    Managing the NetBackup Encryption Key File
    Redirected Restores of Encrypted Files
  Setting Encryption in NetBackup Policies
  Additional Key File Security (UNIX clients only)
    Running bpcd as a Standalone Program
    Terminating bpcd
Index
Preface
This guide explains how to install, configure, and use VERITAS NetBackup Encryption. In
this publication, VERITAS NetBackup is referred to as NetBackup and VERITAS
NetBackup Encryption is referred to as NetBackup Encryption.
This guide is intended for the system administrator responsible for configuring
NetBackup Encryption and assumes a thorough working knowledge of NetBackup
administration and use.
What Is In This Manual?
The Introduction chapter is an overview of the product's capabilities.
The Installation on a Master Server chapter explains how to install NetBackup
Encryption.
The Configuration chapter explains how to configure your system to use NetBackup
Encryption. This information supplements that in the NetBackup Windows and UNIX
system administrator's guides.
Getting Help
Use the VERITAS Technical Support web site to get help for NetBackup Encryption if you
have questions.
Accessing the VERITAS Technical Support Web Site
The VERITAS Technical Support Web site allows you to:
- Obtain updated information about NetBackup Encryption, including system
  requirements, supported platforms, supported peripherals,
- Contact the VERITAS Technical Support staff and post questions to them
- Get the latest patches, upgrades, and utilities
- View the NetBackup Encryption Frequently Asked Questions (FAQ) page
- Search the knowledge base for answers to technical support questions
- Receive automatic notice of product updates
- Find out about NetBackup Encryption training
- Read current white papers related to NetBackup Encryption
The address for the VERITAS Technical Support Web site is:
http://support.veritas.com
Using VERITAS Telephone and Email Support
Telephone support for NetBackup Encryption is only available with a valid support
contract. To contact VERITAS for technical support, dial the appropriate phone number
listed on the Technical Support Guide included in the product box and have your product
license information ready for quick navigation to the proper support group.
To locate the telephone support directory on the VERITAS web site
1. Open http://www.support.veritas.com/ in your web browser.
2. Click the Phone Support icon. A page that contains VERITAS support numbers from
   around the world appears.
To contact support using email on the VERITAS web site
1. Open http://www.support.veritas.com/ in your web browser.
2. Click the E-mail Support icon. A brief electronic form will appear and prompt you to:
   - Select a language of your preference
   - Select a product and a platform
   - Associate your message to an existing technical support case
   - Provide additional contact and product information, and your message
3. Click Send Message.
Related NetBackup Manuals
NetBackup Release Notes for UNIX and Windows
Describes the platforms and operating systems that are supported and provides
operating notes that may not be in the manuals or the online help.
NetBackup System Administrator's Guide for Windows, Volumes I & II
Explains how to configure and manage NetBackup on a Windows system.
NetBackup System Administrator's Guide for UNIX, Volumes I & II
Explains how to configure and manage NetBackup on a UNIX system.
NetBackup Commands for Windows
Describes NetBackup command use on a Windows system.
NetBackup Commands for UNIX
Describes NetBackup command use on a UNIX system.
Related Resources
Glossary
If you encounter unfamiliar terminology, consult the NetBackup online glossary. The
glossary contains terms and definitions for NetBackup and all additional NetBackup
options and agents.
The NetBackup online glossary is included in the NetBackup help file.
To access the NetBackup online glossary
1. In the NetBackup Administration Console (or from the Backup, Archive, and Restore
   client interface), click Help > Help Topics.
2. Click the Contents tab.
3. Click NetBackup Glossary of Terms.
The glossary displays in a help window. Use the scroll function to navigate through the
glossary.
Accessibility Features
NetBackup contains features that make the user interface easier to use by people who are
visually impaired and by people who have limited dexterity. Accessibility features
include:
- Support for assistive technologies such as screen readers and voice input (Windows
  servers only)
- Support for keyboard (mouseless) navigation using accelerator keys and mnemonic
  keys
For more information, see the NetBackup System Administrator's Guide.
Conventions
The following section explains typographical and other conventions used in this guide.
Product-Specific Conventions
The following term is used in VERITAS NetBackup documentation to increase readability
while maintaining technical accuracy.
Microsoft Windows, Windows
Terms used to describe a specific product or operating system developed by
Microsoft, Inc. Some examples are, Windows 2000, Windows Server 2003, Windows
servers, Windows clients, Windows platforms, or Windows GUI. For more
information on the Windows operating systems that NetBackup supports, refer to the
VERITAS NetBackup Release Notes for UNIX and Windows or go to the VERITAS support
web site at http://www.support.veritas.com.
Note When a specific Windows product is identified in the documentation, only that
particular product is valid in that instance.
Typographical Conventions
Here are the typographical conventions used throughout the manuals:

Conventions

Convention   Description
GUI Font     Used to depict graphical user interface (GUI) objects, such as fields,
             listboxes, menu commands, and so on. For example: Enter your
             password in the Password field.
Italics      Used for placeholder text, book titles, new terms, or emphasis. Replace
             placeholder text with your specific text. For example: Replace filename
             with the name of your file. Do not use file names that contain spaces.
Code         Used to show what commands you need to type, to identify pathnames
             where files are located, and to distinguish system or application text that
             is displayed to you or that is part of a code example.
Key+Key      Used to show that you must hold down the first key while pressing the
             second key. For example: Ctrl+S means hold down the Ctrl key while
             you press S.

You should use the appropriate conventions for your platform. For example, when
specifying a path, use backslashes on Microsoft Windows and slashes on UNIX.
Significant differences between the platforms are noted in the text.
Tips, notes, and cautions are used to emphasize information. The following samples
describe when each is used.
Tip Used for nice-to-know information, like a shortcut.
Note Used for important information that you should know, but that shouldn't cause any
damage to your data or your system if you choose to ignore it.
Caution Used for information that will prevent a problem. Ignore a caution at your own
risk.
Command Usage
The following conventions are frequently used in the synopsis of command usage.
brackets [ ]
The enclosed command line component is optional.
Vertical bar or pipe (|)
Separates optional arguments from which the user can choose. For example, when a
command has the following format:
command arg1|arg2
In this example, the user can use either the arg1 or arg2 variable.
Navigating Multiple Menu Levels
When navigating multiple menu levels, a greater-than sign (>) is used to indicate a
continued action.
The following example shows how the > is used to condense a series of menu selections
into one step:
Select Start > Programs > VERITAS NetBackup > NetBackup Administration
Console.
The corresponding actions could be described in more steps as follows:
1. Click Start in the task bar.
2. Move your cursor to Programs.
3. Move your cursor to the right and highlight VERITAS NetBackup.
4. Move your cursor to the right. First highlight and then click NetBackup
   Administration Console.
Chapter 1. Introduction
NetBackup Encryption is a separately priced product that provides file-level encryption
of backups and archives. There are two versions:
- Encryption with 40-bit DES.
- Encryption with 56-bit DES (also includes 40-bit DES).
Terminology
These terms will be useful in understanding and using NetBackup Encryption.
DES
DES (Data Encryption Standard) is a symmetric-encryption block cipher. The same secret
encryption key is used to encrypt and decrypt the data. NetBackup Encryption uses DES
to encrypt backups.
56-bit DES Key
A standard DES encryption key is 56 bits long.
40-bit DES Key
A 40-bit DES key is the same as a 56-bit DES key except that 16 bits are always set to zero.
Key File
A key file is a file on a NetBackup Encryption client. The data in the key file is used to
generate DES keys that are used to encrypt a client's backed up files. The path name of the
key file is defined in the client's CRYPT_KEYFILE configuration option. A key file is
created or updated when a pass phrase is specified with the bpinst command on a
NetBackup master server or the bpkeyfile command on a client.
Pass Phrase
A pass phrase is like a password except that it is usually longer. In NetBackup, a pass
phrase is checksummed in order to generate DES encryption keys. Pass phrases used by
NetBackup can be from 0 to 63 characters long. To avoid compatibility problems between
systems, restrict the characters in a pass phrase to printable ASCII characters. These are
the characters from Space (code 32) to tilde (code 126) in the ASCII collating sequence.
NetBackup Pass Phrase
A NetBackup pass phrase is used to generate data placed in a client's key file. The data in
the key file is used to generate DES keys used to encrypt a client's backed up files. You can
update the NetBackup pass phrase for a client's key file by specifying the
-passphrase_prompt option on the bpinst command from a master server or by
specifying the -change_netbackup_pass_phrase option on the bpkeyfile
command on a client.
Key File Pass Phrase
A key file pass phrase is used to generate the DES key that is used to encrypt the key file
on a NetBackup client. You can either use NetBackup's standard key file pass phrase or
use your own key file pass phrase by specifying the -change_key_file_pass_phrase
option on the bpkeyfile command on a client.
Standard Key File Pass Phrase
The standard key file pass phrase is hardcoded into NetBackup programs. If the key file is
encrypted using the DES key generated from the standard key file pass phrase,
NetBackup programs can automatically decrypt and read the key file.
Technical Overview
This is an overview of how NetBackup Encryption operates during backups and restores.
How an Encrypted Backup Works
The server determines from a policy attribute whether the backup should be encrypted.
The server then connects to bpcd on the client to initiate the backup and passes the
Encryption policy attribute on the backup request. The client compares the Encryption
policy attribute to the CRYPT_OPTION in the configuration on the client.
- If the policy attribute is yes and CRYPT_OPTION is REQUIRED or ALLOWED, the client
  will perform an encrypted backup.
- If the policy attribute is yes and CRYPT_OPTION is DENIED, the client will not
  perform the backup.
- If the policy attribute is no and CRYPT_OPTION is ALLOWED or DENIED, the client will
  perform a non-encrypted backup.
- If the policy attribute is no and CRYPT_OPTION is REQUIRED, the client does not
  perform the backup.
The following table shows the type of backup performed for each of the above conditions:

                Encryption Policy Attribute
CRYPT_OPTION    Yes          No
REQUIRED        Encrypted    None
ALLOWED         Encrypted    Non-encrypted
DENIED          None         Non-encrypted

The prerequisites for encrypting a backup are as follows:
- The encryption software must be loaded into the directory on the client that is
  specified by the CRYPT_LIBPATH configuration entry.
- The encryption software must include the 40-bit DES library. The name of the 40-bit
  DES library is libvdes40.suffix where suffix is so, sl, or dll depending on the
  client platform.
- If the CRYPT_STRENGTH configuration option is set to DES_56, the encryption
  software must also include the 56-bit DES library. The name of the 56-bit DES library
  is libvdes56.suffix where suffix is so, sl, or dll depending on the client platform.
- A key file must exist as specified with the CRYPT_KEYFILE configuration option. The
  key file is created when specifying a NetBackup pass phrase with the bpinst
  command from the master server or the bpkeyfile command from the client.
If the above conditions are met and the backup is to be encrypted, the following occurs:
1. The client takes the latest data from its key file and merges it with the current time
   (the backup time) to generate a DES key. For 40-bit DES, 16 bits of the key are always
   set to zero.
2. For each file backed up:
   - The client creates an encryption tar header. The tar header contains a checksum
     of the DES key used for encryption.
   - The client writes the file data encrypted with the DES key.
   Note Only file data is encrypted. File names and attributes are not encrypted.
3. The server reads the file names, attributes, and data from the client and writes them to
   a backup image on the server. The server DOES NOT perform any encryption or
   decryption of the data. The backup image on the server includes the backup time and
   a flag indicating whether the backup was encrypted.
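An added example (not part of the VERITAS guide or its software): a Python pre-flight check that applies the table and prerequisites above to one UNIX client before a backup runs. It assumes bp.conf entries have the form NAME = value; the function names, the sample bp.conf and the file inventory are constructed for illustration.

```python
import posixpath

# (CRYPT_OPTION, policy Encryption attribute) -> backup type, from the table above.
BACKUP_TYPE = {
    ("REQUIRED", True): "encrypted",
    ("REQUIRED", False): "none",
    ("ALLOWED", True): "encrypted",
    ("ALLOWED", False): "non-encrypted",
    ("DENIED", True): "none",
    ("DENIED", False): "non-encrypted",
}


def parse_bp_conf(text):
    """Parse 'NAME = value' lines; an entry with no '=' is kept with value ''."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            name, _, value = line.partition("=")
            options[name.strip().upper()] = value.strip()
    return options


def preflight(bp_conf_text, policy_encrypts, present_files, suffix="so"):
    """Predict the backup type for one client and list unmet prerequisites.

    present_files is the set of paths that exist on the client; it is passed
    in so the check can run against an inventory instead of a live system.
    """
    opts = parse_bp_conf(bp_conf_text)
    crypt_option = opts.get("CRYPT_OPTION", "").upper()
    if crypt_option not in ("REQUIRED", "ALLOWED", "DENIED"):
        return "unknown", ["CRYPT_OPTION is not REQUIRED, ALLOWED or DENIED"]

    backup_type = BACKUP_TYPE[(crypt_option, policy_encrypts)]
    problems = []
    if backup_type == "none":
        problems.append("policy attribute conflicts with CRYPT_OPTION=%s: "
                        "the client will not perform the backup" % crypt_option)
    if "DISALLOW_SERVER_WRITES" in opts:
        problems.append("DISALLOW_SERVER_WRITES is present: "
                        "bpinst cannot push to this client")
    if backup_type != "encrypted":
        return backup_type, problems

    # Encrypted backup: the DES libraries and the key file must be in place.
    libpath = opts.get("CRYPT_LIBPATH", "")
    needed = ["libvdes40." + suffix]
    if opts.get("CRYPT_STRENGTH", "").upper() == "DES_56":
        needed.append("libvdes56." + suffix)
    if not libpath:
        problems.append("CRYPT_LIBPATH is not set")
    else:
        for lib in needed:
            path = posixpath.join(libpath, lib)
            if path not in present_files:
                problems.append("missing " + path)

    keyfile = opts.get("CRYPT_KEYFILE", "")
    if not keyfile or keyfile not in present_files:
        problems.append("key file missing: create it with bpinst or bpkeyfile")
    return backup_type, problems


# Constructed sample: a client bp.conf and the files found on that client.
SAMPLE_BP_CONF = """\
SERVER = master1
CLIENT_NAME = client1
CRYPT_OPTION = REQUIRED
CRYPT_STRENGTH = DES_56
CRYPT_LIBPATH = /usr/openv/lib
CRYPT_KEYFILE = /usr/openv/netbackup/keyfile
"""
SAMPLE_FILES = {"/usr/openv/lib/libvdes40.so", "/usr/openv/netbackup/keyfile"}

if __name__ == "__main__":
    for encrypts in (True, False):
        print("policy encrypts:", encrypts, "->",
              preflight(SAMPLE_BP_CONF, encrypts, SAMPLE_FILES))
```

With the sample data, a policy that encrypts is reported as an encrypted backup blocked by the missing 56-bit library, and a policy that does not encrypt is reported as no backup at all because CRYPT_OPTION is REQUIRED.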
How an Encrypted Restore Works
The server determines from the backup image whether the backup was encrypted. The
server then connects to bpcd on the client to initiate the restore. The server sends to the
client an encryption flag and backup time from the backup image on the restore request.
The prerequisites for restoring an encrypted backup are as follows:
- The encryption software must be loaded into the directory on the client specified by
  the CRYPT_LIBPATH configuration option.
- The encryption software must include the 40-bit DES library. The name of the 40-bit
  DES library is libvdes40.suffix where suffix is so, sl, or dll depending on the
  client platform.
- If the CRYPT_STRENGTH configuration option is set to DES_56, the encryption
  software must also include the 56-bit DES library. The name of the 56-bit DES library
  is libvdes56.suffix where suffix is so, sl, or dll depending on the client platform.
- A key file must exist as specified with the CRYPT_KEYFILE configuration option. The
  key file should have been created when specifying a NetBackup pass phrase with the
  bpinst command from the master server or the bpkeyfile command from the
  client.
If the above conditions are met, the following occurs:
- The server sends file names, attributes, and encrypted file data to the client to be
  restored.
- The client takes its key file data and merges it with the backup time to generate one or
  more 40-bit DES keys. If the 56-bit DES library is available, the client also generates
  one or more 56-bit DES keys.
- If the client reads an encryption tar header, the client compares the checksum in the
  header with the checksums of its DES keys. If the checksum of a DES key matches the
  checksum in the header, that DES key will be used to decrypt the file data.
- The file is decrypted and restored if a DES key is available. If the DES key is not
  available, the file is not restored and an error message is generated.
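An added example (a model written for this page, not VERITAS code) of the key handling described in the backup and restore overviews: the backup side derives a key from the latest key file data and the backup time and stores only the key's checksum in the header, and the restore side rebuilds candidate keys and picks the one whose checksum matches. The guide does not give the merge or checksum functions, which 16 bits are zeroed, or the key file layout; MD5 for both functions, zeroing the low 16 bits, a newest-first list of entries, and all names and sample values are assumptions of this sketch.

```python
import hashlib

MASK_56 = (1 << 56) - 1
LOW_16 = (1 << 16) - 1


def derive_key(entry: bytes, backup_time: int, strength: str) -> int:
    """Merge one key file entry with the backup time into a DES key (model).

    Assumptions: MD5 is the merge function and the 16 zeroed bits of a
    40-bit key are the low 16; the guide specifies neither.
    """
    digest = hashlib.md5(entry + backup_time.to_bytes(8, "big")).digest()
    key = int.from_bytes(digest[:7], "big") & MASK_56
    if strength == "DES_40":
        key &= ~LOW_16  # 40-bit key = 56-bit key with 16 bits always zero
    return key


def key_checksum(key: int) -> str:
    """Checksum of a DES key as carried in the encryption tar header (model)."""
    return hashlib.md5(key.to_bytes(7, "big")).hexdigest()


def backup_header(keyfile: list, backup_time: int, strength: str) -> dict:
    """Backup side: use the latest key file entry. The header carries only
    the checksum of the key, never the key itself."""
    key = derive_key(keyfile[0], backup_time, strength)
    return {"key_checksum": key_checksum(key)}


def select_restore_key(keyfile: list, backup_time: int, header: dict,
                       have_des56: bool):
    """Restore side: derive candidate keys from every key file entry and
    return (strength, key) for the one whose checksum matches, else None."""
    strengths = ["DES_40"] + (["DES_56"] if have_des56 else [])
    for entry in keyfile:
        for strength in strengths:
            key = derive_key(entry, backup_time, strength)
            if key_checksum(key) == header["key_checksum"]:
                return strength, key
    return None  # no DES key available: the file is not restored


# Constructed sample data: key file entries and a backup time.
OLD_ENTRY = b"entry-from-first-pass-phrase"
NEW_ENTRY = b"entry-from-second-pass-phrase"
T_BACKUP = 1070236800


def demo():
    """A 56-bit backup made before a pass phrase change, restored three ways."""
    header = backup_header([OLD_ENTRY], T_BACKUP, "DES_56")
    return {
        # Key file still holds the old entry behind the new one.
        "after_rotation": select_restore_key(
            [NEW_ENTRY, OLD_ENTRY], T_BACKUP, header, True),
        # Key file was recreated and the old entry is gone.
        "old_entry_lost": select_restore_key(
            [NEW_ENTRY], T_BACKUP, header, True),
        # Client has only the 40-bit library installed.
        "no_des56_library": select_restore_key(
            [NEW_ENTRY, OLD_ENTRY], T_BACKUP, header, False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", "restored with " + result[0] if result
              else "file not restored, error reported")
```

In this model a restore succeeds only while the key file still yields the key used at backup time and the matching DES library is installed, which is why the key file and the 56-bit library have to be preserved along with the backup images.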
Chapter 2. Installation on a Master Server
You must first install NetBackup Encryption on either a UNIX or Windows NetBackup
master server. When this installation is complete, you can then install and configure it on
the clients as explained in the Configuration chapter.
Installation Prerequisite
The master servers for the clients that require encrypted backups must be running
NetBackup 5.0 server software. For a list of the platforms on which you can install
NetBackup Encryption, see the NetBackup Release Notes.
Note In a clustered environment, you must freeze the active node so that migrations do
not occur before you start installing any add-ons. Refer to the clustering section in
the NetBackup High Availability System Administrator's Guide that pertains to the type
of cluster software you are running for more information on how to freeze a service
group.
Installing on a UNIX NetBackup Master Server
1. Log in as the root user on the NetBackup UNIX master server.
2. Make sure a valid license key for NetBackup Encryption (40 or 56-bit) has been
   registered by executing the following command to list and add keys:
   /usr/openv/netbackup/bin/admincmd/get_license_key
3. Insert the CD-ROM containing the NetBackup Encryption software (40 or 56-bit) in
   the drive.
4. Change your working directory to the CD-ROM directory:
   cd /cd_rom_directory
   Where cd_rom_directory is the path to the directory where you can access the
   CD-ROM. On some platforms, it may be necessary to mount this directory.
5. To install NetBackup Encryption, execute the following:
   ./install
   A message states which version of NetBackup Encryption will be installed. When
   asked if you want to continue, answer y.
6. In a clustered environment, steps 1 - 5 must be executed on each node in the cluster.
7. Install software on the clients.
   For most NetBackup clients, you can install (push) the encryption software from the
   master server to the client. For details, see Configuring from the Master Server on
   page 9.
   Note In a clustered environment, the capability to push to a client is only allowed
   from the primary node.
   However, the client must allow server writes to install from the server. On a UNIX
   client, this means that DISALLOW_SERVER_WRITES cannot be present in the
   bp.conf file. On Microsoft Windows clients, the Allow server directed restores box
   must be selected on the General tab of the NetBackup Configuration dialog box.
   (Open this dialog box by choosing Actions > Configure in the client-user interface).
   If the client does not allow server writes, use the method described in Configuring
   NetBackup Encryption on the Client on page 14.
   Note In a clustered environment, after you have successfully installed the add-on,
   unfreeze this node. Again, refer to the appropriate clustering section in the
   NetBackup High Availability System Administrator's Guide for more information on
   how to unfreeze a service group.
Installing on a Windows NetBackup Master Server
1. Log in as Administrator on the Microsoft Windows NetBackup server.
2. Make sure a valid license key for NetBackup Encryption (40 or 56-bit) has been
   registered by doing the following to list and add keys:
   a. From the NetBackup Administration window, choose Help.
   b. Select Help > License Keys ....
      The NetBackup License Keys window appears. Existing keys are listed in the
      lower part of the window.
   c. To register a new key, type your license key in the New license key field and click
      Add.
      The new license key appears in the lower part of the dialog box.
3. Insert the CD-ROM for NetBackup Encryption in the drive.
4. If the AutoPlay feature is enabled, the AutoRun program will allow you to:
   - Browse the contents of the CD-ROM
   - Add or remove programs from your system
   - View NetBackup Encryption for Windows Readme files
   - Install NetBackup Encryption for Windows
5. If the AutoPlay feature is not enabled, choose Run from the Start menu and execute:
   D:\NTCrypt\Setup.exe
   Where D:\ is your CD-ROM drive.
6. Follow the prompts in the install application.
7. Install software on the clients.
   For most NetBackup clients, you can install (push) the encryption software from the
   master server to the client. For details, see Configuring from the Master Server on
   page 9.
   Note If you are running NetBackup in a clustered environment, pushing software to
   the client is only allowed from the active node.
   Note If you are pushing the encryption software to clients located in a cluster, specify
   the hostnames of the individual nodes (not the virtual names) in the list of
   clients.
   However, the client must allow server writes to install from the server. On a UNIX or
   Macintosh client, this means that DISALLOW_SERVER_WRITES cannot be present in
   the bp.conf file. On Microsoft Windows clients, the Allow server directed restores
   box must be selected on the General tab of the NetBackup Configuration dialog box
   (open this dialog box by clicking Actions > Configure in the client-user interface).
   If the client does not allow server writes, use the method described in Configuring
   NetBackup Encryption on the Client on page 14.
Chapter 3. Configuration
This chapter explains how to configure NetBackup Encryption and contains the following
sections:
- Configuring from the Master Server
- Configuring NetBackup Encryption on the Client
- Setting Encryption in NetBackup Policies
- Additional Key File Security (UNIX clients only)
The CRYPT_OPTION, CRYPT_STRENGTH, CRYPT_LIBPATH, and CRYPT_KEYFILE
configuration options mentioned in this chapter are in the bp.conf file on UNIX clients
and in the registry on Microsoft Windows clients. You can also use the NetBackup
Administration interface on a Windows NetBackup server to configure the options
remotely. They are on the Encryption tab in the Client Properties dialog box (see the
NetBackup System Administrator's Guide for details).
These options can be set by the bpinst -CRYPT command (found in
/usr/openv/netbackup/bin on UNIX systems, and
<install_path>\netbackup\bin on Windows systems). The equivalent option
settings for this command are -crypt_option, -crypt_strength, and
-client_libraries, respectively. The CRYPT_KEYFILE is created with the option
-passphrase_prompt or -passphrase -stdin.
Configuring from the Master Server
You can configure most NetBackup clients for encryption by using the bpinst command
from the master server. Prerequisites include:
- The NetBackup Encryption client software must be installed in a directory on the
  master server as described in the Installation on a Master Server chapter.
- The NetBackup client software must be running on platforms that support NetBackup
  Encryption (see the NetBackup Release Notes).
- The NetBackup clients must be running NetBackup 5.0 or later.
- If the master server is part of a cluster, all nodes in the cluster must have the same
  keyfile.
- The NetBackup configuration on the clients must allow server writes.
  On a UNIX client, this means that DISALLOW_SERVER_WRITES cannot be present in
  the bp.conf file.
  On Microsoft Windows clients, the Allow Server Directed Restores box must be
  selected. In the Backup, Archive, and Restore utility, this is on the General tab of the
  NetBackup Client Properties dialog. (Open this dialog by selecting File > NetBackup
  Client Properties.)
  If a client does not allow server writes, either temporarily change its configuration so
  writes are allowed or use the method described in "Configuring NetBackup
  Encryption on the Client" on page 14.
The bpinst command is loaded into the NetBackup bin directory on the master server.
For a Windows server, the bin directory is:
install_path\NetBackup\bin
For a UNIX server, the bin directory is:
/usr/openv/netbackup/bin
See the bpinst command description in the NetBackup Commands guide for details on the
options that are available with the bpinst command. The following sections contain
several examples of how to use bpinst.
Normally, you specify client names in the bpinst command. However, if you include the
-policy_names option, you will specify policy names instead. This will affect all clients
in the specified policies.
Read This If Clients Have Not Been Previously Configured
If you are using bpinst -CRYPT to configure encryption on clients that were not
previously configured for encryption, ensure that you push the encryption libraries to the
clients first with one bpinst command and then configure the encryption pass phrase
with a separate bpinst command. For example:
bpinst -CRYPT -client_libraries /usr/openv/lib/client clientname1
bpinst -CRYPT -passphrase_prompt clientname1
If you try to specify both the -client_libraries and -passphrase_prompt
arguments on the same command line, the pass phrase configuration can fail because the
encryption libraries are not yet available on the client.
Note: If you are running NetBackup in a clustered environment, pushing software to the
client is only allowed from the active node.
Note: If you are pushing the encryption software to clients located in a cluster, specify the
hostnames of the individual nodes (not the virtual names) in the list of clients.
Pushing NetBackup Encryption Software to Clients
Note: The supported platforms section of the NetBackup Release Notes defines which
NetBackup clients can support encryption.
You can use the -client_libraries option on the bpinst command to copy
encryption software from the master server to NetBackup clients.
Assume that you want to install the client software on client1 and client2. You would
enter a command like this (all on one line):
bpinst -CRYPT -client_libraries /usr/openv/lib/client client1 client2
Assume that you want to install the client software on all clients in the NetBackup policies
policy1 and policy2. You would enter a command like this (all on one line):
bpinst -CRYPT -client_libraries /usr/openv/lib/client -policy_names policy1 policy2
For Windows master servers, you would use the following commands:
bpinst.exe -CRYPT -client_libraries ignore client1 client2
bpinst.exe -CRYPT -client_libraries ignore -policy_names policy1 policy2
Note: On a Windows master server, the -client_libraries option must be specified
with the ignore argument.
Note: If you are running NetBackup in a clustered environment, pushing software to the
client is only allowed from the active node.
Note: If you are pushing the encryption software to clients located in a cluster, specify the
hostnames of the individual nodes (not the virtual names) in the list of clients.
Pushing the NetBackup Encryption Configuration to Clients
You can use the -crypt_option and -crypt_strength options on the bpinst
command to set encryption-related configuration on NetBackup clients.
- The -crypt_option option specifies whether the client should deny encrypted
  backups (denied), allow encrypted backups (allowed), or require encrypted
  backups (required).
- The -crypt_strength option specifies the DES key length (40 or 56) that the client
  should use for encrypted backups.
Assume that you want all clients in NetBackup policies policy1 and policy2 to require
encrypted backups with a 56-bit DES key. You would enter a command like this from a
UNIX NetBackup master server (the command is all on one line):
bpinst -CRYPT -crypt_option required -crypt_strength des_56 -policy_names policy1 policy2
Assume that you want client1 and client2 to allow either encrypted or non-encrypted
backups with a 40-bit DES key. You would enter a command like this from a Windows
NetBackup master server (the command is all on one line):
bpinst.exe -CRYPT -crypt_option allowed -crypt_strength des_40 client1 client2
Note: If you are running NetBackup in a clustered environment, pushing software to the
client is only allowed from the active node.
Note: If you are pushing the encryption software to clients located in a cluster, specify the
hostnames of the individual nodes (not the virtual names) in the list of clients.
Pushing Encryption Pass Phrases to Clients
You can use the -passphrase_prompt or -passphrase_stdin option on the bpinst
command to send a pass phrase to a NetBackup client. The NetBackup client uses the pass
phrase to create or update data in its key file. The key file contains data that the client uses
to generate DES keys to encrypt backups.
- If you use the -passphrase_prompt option, you are prompted at your terminal for
  a zero to 63 character pass phrase. The characters are hidden while you type the pass
  phrase. You are prompted again to retype the pass phrase to make sure that is the one
  you intended to enter.
- If you use the -passphrase_stdin option, you must enter the zero to 63 character
  pass phrase twice through standard input. Generally, the -passphrase_prompt
  option is more secure than the -passphrase_stdin option, but
  -passphrase_stdin is more convenient if you use bpinst in a shell script.
Suppose you want to enter a pass phrase for the client named client1 from a UNIX
NetBackup master server through standard input. You would enter commands like the
following:
bpinst -CRYPT -passphrase_stdin client1 <<EOF
Use a better pass phrase than this
Use a better pass phrase than this
EOF
Suppose you want to enter a pass phrase for the client named client2 from a Windows
NetBackup master server. You would enter commands like the following:
bpinst.exe -CRYPT -passphrase_prompt client2
Enter new NetBackup pass phrase: ********************
Re-enter new NetBackup pass phrase: ********************
You may enter new pass phrases fairly often. The NetBackup client keeps information
about old pass phrases in its key file and is able to restore data that was encrypted with
DES keys generated from old pass phrases.
Caution: It is important that you remember the pass phrases including the old pass
phrases. If a client's key file is damaged or lost, you need all of the previous
pass phrases in order to recreate the key file. Without the keyfile, you will be
unable to restore files that were encrypted with the pass phrases.
One thing you must decide is whether to use the same pass phrase for many clients. Using
the same pass phrase is convenient because you can use a single bpinst command to
specify a pass phrase for each client. You can also do redirected restores between clients
that use the same pass phrase.
Note: If you want to prevent redirected restores, you should specify different pass phrases
for each client. This means that you will have to enter a bpinst command for each
client.
Note: If you are running NetBackup in a clustered environment, pushing software to the
client is only allowed from the active node.
Note: If you are pushing the encryption software to clients located in a cluster, specify the
hostnames of the individual nodes (not the virtual names) in the list of clients.
Setting the Encryption Attribute in NetBackup Policies
Each NetBackup policy includes an Encryption attribute.
- If the attribute is set, the NetBackup server requests that NetBackup clients in that
  policy perform encrypted backups.
- If the attribute is clear, the NetBackup server does not request that NetBackup clients
  in that policy perform encrypted backups.
You can use the NetBackup Administration interface to set or clear the Encryption
attribute for a policy.
You can also use the bpinst command to set or clear the Encryption attribute for
NetBackup policies. This is convenient if you want to set or clear the attribute for several
policies.
Suppose you want to set the Encryption attribute for policy1 and policy2 from a UNIX
NetBackup master server. You would enter a command like this:
bpinst -CRYPT -policy_encrypt 1 -policy_names policy1 policy2
where 1 sets the encryption attribute (0 would clear it).
Configuring NetBackup Encryption on the Client
For Microsoft Windows and UNIX clients, you can configure NetBackup Encryption
directly on the client as explained in the following topics.
Note: In release 5.0, Mac OS 9 (and earlier) Macintosh clients are no longer supported.
Clients running Mac OS X 10.2.2 and higher are supported and are considered
UNIX clients in this document.
Obtaining NetBackup Encryption Software
If the client does not allow server writes, you must coordinate with the master server
administrator to obtain the NetBackup Encryption software. On a UNIX client, server
writes are not allowed if DISALLOW_SERVER_WRITES is present in the bp.conf file. On
Microsoft Windows clients, server writes are not allowed if the Allow server directed
restores box is not selected on the General tab of the NetBackup Configuration dialog box
(open this dialog box by clicking Actions > Configure in the client-user interface).
The NetBackup Encryption client software has been installed on the master server in the
following directories (by default):
Windows master server:
install_path\lib\client
UNIX master server:
/usr/openv/lib/client
The client directory contains directories with names that correspond to the various
hardware platforms that NetBackup Encryption supports. The hardware directories
contain directories with names that correspond to the various operating systems
supported by NetBackup Encryption. The operating system directories contain the
NetBackup library or libraries for that hardware platform and operating system.
You must copy the library or libraries for your client platform from the master server to
the appropriate directory on your client.
The directory on the client is specified with the CRYPT_LIBPATH configuration option on
the client.
The default directory for Microsoft Windows clients is:
install_path\NetBackup\bin
The default directory for UNIX clients is:
/usr/openv/lib
Suppose you have a Solaris 8 client and you have permission to FTP to a UNIX NetBackup
master server to get your NetBackup Encryption software. You would enter commands
like this:
cd /usr/openv
mkdir lib
cd lib
ftp master
ftp> cd /usr/openv/lib/client/Solaris/Solaris8
ftp> binary
ftp> mget *
ftp> quit
The library names are:
libvdes40.suffix
libvdes56.suffix
For some platforms, we also provide 64-bit libraries:
libvdes40_64.suffix
libvdes56_64.suffix
Where suffix is so, sl, or dll depending on the platform. You need libvdes40.suffix to use
40-bit DES keys. You need both libvdes40.suffix and libvdes56.suffix to use 56-bit DES
keys.
Managing NetBackup Encryption Configuration Options
There are four encryption-related configuration options on a NetBackup client. Ensure
that these options are set to the appropriate values for your client. These will be set if you
run the bpinst -CRYPT command from the master server to the client name.
CRYPT_OPTION = option
    Defines the encryption options on NetBackup clients. The possible values for
    option are:
    denied|DENIED
        Specifies that the client does not permit encrypted backups. If the server
        requests an encrypted backup, it is considered an error. This is the default
        value.
    allowed|ALLOWED
        Specifies that the client allows either encrypted or unencrypted backups.
    required|REQUIRED
        Specifies that the client requires encrypted backups. If the server requests an
        unencrypted backup, it is considered an error.
CRYPT_STRENGTH = strength
    Defines the encryption strength on NetBackup clients. The possible values for
    strength are:
    des_40|DES_40
        Specifies 40-bit DES encryption. This is the default value.
    des_56|DES_56
        Specifies 56-bit DES encryption.
CRYPT_LIBPATH = directory_path
    Defines the directory that contains the encryption libraries on NetBackup clients.
    The default value on UNIX systems is:
    /usr/openv/lib/
    The default value on Windows systems is:
    install_path\NetBackup\bin\
    Where install_path is the directory where NetBackup is installed and by default is
    C:\VERITAS.
CRYPT_KEYFILE = file_path
    Defines the file that contains the encryption keys on NetBackup clients.
The default value on Windows systems is:
install_path\NetBackup\bin\keyfile.dat
The default value on UNIX systems is:
/usr/openv/netbackup/keyfile
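The following script is an added example, not part of the VERITAS guide: it reads a UNIX client's bp.conf and reports the effective values of the four CRYPT_* options, applying the defaults listed above when an entry is absent. The function names, the sample file and the handling of repeated entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the guide): audit the encryption entries of a bp.conf.

# bpconf_get FILE KEY DEFAULT -> prints KEY's value, or DEFAULT when unset.
# Assumption: if KEY appears more than once, the last entry is reported.
bpconf_get() {
    awk -v key="$2" -v def="$3" '
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# audit_bpconf FILE -> prints one line per observation; the return status is
# the number of WARN/FAIL findings (0 = encryption required with des_56).
audit_bpconf() {
    ab_conf=$1
    ab_findings=0
    ab_opt=$(bpconf_get "$ab_conf" CRYPT_OPTION denied | tr 'A-Z' 'a-z')
    ab_str=$(bpconf_get "$ab_conf" CRYPT_STRENGTH des_40 | tr 'A-Z' 'a-z')

    case $ab_opt in
        required) echo "OK   CRYPT_OPTION=required" ;;
        allowed)  echo "WARN CRYPT_OPTION=allowed: unencrypted backups are still accepted"
                  ab_findings=$((ab_findings + 1)) ;;
        denied)   echo "FAIL CRYPT_OPTION=denied (the default): client refuses encrypted backups"
                  ab_findings=$((ab_findings + 1)) ;;
        *)        echo "FAIL CRYPT_OPTION=$ab_opt is not a documented value"
                  ab_findings=$((ab_findings + 1)) ;;
    esac
    case $ab_str in
        des_56) echo "OK   CRYPT_STRENGTH=des_56" ;;
        des_40) echo "WARN CRYPT_STRENGTH=des_40 (the default): 40-bit DES keys"
                ab_findings=$((ab_findings + 1)) ;;
        *)      echo "FAIL CRYPT_STRENGTH=$ab_str is not a documented value"
                ab_findings=$((ab_findings + 1)) ;;
    esac

    echo "INFO CRYPT_LIBPATH=$(bpconf_get "$ab_conf" CRYPT_LIBPATH /usr/openv/lib/)"
    echo "INFO CRYPT_KEYFILE=$(bpconf_get "$ab_conf" CRYPT_KEYFILE /usr/openv/netbackup/keyfile)"
    # Presence of this entry blocks bpinst -CRYPT pushes from the master server.
    if grep -q '^[[:space:]]*DISALLOW_SERVER_WRITES' "$ab_conf"; then
        echo "INFO DISALLOW_SERVER_WRITES present: configure encryption on the client itself"
    fi
    return "$ab_findings"
}

# Constructed sample bp.conf (not taken from a real client).
ab_sample=$(mktemp)
cat > "$ab_sample" <<'EOF'
SERVER = master
CLIENT_NAME = client1
CRYPT_OPTION = allowed
DISALLOW_SERVER_WRITES
EOF
audit_bpconf "$ab_sample" || echo "findings: $?"
rm -f "$ab_sample"
```

On a real client, pass /usr/openv/netbackup/bp.conf (the usual location, which this section does not state) as the argument.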
Managing the NetBackup Encryption Key File
Note: The key file must be the same on all nodes in a cluster.
Each NetBackup client that does encrypted backups and restores needs a key file. The key
file contains data that the client uses to generate DES keys to encrypt backups.
You can use the bpkeyfile command on the client to manage the key file. Check the
bpkeyfile command description in the NetBackup Commands guide for a detailed
description.
The first thing you need to do is to create a key file if it does not already exist. The key file
will exist if you set a passphrase from the bpinst -CRYPT command from the master
server to this client name. The file name should be the same as the file name specified with
the CRYPT_KEYFILE configuration option.
For Windows clients, the default key file name is:
install_path\NetBackup\bin\keyfile.dat
For UNIX clients, the default key file name is:
/usr/openv/netbackup/keyfile
You need to decide how you want to encrypt the key file. The key file is encrypted by a
DES key generated from a key file pass phrase. Usually, you will use the standard key file
pass phrase which is hardcoded into NetBackup applications. However, for added
security you may want to use your own key file pass phrase. See "Additional Key File
Security (UNIX clients only)" on page 20 for more details.
Note: If you do not want to use your own key file pass phrase for extra protection as
described in "Additional Key File Security (UNIX clients only)" on page 20, do not
enter a new key file pass phrase. Instead, use the standard key file pass phrase and
enter a new NetBackup pass phrase (see below).
You also must decide what NetBackup pass phrase to use. The NetBackup pass phrase is
used to generate the data that is placed into the key file. That data is used to generate DES
keys to encrypt backups.
Suppose you want to create the default key file on a UNIX client encrypted with the
standard key file pass phrase. You would enter a command like this:
bpkeyfile /usr/openv/netbackup/keyfile
Enter new key file pass phrase: (standard key file pass phrase)
Re-enter new key file pass phrase: (standard key file pass phrase)
Enter new NetBackup pass phrase: ***********************
Re-enter new NetBackup pass phrase: ***********************
You may enter new NetBackup pass phrases fairly often. Information about old pass
phrases is kept in the key file making it possible to restore data that was encrypted with
DES keys generated from old pass phrases. You can use the
-change_netbackup_pass_phrase (or -cnpp) option on the bpkeyfile command
to enter a new NetBackup pass phrase.
Suppose you want to enter a new NetBackup pass phrase on a Windows client. You
would enter a command like this:
bpkeyfile.exe -cnpp install_path\NetBackup\bin\keyfile.dat
Enter old key file pass phrase: (standard key file pass phrase)
Enter new NetBackup pass phrase: **********
Re-enter new NetBackup pass phrase: **********
Caution: It is important that you remember the pass phrases, including the old pass
phrases. If a client's key file is damaged or lost, you need all of the previous
pass phrases in order to recreate the key file. Without the keyfile, you will be
unable to restore files that were encrypted with the pass phrases.
It is important that the key file be accessible to only the administrator of the client
machine. For a UNIX client, this means that its owner is root, its mode bits are 600, and it
should not be on a file system that can be NFS mounted.
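The three UNIX conditions above can be checked with a short script. This is an added example, not part of the guide; the function name is hypothetical, and the network file system test is a heuristic that assumes df reports such mounts as host:/export.

```shell
#!/bin/sh
# Added example (not from the guide): verify a key file's owner, mode and
# backing file system against the conditions stated for UNIX clients.

# check_keyfile PATH [OWNER]
#   PATH   key file to inspect (the value of CRYPT_KEYFILE)
#   OWNER  expected owner, root unless overridden (useful for dry runs)
# Returns the number of failed conditions (0 = all three are met).
check_keyfile() {
    ck_file=$1
    ck_owner=${2:-root}
    ck_bad=0

    if [ ! -f "$ck_file" ]; then
        echo "FAIL $ck_file: not a regular file"
        return 1
    fi

    # ls -ld is used instead of stat(1), whose options differ between platforms.
    # Only the first 10 characters are kept so ACL/SELinux markers are ignored.
    ck_mode=$(ls -ld "$ck_file" | awk '{ print substr($1, 1, 10) }')
    ck_have=$(ls -ld "$ck_file" | awk '{ print $3 }')
    # df -P prints the backing device in column 1 of its second line.
    ck_dev=$(df -P "$ck_file" 2>/dev/null | awk 'NR == 2 { print $1 }')

    if [ "$ck_have" != "$ck_owner" ]; then
        echo "FAIL $ck_file: owner is $ck_have, expected $ck_owner"
        ck_bad=$((ck_bad + 1))
    fi
    # A symbolic link shows up as lrwxrwxrwx here and is reported as well.
    if [ "$ck_mode" != "-rw-------" ]; then
        echo "FAIL $ck_file: mode is $ck_mode, expected -rw------- (600)"
        ck_bad=$((ck_bad + 1))
    fi
    case $ck_dev in
        *:*)
            echo "FAIL $ck_file: stored on network file system $ck_dev"
            ck_bad=$((ck_bad + 1))
            ;;
    esac

    if [ "$ck_bad" -eq 0 ]; then
        echo "OK   $ck_file"
    fi
    return "$ck_bad"
}

# Constructed demonstration: a world-readable stand-in for a key file.
ck_demo=$(mktemp)
chmod 644 "$ck_demo"
check_keyfile "$ck_demo" || echo "key file needs attention"
rm -f "$ck_demo"
```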
You need to consider whether to back up your key file. For encrypted backups, backing
up the key file is of little value since the key file can only be restored if the key file is
already on the client.
You might consider setting up a NetBackup policy that does non-encrypted backups of
the key files of the clients. This will be useful if an emergency restore of the key file is
required. However, this also means that a usable version of one client's key file could be
restored on a different client.
If you want to prevent the key file from being backed up, add the key file's path name to
the client's exclude list.
Redirected Restores of Encrypted Files
To restore an encrypted backup that was made by another client, do the following:
1. The master server must be configured to allow redirected restores, and you (the user)
   must be authorized to perform such restores. Refer to the NetBackup System
   Administrator's Guide for details on redirected restores.
2. Obtain the pass phrase that the other client used when the encrypted backup was
   made. Without that pass phrase, you will not be able to restore the files.
   Note: If your pass phrase is the same as the one used by the other client, skip to step 5.
3. Move or rename your own (current) key file. This preserves your key file when you
   create a new one in the next step.
4. Using the bpkeyfile command, create an encryption key file that matches the one
   used by the other client. The other client's pass phrase must be specified by means of
   the bpkeyfile command:
   bpkeyfile -change_key_file_pass_phrase key_file_path
   where key_file_path is the path for a new key file on your client. This key file will
   match the key file used by the client whose files you want to restore.
   After entering the above command, you will be prompted for the client's pass phrase
   (obtained in step 2). For more information on the bpkeyfile command, refer to the
   NetBackup Commands guide.
5. Restore the desired files that were backed up by the other client. For help with
   redirected restores, refer to the NetBackup User's Guide.
Note: When you have finished restoring encrypted files from the client, rename or delete
the key file created above, and move or rename your own key file to its original
location or name. If you do not re-establish your key file to its original
location/name, you may not be able to restore your own encrypted backups.
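Steps 3 to 5 and the closing note can be wrapped so that the client's own key file is always put back, even when the restore fails or is interrupted. This is an added example, not part of the guide; the function names and the .own.PID suffix are hypothetical, and the caller supplies the bpkeyfile and restore commands.

```shell
#!/bin/sh
# Added example (not from the guide): park this client's key file, run the
# redirected restore with a temporary key file, then re-establish the original.

# wfk_restore: remove the temporary key file and move the parked one back.
wfk_restore() {
    rm -f "$wfk_key"
    if [ -f "$wfk_saved" ]; then
        mv "$wfk_saved" "$wfk_key"
    fi
}

# with_foreign_keyfile KEYFILE COMMAND [ARGS...]
#   KEYFILE  path of this client's key file (the value of CRYPT_KEYFILE)
#   COMMAND  what to run while the key file is swapped out; in real use,
#            bpkeyfile -change_key_file_pass_phrase KEYFILE, then the restore
# Returns COMMAND's exit status, or 2 if the key file could not be parked.
with_foreign_keyfile() {
    wfk_key=$1
    shift
    wfk_saved="$wfk_key.own.$$"      # hypothetical name for the parked copy

    if [ -e "$wfk_saved" ]; then
        echo "refusing to overwrite $wfk_saved" >&2
        return 2
    fi
    # Step 3: move the current key file out of the way (mv keeps owner and mode).
    if [ -f "$wfk_key" ]; then
        mv "$wfk_key" "$wfk_saved" || return 2
    fi
    # Put the original back if the operator interrupts the restore.
    trap 'wfk_restore; exit 130' INT TERM HUP

    wfk_rc=0
    "$@" || wfk_rc=$?                # steps 4 and 5, supplied by the caller

    # Closing note: delete the temporary key file, restore the original name.
    wfk_restore
    trap - INT TERM HUP
    return "$wfk_rc"
}

# Constructed demonstration: a stub stands in for bpkeyfile and the restore.
wfk_demo=$(mktemp -d)
printf 'own-key-data\n' > "$wfk_demo/keyfile"
wfk_stub() { printf 'foreign-key-data\n' > "$1"; echo "restoring with $(cat "$1")"; }
with_foreign_keyfile "$wfk_demo/keyfile" wfk_stub "$wfk_demo/keyfile"
echo "afterwards: $(cat "$wfk_demo/keyfile")"
rm -rf "$wfk_demo"
```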
Setting Encryption in NetBackup Policies
Each NetBackup policy includes an Encryption attribute. This attribute must be set on a
master server. For more details, see "Configuring from the Master Server" on page 9.
Additional Key File Security (UNIX clients only)
This section applies only to UNIX NetBackup clients. The additional security described
here is not available for Windows clients.
Note: We do not recommend using the additional key file security feature in a cluster.
The key file for an Encryption client is encrypted using a DES key generated from a key
file pass phrase. By default, the key file is encrypted using a DES key generated from the
standard key file pass phrase that is hardcoded into NetBackup.
Using the standard key file pass phrase makes it possible to perform automated
encrypted backups and restores in much the same way as non-encrypted backups and
restores.
However, if an unauthorized person gains access to your client's key file, that person may
be able to figure out what encryption keys you use for backups or use the key file to
restore your client's encrypted backups. That's why it is important that only the
administrator of the client should have access to the key file.
For extra protection, you can use your own key file pass phrase to generate the DES key to
encrypt the key file. If an unauthorized person gains access to this key file, it is much more
difficult for that person to use the key file to attempt to restore your client's backed up
files.
If you use your own key file pass phrase, backups and restores are no longer as automated
as before. Following is a description of what happens on a UNIX NetBackup client if you
have used your own key file pass phrase.
When a NetBackup server wants to start a backup or restore on a client, it connects to the
bpcd daemon on the client and makes a request.
Normally, bpcd is configured in the /etc/inetd.conf file on the client and is initiated
through the inetd daemon.
To perform an encrypted backup or restore, bpcd needs to decrypt and read the key file.
If the standard key file pass phrase is used, bpcd can decrypt the key file automatically
and the normal inetd method can be used to initiate bpcd.
If you use your own key file pass phrase, bpcd can no longer decrypt the key file
automatically and the inetd method cannot be used. You must initiate bpcd as a
standalone program, as described in the following section.
Note: In a clustered environment, if you change the key file on one node, you must make
the same change in the key file on all nodes.
Running bpcd as a Standalone Program
1. Edit the /etc/inetd.conf file by removing or commenting out the bpcd entry.
   The bpcd entry looks something like this:
   bpcd stream tcp nowait root /usr/openv/netbackup/bin/bpcd bpcd
2. Force inetd to reread its configuration file. The method to force inetd to reread its
   configuration file varies from platform to platform. The easiest method is to reboot
   the machine.
3. Change the key file pass phrase. Use the -change_key_file_pass_phrase (or
   -ckfpp) option on the bpkeyfile command to do this. For example:
   bpkeyfile -ckfpp /usr/openv/netbackup/keyfile
   Enter old key file pass phrase: (standard key file pass phrase)
   Enter new key file pass phrase: (standard key file pass phrase) ******
   Re-enter new key file pass phrase: (standard key file pass phrase) ******
   If you type a carriage return at the prompt, the standard key file pass phrase will be
   used.
4. Initiate bpcd as a standalone program. Do this by entering the bpcd command with
   the -keyfile option and then entering the new key file pass phrase when prompted.
   bpcd -keyfile
   Please enter key file pass phrase: ******
   bpcd now runs in the background waiting for requests from the NetBackup server.
   You can change the key file pass phrase at any time with the bpkeyfile command
   and the -ckfpp option. The new key file pass phrase does not take effect until the
   next time you start bpcd.
   You can also change the NetBackup pass phrase (used to generate the DES keys to
   encrypt backups) at any time with the bpkeyfile command and the -cnpp option.
   However, the new NetBackup pass phrase does not take effect until you kill the
   current bpcd process and restart bpcd.
Terminating bpcd
To terminate bpcd on UNIX clients, use the ps command to find its process ID and
issue the kill command for that process ID. Then use ps to verify that bpcd has
been terminated. For most UNIX clients, you can use the -ef argument on the ps
command.
For example:
ps -ef | grep bpcd
root 148 1 0 00:18:30 ? 0:00 bpcd
kill 148
ps -ef | grep bpcd