unable to restore... AES256 encryption

DP 9.07. CM is running on RHEL 6.8

I'm trying to get EADR to work (to verify that it works, not because I need it to work) for a random DP client. 

I've generated an iso, mounted it as virtual media on the iLO, and have booted it. Because the original system is still online, I enter the shell and set up networking with an IP for a test host. I select Default restore. After some processing, I'm asked "Do you want to use AES key file for decryption [y/n]?"  No matter how I answer, Y or N, it eventually asks me to enter the path to the AES key file. 

I'm using disk based encryption, not software encryption.

But when I look in the SRD file, recovery.srd, I see "-encrypt aes256" associated with all of the filesystems, so I'm guessing this is why I'm being asked for an AES key file. Correct? 

If so, how do I find out where aes256 is set on my cell manager so that I can turn it off? When I grep for aes256 in my backup spec, I find nothing. 

  • Hi Redneck,

    It seems someone enabled it either in the Filesystem Options (for the whole backup spec) or in the Object Properties (on a per-object basis). This is a licensed feature that requires one encryption license per client. I don't see that widely used, because it makes hardware compression/deduplication on backup media nearly impossible.

    Please use the Accept Solution button next to my post and assign a KUDO (thumbs up icon) if this works for you.

    Regards,
    Sebastian Koehler


  • If that was set in the Filesystem Option or the Object Property, wouldn't aes256 show up in the backup spec?

    For example, my backup spec currently looks like:

    # grep -i aes256 All_Physical_Clients_Inc
    # echo $?
    1

    And here's what it looks like after I set AES256 on one system:

    # grep -i aes256 All_Physical_Clients_Inc
    -encode "aes256"
    # echo $?
    0

    So, is there some place that aes256 could be set such that its presence wouldn't be required in a backup spec?

The second option is that encryption was enabled on the backup device (LTO4 and later) and an offline restore is performed. In this case the encryption key must be supplied. An offline restore happens when the client with the MiniOS (EADR recovery image) is not able to ask the Cell Manager for the encryption key via the network. Is this the case? Maybe due to the temporary address you assigned.

    Regards,
    Sebastian Koehler

  • All my drives are LTO-5 or LTO-6. 

    When I use omnidownload to look at their settings, I see 'ENCRYPT' in the output. But I don't see any way to change that using the GUI.

    I did perform an offline restore. But when I changed the network settings, ping worked fine both to and from the test system. It should have had no problems communicating with the cell manager. However, I'll try a restore without changing the networking, though I think the test host would have problems communicating with the cell manager, because Linux tends to check if an IP is in use before bringing the network interface up.

    Thanks for your help, Sebastian.

You are looking for this option in the GUI: Devices & Media => Device Properties.

    When I say "Offline Restore" I mean it from an EADR perspective. Here is a section from DisasterRecovery.pdf.

    Note that Data Protector first tries to perform an online restore. If the online restore fails for
    any reason (for example, the Cell Manager or network service is not available or firewall is
    preventing access to the Cell Manager) Data Protector tries to perform remote offline recovery. If
    the remote offline restore fails (for example, because the Media Agent host accepts requests only
    from the Cell Manager), Data Protector performs a local offline restore.

    Please use the Accept Solution button next to my post and assign a KUDO (thumbs up icon) if this works for you.

    Regards,
    Sebastian Koehler

  • Well, it seems that while Linux checks to see if an IP is in use, DR-OS does not. Grrr.

    What I did was to modify the recovery.srd file to replace "-encrypt aes256" with "-encrypt none". The restore is now progressing. There are notes in the output that drive based encryption is being used.

    I'll file a support request asking why my modification enabled the restore to run.

    Thanks for your assistance, Sebastian.
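The workaround in the last post (editing "-encrypt aes256" to "-encrypt none" in recovery.srd) can be done so that the original SRD is kept and the number of changed lines is checked before and after. The script below is an added example, not code from the thread or from Data Protector. It assumes only what the thread shows: the SRD is a plain-text file in which each filesystem object line carries an "-encrypt <mode>" setting. The sample SRD it builds is constructed for the demo (the "-object" keyword is invented for illustration and is not the real SRD syntax), and the edited copy is written next to the original as <file>.noaes rather than overwriting it, so the unmodified file is still available for the support case.

```shell
#!/bin/sh
# Added example (not from the original thread or from Data Protector):
# count "-encrypt aes256" object lines in an SRD file and produce an
# edited copy with "-encrypt none", leaving the original untouched.
# Assumption: each filesystem object line carries "-encrypt <mode>"
# exactly as quoted in the thread.

# Print how many lines in FILE request AES-256 software decryption.
# grep -c prints the count even when it is 0 (and then exits 1), so the
# exit status is ignored and a missing value is reported as 0.
srd_aes_count() {
    n=$(grep -c -- '-encrypt aes256' "$1") || true
    printf '%s\n' "${n:-0}"
}

# Write FILE.noaes with every "-encrypt aes256" turned into
# "-encrypt none" and print the number of lines that changed.
# The original FILE is not modified.
srd_disable_aes() {
    before=$(srd_aes_count "$1")
    sed 's/-encrypt aes256/-encrypt none/g' "$1" > "$1.noaes"
    after=$(srd_aes_count "$1.noaes")
    printf '%s\n' "$((before - after))"
}

# Build a constructed sample SRD in a temp file and print its path.
# This is NOT a real Data Protector SRD; the "-object" keyword is an
# assumption used only so the example can run offline.
make_sample_srd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real recovery.srd (format assumed)
-object "/"     -encrypt aes256
-object "/boot" -encrypt aes256
-object "/var"  -encrypt none
EOF
    printf '%s\n' "$f"
}

# Usage: show the counts before and after on the constructed sample.
sample=$(make_sample_srd)
echo "aes256 objects before: $(srd_aes_count "$sample")"
echo "lines changed:         $(srd_disable_aes "$sample")"
echo "aes256 objects after:  $(srd_aes_count "$sample.noaes")"
rm -f "$sample" "$sample.noaes"
```

On a real recovery.srd, run srd_aes_count on the file first: if it prints 0, the "-encrypt aes256" flag is not what triggers the key-file prompt and the device-level encryption path Sebastian describes is the more likely cause. Keep the .noaes copy and the original side by side; diff between them should show nothing but the encryption flags.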