
Not able to do software encrypted backup


Hi Everybody,

 

I am using Data Protector A.06.20, upgraded from A.06.00. Now I am trying to encrypt my backup but am not able to do so.

I am generating keys using omnikeytool -create, then performing the backup, then trying to restore it.

Now when I try to restore on some other machine, it restores directly without asking to decrypt it.

Any help on how to do encryption on 6.20?

Attaching some screenshots for reference.

Any help will be very much appreciated.

 

Regards

Syed


You don't need to create any keys in advance, since this is done by Data Protector during runtime. For example, I did an encrypted backup yesterday. (just enabled the flag on the target device in the backup job / see screenshot)

 

You find the following in the session log...

 

[Normal] From: BMA@ma.domain.com "LTO4_D1"  Time: 31.01.2012 19:57:30
    Drive based encryption enabled.

 

The key is created and stored in the IDB keystore.

 

O:\OmniBack\bin>omnikeytool.exe -list

Encryption keys in StoreID: 681B7D50000000000000000000000000

Flags              KeyID               Date       Time    Type         Description
-------------------------------------------------------------------------------------------------
--A  0019BBCF6A149A39284F000000000000 2012-01-31 19:57:30 AES256_CTR Automatic key creation

 

If you check the media after backup, you will see status, encrypted = yes. (see screenshot)

 

Regards,

Sebastian

---
Please use the Like button below, if you find this post useful.

Hi Sebastian,

 

Thanks for your reply and screenshot. But I am trying to do software-based encryption, not drive-based encryption, as I am using LTO-3 only.

So can you please share with me the steps and screenshots for enabling software-based encryption in Data Protector 6.20?

 

Regards

Syed


Hi Syed,

 

In the Backup Tab right click the filesystem backup that you wish to encode and select properties.

Now switch to Options and select the middle advanced button (filesystem options advanced)

Now switch to Other tab in the pop-up options and in the Data Security drop-down box select AES 256-bit.

Apply your changes and your backup specification will use sw encryption and encrypt your backups.

 

P.S. Be prepared for a much slower throughput than before. SW encryption can also be very resource intensive on the client, so make sure that there are free resources (RAM & CPU, but mostly RAM).

 

You can also encrypt integration backups in the same way - via options advanced options tab.

 

To encrypt your DP IDB backup you need to do this via the backup object summary tab (Select the IDB then select properties -> other -> data security -> AES 256-bit)

 

Finally, if you are encrypting your IDB backup then make sure that you write a small script to export your encryption key database out into CSV format somewhere safe (then ideally email it to an external email - googlemail/hotmail or similar). If you ever need to DR your database you will need this CSV file to import the keys into the new installation, otherwise you won't be able to restore your IDB from tape. (Search the CLIR for omnikeytool, this is the command you need to export the keystore database.)

 

Good Luck!

regards,
jenni

--------------------------------------------------------------------------------
If my post was useful, please click on KUDOS!
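
Added example, not part of either post above and not HP code: a Python check over the two outputs Sebastian quoted (session log and `omnikeytool -list`) that confirms a key was created when the drive reported encryption, and lists keystore keys not yet covered by the offline export Jenni recommends. The function names, the 60-second matching window and the `escrowed_ids` set (KeyIDs you have confirmed are in your exported copy) are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample input: the two outputs quoted in the thread.
SESSION_LOG = '''[Normal] From: BMA@ma.domain.com "LTO4_D1"  Time: 31.01.2012 19:57:30
    Drive based encryption enabled.
'''
KEY_LIST = '''Encryption keys in StoreID: 681B7D50000000000000000000000000

Flags              KeyID               Date       Time    Type         Description
-------------------------------------------------------------------------------------------------
--A  0019BBCF6A149A39284F000000000000 2012-01-31 19:57:30 AES256_CTR Automatic key creation
'''

KEY_ROW = re.compile(r"^(\S+)\s+([0-9A-F]{32})\s+(\d{4}-\d\d-\d\d)\s+"
                     r"(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")
LOG_HDR = re.compile(r'^\[(\w+)\] From: (\S+) "([^"]*)"\s+Time: (\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d)')

def parse_key_list(text):
    """Return (store_id, [key dicts]) from `omnikeytool -list` output."""
    store = re.search(r"StoreID:\s*([0-9A-F]{32})", text)
    keys = []
    for line in text.splitlines():
        m = KEY_ROW.match(line.strip())
        if m:
            keys.append({"flags": m[1], "key_id": m[2],
                         "created": datetime.strptime(f"{m[3]} {m[4]}", "%Y-%m-%d %H:%M:%S"),
                         "type": m[5], "description": m[6]})
    return (store.group(1) if store else None), keys

def encryption_events(log_text):
    """Return [(device, time)] for messages reporting drive based encryption."""
    events, current = [], None
    for line in log_text.splitlines():
        m = LOG_HDR.match(line)
        if m:
            # Assumes the DD.MM.YYYY date format shown in the thread's log excerpt.
            current = (m[3], datetime.strptime(m[4], "%d.%m.%Y %H:%M:%S"))
        elif current and "drive based encryption enabled" in line.lower():
            events.append(current)
    return events

def audit(log_text, list_text, escrowed_ids, slack_seconds=60):
    """Devices with no key created near the log event, and KeyIDs missing from escrow."""
    _, keys = parse_key_list(list_text)
    no_key = [dev for dev, t in encryption_events(log_text)
              if not any(abs((k["created"] - t).total_seconds()) <= slack_seconds for k in keys)]
    not_escrowed = [k["key_id"] for k in keys if k["key_id"] not in escrowed_ids]
    return no_key, not_escrowed
```

An empty first list means every encryption message in the log has a matching key; any KeyID in the second list should be exported before the next IDB backup is relied on for disaster recovery.
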

Hi Jenni,

 

Thanks for describing so briefly about doing software encryption. I have followed your steps but even then I am not able to encrypt my backup.

 

Attaching the screenshot for your reference.

 

Regards

Syed


Sorry Syed, it's been a while since I used SW encryption and they changed the process! I've edited my earlier post so it's correct now. You're nearly there, you just need to change your selection in data security to AES 256-bit and this should do it.

You learn something new every day with DP, don't you? Thanks for the heads-up! 🙂

regards,
jenni

--------------------------------------------------------------------------------
If my post was useful, please click on KUDOS!

Please remember that an encryption extension (BB618AA or BB618BA) is required per client used for software encrypted backup. It has one advantage over the hardware encryption: the data between MA and DA is encrypted as well, which can be used on less secure networks.

Regards,
Sebastian
---
Please use the Like button below, if you find this post useful.

Hello Sebastian & Jenni,

Sorry, I was on leave so I am responding a bit late. Many thanks for your support and sharing of knowledge.

Today I tried to select AES256 and perform a backup; it gave me the error no license installed for media & disk agent. As Sebastian already informed me, I need a license for it. It's OK. But I have a query: before upgrading to A.06.20, in A.06.00, when I used to select Encode from the advanced options I was able to encrypt my backup, so why not the same thing in A.06.20?

I will try to explain my scenario in A.06.00.

I used to take an encrypted backup of my 2-node cluster server. Before taking the encrypted backup I just used to go on each client node and generate a key with omnikeytool. Now suppose I have to restore my node1 backup on node2: I just used to rename the node2 file, copy the omnikey file of node1 to node2, and it would restore.

Is any such procedure available on A.06.20?

Also, when I am selecting Encode in A.06.20 and perform a backup I am getting the message "Data Protector library used for encoding". What does it mean?

Thanks a lot for all your support.

 

Regards

Syed


Hi Syed,

 

AES-256 SW encryption was first introduced to DP after DP6.00 was already released. At that time there were no license restrictions. Each DA or MA was responsible for its own keys and there was a lot of manual effort involved (as you have described) to restore data to other clients or via other media servers.

 

When DP6.10 was released SW encryption became a licensable feature, I think mostly due to the fact that there was a centralised keystore on the cell manager and automatic key generation.

 

There is no way in DP6.2 to use the same functionality you used in DP6.0 without buying an encryption license.

 

So you have 2 options now to continue to use encryption with DP:

 

1) Buy the appropriate sw encryption license

 - or -

2) Upgrade your tape device & media to LTO4 or LTO5 and use HW encryption which doesn't need a license

 

The option Encode is not as secure as encryption and only protects over-the-network data transfers. Here is what the help files say about it:

 

Data Protector lets you encode filesystem and disk image data to prevent others from accessing this data while it is being transferred over the network. Data is encoded before it is transferred over the network and before it is written to media. By default, the encode option is set to OFF.

 

Data Protector offers a simple built-in XOR algorithm implemented in a shared C program library. Since Data Protector provides the API used by the Disk Agent to interface with the data encoding module, you can substitute your own internal data encoding algorithms for greater security. Do this by writing your own data encoding module, compiling it into a library, and substituting the new library for the default Data Protector library. Note that after changing the encoding library, a full backup should be performed.

 

The reason your message says "Data Protector library used for encoding" is because you haven't written your own code and substituted the default DP library.

 

Hope this helps you a bit!

 

regards,
jenni

--------------------------------------------------------------------------------
If my post was useful, please click on KUDOS!


Hi Jenni,

 

Thanks a lot for your support and describing so briefly on the topic.

I am planning to buy the required license, as changing the tape drive & tape is a bit difficult because of so huge old backup. Once I buy the license and am able to encrypt my backup I will update here.

 

Once again many Thanks Jenni & Sebastian for your wonderful support. I didn't get such support even from HP Data Protector Team also.

 

Regards

Syed


Hello Experts,

 

I am planning to buy a software encryption license for Data Protector. We are buying BB618AAE, the same product as mentioned by Sebastian.

But HP is telling us that prior to buying BB618AAE we must have B6961BAE (this is basically the 6.20 DP Cell Manager).

Now my question is that I have purchased a license for DP A.06.00 and then upgraded to A.06.20. So if I want to buy the BB618AAE product, can I buy it or not?

Many thanks for all your support.

 

Regards

Syed


Sorry, I missed one query.

After enabling AES software encryption for backup, does the encryption have an impact on the backup performance? Will backup become slow after enabling AES?

 

Regards

Syed
