Valued Contributor.

unable to restore... AES256 encryption

DP 9.07. CM is running on RHEL 6.8

I'm trying to get EADR to work (to verify that it works, not because I need it to work) for a random DP client. 

I've generated an ISO, mounted it as virtual media on the iLO, and have booted it. Because the original system is still online, I enter the shell and set up networking with an IP for a test host. I select Default restore. After some processing, I'm asked "Do you want to use AES key file for decryption [y/n]?" No matter how I answer, Y or N, it eventually asks me to enter the path to the AES key file.

I'm using disk based encryption, not software encryption.

But when I look in the recovery.srd file, I see "-encrypt aes256" associated with all of the filesystems, so I'm guessing this is why I'm being asked for an AES key file. Correct?

If so, how do I find out where aes256 is set on my cell manager so that I can turn it off? When I grep for aes256 in my backup spec, I find nothing. 

6 Replies
Micro Focus Expert

Hi Redneck,

It seems someone enabled it either on the Filesystem Options (for the whole backup spec) or in the Object Properties (on a per-object basis). This is a licensed feature that requires one encryption license per client. I don't see that widely used, because it makes hardware compression/deduplication on backup media nearly impossible.

[screenshot attachment: 2016-08-26_06h47_44.png]

Regards,
Sebastian Koehler

Valued Contributor.

If that was set in the Filesystem Option or the Object Property, wouldn't aes256 show up in the backup spec?

For example, my backup spec currently looks like:

# grep -i aes256 All_Physical_Clients_Inc
# echo $?
1

And here's what it looks like after I set AES256 on one system:

# grep -i aes256 All_Physical_Clients_Inc
-encode "aes256"
# echo $?
0

So, is there some place that aes256 could be set such that its presence wouldn't be required in a backup spec?

Micro Focus Expert

The second option is that encryption was enabled on the backup device (LTO4 and later) and an offline restore is performed. In this case the encryption key must be supplied. An offline restore happens when the client with the MiniOS (EADR recovery image) is not able to ask the Cell Manager for the encryption key via the network. Is this the case? Maybe due to the temporary address you assigned.

Regards,
Sebastian Koehler

Valued Contributor.

All my drives are LTO-5 or LTO-6. 

When I use omnidownload to look at their settings, I see 'ENCRYPT' in the output. But I don't see any way to change that using the GUI.

I did perform an offline restore. But when I changed the network settings, ping worked fine both to and from the test system. It should have had no problems communicating with the cell manager. However, I'll try a restore without changing the networking, though I think the test host would have problems communicating with the cell manager, because Linux tends to check if an IP is in use before bringing the network interface up.

Thanks for your help, Sebastian.

Micro Focus Expert

You are looking for this option in the GUI: Device & Media => Device Properties.

[screenshot attachment: 2016-08-26_16h33_34.png]

When I say "Offline Restore" I mean it from an EADR perspective. Here is a section from DisasterRecovery.pdf.

Note that Data Protector first tries to perform an online restore. If the online restore fails for
any reason (for example, the Cell Manager or network service is not available or firewall is
preventing access to the Cell Manager) Data Protector tries to perform remote offline recovery. If
the remote offline restore fails (for example, because the Media Agent host accepts requests only
from the Cell Manager), Data Protector performs a local offline restore.

Regards,
Sebastian Koehler

Valued Contributor.

Well, it seems that while Linux checks to see if an IP is in use, DR-OS does not. Grrr.

What I did was to modify the recovery.srd file to replace "-encrypt aes256" with "-encrypt none". The restore is now progressing. There are notes in the output that drive based encryption is being used.

I'll file a support request asking why my modification enabled the restore to run.

Thanks for your assistance, Sebastian.

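The two checks that the thread goes through, together with the edit the original poster finally made to recovery.srd, as an added shell example. This is not code from the thread, from Micro Focus or from Data Protector. The sample backup spec and SRD written by write_samples are constructed and do not reproduce the real file layouts; the only assumption is what the thread's own grep output suggests, namely that the spec carries the token -encode "aes256" and the SRD carries the token -encrypt aes256 on the line of the object they apply to (note that the two tokens differ, so grepping a backup spec for "aes256" only tells you about spec-level software encryption, not about what the SRD says). The caveat a practitioner wants: rewriting -encrypt aes256 to -encrypt none only stops the DR-OS from prompting for a key file; if an object really was written with Data Protector software encryption, the data still cannot be decrypted without that key, so this is only safe where the media was written with drive-based (LTO) encryption, as in the poster's case.

```shell
#!/bin/sh
# Added example, not from the thread or from Data Protector: audit the
# encryption flags in a backup spec ("-encode \"aes256\"") and in an EADR
# recovery.srd ("-encrypt aes256"), and write a copy of the SRD with the
# software-encryption flag cleared.

# Number of objects in a backup spec carrying DP software encryption.
# The spec token is "-encode", not "-encrypt": a grep for the SRD token
# finds nothing here, which is what confused the thread.
spec_aes_count() {
    grep -c -- '-encode "aes256"' "$1" || true
}

# SRD lines whose -encrypt value is anything other than "none", i.e. the
# objects for which the DR-OS will ask for an AES key file.
srd_encrypted_lines() {
    grep -- '-encrypt' "$1" | grep -v -- '-encrypt none' || true
}

# Copy the SRD with "-encrypt aes256" replaced by "-encrypt none" and print
# the number of lines changed. Use only for objects written with drive-based
# encryption: this suppresses the key-file prompt, it does not decrypt data
# that really was software-encrypted.
srd_clear_aes() {
    in="$1"; out="$2"
    sed 's/-encrypt aes256/-encrypt none/g' "$in" > "$out"
    diff "$in" "$out" | grep -c '^<' || true
}

# Constructed sample inputs (not real Data Protector file layouts) so the
# script runs offline: one spec object with AES, and an SRD in which two
# filesystems carry -encrypt aes256 and one carries -encrypt none.
write_samples() {
    dir="$1"
    cat > "$dir/All_Physical_Clients_Inc" <<'EOF'
# constructed sample, not real backup-spec syntax
testhost:/      -encode "aes256"
testhost:/boot
EOF
    cat > "$dir/recovery.srd" <<'EOF'
# constructed sample, not the real SRD layout
testhost:/      -encrypt aes256
testhost:/boot  -encrypt aes256
testhost:/var   -encrypt none
EOF
}

# Demo when run directly: audit both files, then clear the flag.
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    echo "spec objects with software AES: $(spec_aes_count "$tmp/All_Physical_Clients_Inc")"
    echo "SRD objects that will prompt for a key file:"
    srd_encrypted_lines "$tmp/recovery.srd"
    changed=$(srd_clear_aes "$tmp/recovery.srd" "$tmp/recovery.srd.new")
    echo "SRD lines rewritten: $changed"
    rm -rf "$tmp"
}
demo
```

Run it against a real recovery.srd only after confirming in Device & Media => Device Properties that the drives, not the backup spec, are where encryption is enabled; if spec_aes_count on the live spec is non-zero, the objects were software-encrypted and the key file is genuinely required.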