Applies to: All versions of NetBackup 5.1, 6.0 and 6.5 on platforms supporting
the media server encryption option.
Note: This is a living document and will be subject to periodic updates. Please
check the date and version number to ensure you are referencing the latest
version.
This document is provided for informational purposes only and is intended for distribution only by Symantec employees to selected
partners and customers. All warranties relating to the information in this document, either express or implied, are disclaimed to the
maximum extent allowed by law. The information in this document is subject to change without notice. Copyright © 2009 Symantec
Corporation. All rights reserved. Symantec, the Symantec logo and NetBackup are trademarks or registered trademarks of Symantec
Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
A guide to best practices for using the NetBackup Media Server Encryption Option
Table of Contents
1. Introduction
1.1. Introducing MSEO
1.2. What Types of Encryption are Available?
1.3. Choosing an Encryption Strength
2. MSEO Components & Architecture
2.1. Writing to Tape – Backup, Inline Copy, and Duplication
2.1.1. MSEO Variables
2.1.2. MSEO Policies
2.2. Reading from Tape - Restore
3. Key Creation and Management
3.1. Key Primer
3.1.1. Where and How Different Encryption Methods are Used
3.2. Managing RSA Key Pairs
3.3. Encrypting RSA Key Pairs
3.4. Sharing RSA Key Pairs Among Security Servers
4. Sample Configurations
4.1. Small Configuration
4.1.1. Small Configuration Data Points
4.2. Medium Configuration
4.2.1. Medium Configuration Data Points
4.3. Large Configuration
4.3.1. Large Configuration Data Points
5. Synchronizing MSEO installations
6. Data Classification
7. Implementation
7.1. Performance Considerations
7.2. Virtual tape driver Configuration
7.3. Default Tape Driver Configuration
7.3.1. Solaris
7.3.2. Windows
7.3.3. Linux
7.4. Tape Library Partitioning
8. Protecting the MSEO Security Server
9. Reporting
10. Appendix I - MSEO Policies
10.1. Additional MSEO Policy Variables
10.2. Notes Regarding Duplication and Disk Staging
10.3. Configuring NetBackup Policies to use MSEO Compression and Encryption Services
11. Appendix II – Terminology
12. Appendix III - Configuring MSEO to Encrypt NetBackup Metadata
1. Introduction
The ability to encrypt data protected on removable media has been the focus of much attention
over recent months. Although simple in concept, many of the routine functions carried out in data
centers by IT staffers become increasingly challenging when data encryption is added as a
requirement. Among the concerns important to the data protection administrative staff when it
comes to encrypting removable media, the following bullet points routinely take center stage:
• Will there be a significant performance impact to backup and restore processes?
• Can I encrypt every type of data written to removable media?
• Can I selectively decide what data gets encrypted, and what doesn’t?
• Is key management an automatic or manual process?
• How difficult is it to deploy a given solution?
• Is it possible to generate comprehensive reports related to encrypted backups?
This paper sets out to answer these questions while providing recommendations and best
practices surrounding the NetBackup Media Server Encryption Option (MSEO).
[Figure: architecture diagram. Labels: NetBackup Master Server, Media Server, MSEO Agent, MSEO Security Server, PEM]
NetBackup policy keyword phrase variables parsed from the backup header must be enclosed
within XML (eXtensible Markup Language) tags in order for the virtual tape driver to send them to
the MSEO Security Server for evaluation. The XML tag format requires that the keyword phrase
be prefixed with “<mseo>” and suffixed with “</mseo>”. The MSEO specific variables that can be
introduced typically include:
• KeyGroup
• KeyType
• Compress
An example NetBackup policy keyword phrase might look like this:
<mseo> KeyGroup=Keys_01; KeyType=aes128; Compress=lzrw3; </mseo>
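The following Python sketch is an added example, not part of the Symantec guide or of MSEO itself: it lints keyword phrases for mistakes, such as missing <mseo> tags, that keep the variables from reaching the MSEO Security Server. The grammar (semicolon-separated Name=value entries, case-sensitive names), the function names and the sample policy names are assumptions inferred from the single sample phrase above.

```python
# Added example: lint NetBackup policy keyword phrases before relying on MSEO.
# Assumed grammar (inferred from the guide's one sample, not a product spec):
#   <mseo> Name=value; Name=value; </mseo>

KNOWN_VARIABLES = ("KeyGroup", "KeyType", "Compress")  # names listed in the guide
OPEN_TAG, CLOSE_TAG = "<mseo>", "</mseo>"


def lint_keyword_phrase(phrase):
    """Return (variables, findings) for one keyword phrase string."""
    variables, findings = {}, []
    text = phrase.strip()
    if not text:
        return variables, ["no keyword phrase: no MSEO variables are supplied"]
    if not (text.startswith(OPEN_TAG) and text.endswith(CLOSE_TAG)):
        return variables, ["not wrapped in <mseo>...</mseo>: variables are "
                           "not sent to the MSEO Security Server"]
    body = text[len(OPEN_TAG):-len(CLOSE_TAG)]
    if "<" in body or ">" in body:
        return variables, ["stray tag or angle bracket inside the phrase"]

    for raw in body.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # trailing ';' before </mseo>, as in the guide's sample
        name, sep, value = (part.strip() for part in entry.partition("="))
        if not sep or not name:
            findings.append(f"malformed entry {entry!r}: expected Name=value")
        elif not value:
            findings.append(f"{name} has no value")
        elif name in variables:
            findings.append(f"{name} is set more than once")
        else:
            variables[name] = value
            if name not in KNOWN_VARIABLES:
                # Case sensitivity is assumed; flag near-misses instead of guessing.
                near = [k for k in KNOWN_VARIABLES if k.lower() == name.lower()]
                hint = f" (did you mean {near[0]}?)" if near else ""
                findings.append(f"{name} is not a variable the guide lists{hint}")
    if not variables and not findings:
        findings.append("tags present but no variables set")
    return variables, findings


def audit_policies(policies):
    """Map policy name -> findings, for every policy whose phrase has findings."""
    report = {}
    for policy, phrase in policies.items():
        _, findings = lint_keyword_phrase(phrase)
        if findings:
            report[policy] = findings
    return report


# Constructed sample input: policy names and phrases are invented for the demo.
SAMPLE_POLICIES = {
    "finance_full": "<mseo> KeyGroup=Keys_01; KeyType=aes128; Compress=lzrw3; </mseo>",
    "hr_incr": "KeyGroup=Keys_01; KeyType=aes128;",
    "legal_full": "<mseo> KeyGroup=Keys_01; keytype=aes128; </mseo>",
    "eng_full": "<mseo> KeyGroup=Keys_01; KeyType; </mseo>",
}

if __name__ == "__main__":
    for policy, findings in audit_policies(SAMPLE_POLICIES).items():
        for finding in findings:
            print(f"{policy}: {finding}")
```

A clean lint result only shows that the phrase is well formed; the MSEO audit logs remain the way to confirm what was actually applied to a backup.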
[Figure: diagram of an encrypted backup. Labels: Encrypted Backup, Backup Data, Data Encrypted with BEK]
When the MSEO Agent checks with the MSEO Security Server to determine if it can read a tape
archive and the MSEO Security Server grants permission, the MSEO Security Server performs
the following operations:
• It locates one of the RSA private keys corresponding to the RSA public key(s) used to
  encrypt the BEK
• It decrypts the BEK using the RSA private key
• It returns the decrypted BEK to the calling MSEO Agent
The BEK, along with the encryption and compression algorithms, is passed to the virtual tape
driver to restore the data.
• Recovering encrypted data on a NetBackup media server that uses a different MSEO
  Security Server than the one initially involved in backing up the data requires that the
  MSEO RSA key pairs used for encryption be available for recovery.
• Business partners or affiliates that have a requirement to share encrypted backup media
  need to share their RSA public keys in order to be able to recover data encrypted at the
  partner or affiliate site.
The number of RSA key pairs used is typically related to business requirements. For instance, in
the prior example where one business was sharing encrypted backup media with an affiliate, it
would probably require at least two unique RSA public keys. One RSA public key could be used
locally for encrypting backup media that was not meant to be shared. The second RSA public
key, sent by the affiliate could be used for encrypting backup media that was meant to be shared.
The first RSA private key would restore locally and would not be shared with the affiliate; the
second RSA private key at the affiliate site would be used to decrypt shared content.
Symantec recommendation: Best practice is to use the “cgadmin” export / import keys utility to
share keys between MSEO Security Servers.
4. Sample Configurations
Configuration activities are relatively straightforward. Configuration options are divided into the
following general categories:
• Configuring the virtual tape driver for use with tape drive devices
• Registering PEM hosts / media servers with the MSEO Security Server
• Creating and managing encryption keys
• Configuring MSEO policies
• Configuring NetBackup Policies to use MSEO compression and encryption services
[Figure 7: block diagram. Labels: NetBackup Master Server, Security Server, Key-pair1, Media Server, VTD, PEM]
The block diagram shown in Figure 7 denotes a small sample configuration where the NetBackup
master and media server functions are hosted on the same system. MSEO Security Server and
MSEO Agent software are also installed on this system.
[Figure 8: block diagram. Labels: NetBackup Master Server, Media Server 1, Media Server 2, VTD, PEM]
The block diagram shown in Figure 8 denotes a medium sized sample configuration where the
NetBackup master server is hosted on one system, and two NetBackup media servers are hosted
on additional systems. MSEO Security server software is installed on the same system as the
NetBackup master server, and MSEO Agent software is installed on both NetBackup media
servers.
[Diagram: Site 1 and Site 2, each with a NetBackup Master Server and Security Server. Labels: Key-pair1 to Key-pair4, PubKEY1 to PubKEY4, Media Server 2, Media Server 4, VTD, PEM]
Figure 9: Large configuration
The block diagram shown in Figure 9 depicts a large sample configuration where two NetBackup
master servers are hosted on different systems, and four NetBackup media servers are hosted on
additional systems. MSEO Security server software is installed on the same systems as the
NetBackup master servers, and MSEO Agent software is installed on all four NetBackup media
servers.
6. Data Classification
Serious consideration should be given to the concept of data classification in conjunction with
deploying MSEO. Data classification involves a number of parameters that should likely be
considered in advance of simply deciding to encrypt all data written to removable tape media.
Among the parameters that may influence data classification are:
• Is there a legal requirement that all data written to removable tape media be encrypted?
  Local and national laws may govern exactly what data needs to be encrypted.
  Understanding these laws may assist in properly classifying data into two general
  categories: data that must be encrypted and data that does not need to be encrypted.
• What encrypted data, if any, has to be shared with business partners and affiliates?
  Classifying data as “internal use only” versus data that needs to be shared assists in
  deciding what quantity of RSA key pairs are required.
Much like the concept of retaining all backups indefinitely, the concept of encrypting all data may
end up costing more in the long run. Data is generally classified and backups are retained based
on a service level assigned to the data classification. The result is reduced media consumption
and media storage costs. Likewise, encryption isn’t free, implying that further classification of data
may enable additional cost savings.
7. Implementation
Two important goals of successfully implementing MSEO include securing data on tape with
encryption and understanding any performance impact this may have on overall NetBackup
media server performance.
After classifying data to determine what backups require encryption, a cursory review of existing
NetBackup policies and storage units should be performed. The purpose of this review is to
determine if the backups requiring encryption can use a collection of NetBackup storage units
that have MSEO enabled. A review of NetBackup policies and storage units should result in a
basic understanding of the environment.
For instance, an example review yields these results:
1) The environment consists of 1 NetBackup media server with a single storage unit
2) The NetBackup storage unit has eight tape drives
3) 25% of the data being protected requires MSEO encryption services
4) None of the NetBackup policies used to protect the data requiring encryption services
include data that does not require encryption services
The results of the review indicate that it may be appropriate to configure MSEO such that it uses
two of the eight available tape drives. The existing NetBackup storage unit that contains eight
tape drives must be logically partitioned into two NetBackup storage units, the first with six tape
drives not configured to use MSEO, the second with two tape drives configured to use MSEO
encryption services.
In other situations, the review may yield results that aren’t quite as simple:
1) The environment consists of two NetBackup media servers with three storage units
2) The first NetBackup media server has two storage units, storage unit “A” has four tape
drives and storage unit “B” has six tape drives
3) The second NetBackup media server has a single storage unit with eight tape drives
4) 40% of the data being protected requires MSEO encryption services
5) The NetBackup policies used to protect the data requiring encryption use two storage
units, one on each media server
6) The NetBackup policies used to protect the data requiring encryption also include data
that does not require encryption
The results of the review reveal the following data points:
A) NetBackup policy reconfiguration should be considered so the policies utilizing MSEO
encryption services only include data that requires encryption
B) Assuming all eighteen tape drives are of the same type, it appears that seven of the tape
drives should likely be configured to use MSEO encryption services
Other reviews may yield results that are somewhat more extreme. For instance, a decision may
be made to simply encrypt all backups to tape media. In this case, the performance impact that
MSEO may have on overall media server performance could result in backups that don’t
complete within a given backup window.
However, when attempting to encrypt a lot of data, you can easily run into a CPU bottleneck if
you don’t carefully analyze the backup environment. It takes roughly 73 clock cycles on a
Windows or Linux server, or about 87 clock cycles on a UNIX server, to perform MSEO
compression/encryption per BYTE of data backed up. Backing up 100 MB/sec of data through a
Solaris media server requires 8.7 GHz of CPU processing for MSEO alone, plus whatever
processing is needed for other tasks. To move 200 MB/sec through the media server would
require 17.4 GHz of CPU for MSEO. Adding HBAs to a media server to get additional throughput
doesn’t “just work” when software compression/encryption is used.
First, determine how much data must be backed up and the size of the backup window. That
determines the minimum sustained data rate (although it doesn’t take into account tape mounts
and load times, which must also be considered) to complete the backup within the backup
window. That data rate in GB/sec x 73 or 87 CPU cycles/byte determines the CPU GHz required
for MSEO compression/encryption.
The tape drive must also be considered. LTO2, LTO3 and LTO4 tape drives all have native
transfer rates as well as a minimum transfer rate, which is required to keep them streaming. For
example, an IBM LTO3 tape drive has a native transfer rate of 80 MB/sec, but requires at least 40
MB/sec to maintain streaming. If it doesn’t receive data at that minimum speed, the drive will
“shoeshine” as it must stop, rewind, reposition, and spin up to speed before the write operation
can begin again. This has a drastic impact on overall performance.
In addition, because MSEO performs compression, if the data can be compressed by 1/3 – a
1.5:1 compression ratio – the media server will need to process 60 MB/sec of data to provide
data to the tape drive at 40 MB/sec. On a UNIX system, that will require 5.2 GHz of processing
for MSEO to keep one IBM LTO3 drive streaming at its minimum rate. A four CPU/core system
with 1.2 GHz processors won’t be able to keep a single drive streaming. Given the drive is
capable of running at 120 MB/sec with 1.5:1 compression, even if the drive is able to be kept
streaming (say by using 1.4 GHz or 1.5 GHz processors), it is being used at only 50% efficiency
(60 MB/sec vs. 120 MB/sec).
In all likelihood, you will need to attach fewer tape drives to a MSEO media server in order to
make certain the drives stream, and/or you will need to add CPUs to existing media servers or
buy media servers with more processing power to be able to utilize the number of tape drives you
already have.
The greater the amount of data to be encrypted, the more likely you may face a performance
bottleneck based on media server processing power.
Because the number of CPU cycles per byte as noted above are estimates, it would be
worthwhile to run some tests by deploying one tape drive on a media server and determining the
maximum data rate that can be achieved. A second tape drive can be attached and the same test
run. You want to determine the maximum overall throughput for the media server and this will
occur when all drives can maintain streaming. Performance may be as good or better using only
one drive, which can run at its maximum rate, than using multiple tape drives.
Remember to consider how much additional data may need to be encrypted in the future as you
don’t necessarily want to realize later that to encrypt all your data within the backup window you
must purchase a number of additional and expensive media servers.
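The sizing steps above can be worked through in code. This Python sketch is an added example, not a Symantec tool: it applies the guide's cycles-per-byte estimates and the LTO3 figures quoted above, and goes slightly beyond the text by combining the backup-window rate, the CPU ceiling and the drive streaming minimum into one check. The function names, the cpu_share parameter and the 1000 GB / 8 hour workload are assumptions made for illustration.

```python
import math

# Cycles per byte of backup data that the guide quotes for MSEO
# compression/encryption. The guide calls these estimates.
CYCLES_PER_BYTE = {"windows": 73, "linux": 73, "unix": 87}


def mseo_ghz(ingest_mb_s, cycles_per_byte):
    """GHz of CPU that MSEO needs to process ingest_mb_s (1 MB = 10**6 bytes)."""
    return ingest_mb_s * 1e6 * cycles_per_byte / 1e9


def size_media_server(data_gb, window_hours, platform, cores, ghz_per_core,
                      compression_ratio, drive_min_mb_s, drive_native_mb_s,
                      drives_attached, cpu_share=1.0):
    """Check one media server against a backup window and drive streaming.

    Cores are summed into one GHz figure, as the guide does. cpu_share is an
    assumed knob for the fraction of CPU left to MSEO after other work.
    Tape mount and load times are ignored, as in the guide's minimum rate.
    """
    cpb = CYCLES_PER_BYTE[platform]
    window_rate = data_gb * 1000 / (window_hours * 3600)  # MB/s, uncompressed
    cpu_ghz = cores * ghz_per_core * cpu_share
    cpu_ceiling = cpu_ghz * 1e9 / cpb / 1e6               # MB/s MSEO can process

    # The drive receives compressed data, so the server must ingest
    # compression_ratio times the drive-side rate to keep it fed.
    ingest_min = drive_min_mb_s * compression_ratio
    ingest_max = drive_native_mb_s * compression_ratio

    # Only count drives the CPU can feed at or above their streaming minimum.
    streamable = min(drives_attached, math.floor(cpu_ceiling / ingest_min))
    if streamable == 0:
        # Simplification: a drive that cannot stream is treated as unusable.
        throughput, efficiency = 0.0, 0.0
    else:
        per_drive = min(cpu_ceiling / streamable, ingest_max)
        throughput = per_drive * streamable
        efficiency = per_drive / ingest_max

    return {
        "window_rate_mb_s": window_rate,
        "ghz_for_window": mseo_ghz(window_rate, cpb),
        "cpu_ceiling_mb_s": cpu_ceiling,
        "streaming_drives": streamable,
        "throughput_mb_s": throughput,
        "drive_efficiency": efficiency,
        "window_met": throughput >= window_rate,
    }


if __name__ == "__main__":
    # Constructed workload: 1000 GB in an 8 hour window on a UNIX media server
    # with two IBM LTO3 drives (80 MB/sec native, 40 MB/sec minimum), 1.5:1 data.
    for ghz in (1.2, 1.5):
        result = size_media_server(1000, 8, "unix", 4, ghz, 1.5, 40, 80, 2)
        print(f"4 x {ghz} GHz:", result)
```

With the 1.2 GHz processors the CPU alone could carry the window's data rate, yet the result still fails because no drive can be kept at its streaming minimum.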
7.3.1. Solaris
The default Solaris installation does not configure any tape drives as MSEO devices. In addition,
when configuring MSEO devices, asynchronous mode is by default disabled. Asynchronous
mode should be enabled to properly gauge MSEO performance.
7.3.2. Windows
The default Windows installation configures all tape drives as MSEO devices. In addition, when
configuring MSEO devices, asynchronous mode is by default disabled. Asynchronous mode
should be enabled to properly gauge MSEO performance.
7.3.3. Linux
The default Linux installation does not configure any tape drives as MSEO devices. In addition,
when configuring MSEO devices, asynchronous mode is by default disabled. Asynchronous
mode should be enabled to properly gauge MSEO performance.
Because each of the two NetBackup storage units has a different density, tape media
corresponding to these different densities must be allocated. This is accomplished by introducing
new or scratch media to the library, and performing an inventory operation. The “Advanced
Options” button on the inventory dialog window allows newly imported media to be set to a
specific media type:
Continuing, the NetBackup policies that require MSEO encryption services are altered to use the
storage unit that has the MSEO tape drive:
Symantec recommendation: Best practice advice is to evaluate your site requirements and
implement the appropriate solution or solutions. If you do not use the export/import capability of
MSEO for backing up or moving keys, but attempt to only backup and restore the Security Server
data store, to either the same Security Server or a different one, the public/private keys will be
corrupted and you will NOT be able to restore any data backed up using these keys.
The procedure used to protect the MSEO Security Server data store as part of NetBackup
catalog backups differs depending on the version of NetBackup being used, and also on whether
hot or cold backups are being performed in the case of NetBackup 6.0. Relocating the MSEO
Security Server data store may have ramifications that impact upgrades and product installation
that are not currently understood.
• NetBackup 6.0 offline, cold catalog backups
  Reference the NetBackup System Administrator’s Guide section titled, “Offline, Cold
  Catalog Backup Method”. The catalog files tab provides the ability to include additional
  paths that will be protected when catalog backups are performed. Add an entry that
  represents the MSEO Security Server data store path: “…/cgsb/server”.
• NetBackup 6.0 online, hot catalog backups
  Reference the NetBackup System Administrator’s Guide section titled, “Online, Hot
  Catalog Backup Method”. The MSEO Security Server data store has to be relocated to
  “…/NetBackup/db” for inclusion into a hot catalog backup policy. You must relocate the
  MSEO Security Server data store to accommodate this requirement.
• NetBackup 5.1 offline, cold catalog backups
  Reference the NetBackup System Administrator’s Guide section titled, “Configuring
  Catalog Backups”. The catalog files tab provides the ability to include additional paths
  that will be protected when catalog backups are performed. Add an entry that represents
  the MSEO Security Server data store path: “…/cgsb/server”.
9. Reporting
MSEO is transparent to NetBackup, so reports related to MSEO are not available as part of the
NetBackup graphical or command line user interfaces. However, there are other alternatives for
generating reports. One method to generate reports related to the compression and encryption
associated with MSEO is to access log files created using a MSEO audit template.
The content included in log-based reporting is controlled by means of a MSEO audit template.
Audit templates, used in concert with MSEO policies, enable the capturing of parameters used to
write or read tapes on a media server. The default output is defined in the “netbackup” audit
template XML document. This document is referenced by the standard “default” MSEO policy
XML document.
The following is an example of an unaltered “netbackup” XML audit policy:
MSEO audit logs make it possible to confirm that MSEO is performing compression and
encryption operations as configured via the keyword phrase parameter in a NetBackup policy, or
as hard-coded in an MSEO policy.
Symantec recommendation: Any time a MSEO policy or NetBackup policy keyword phrase is
altered, check the MSEO audit logs to confirm that the desired actions are occurring.
Note: All audit template variables are prefixed with the characters “po.”
[Table: Audit Template Variables, with columns Variable and Description]
which would indicate encrypted backup jobs. If NetBackup Vault is being used, media to be sent
off-site is written to specific volume pools, so either Vault reports or NOM could be used to
generate a report of encrypted backups.
Symantec recommendation: Although the second rule can easily be altered so that by default,
compression and encryption are automatically applied during backups, best practice advice is
that when no NetBackup policy keyword phrase is used, no compression or encryption should occur.
The following MSEO policy example has been constructed for use with the NetBackup Vault
option. Note that the NetBackup copy number must be equal to two, and that the NetBackup
volume pool number must be equal to two for the rule to evaluate to true:
Figure 27: MSEO policy for use with the NetBackup Vault option
NetBackup volume pool number two equates to the DataStore pool:
Table 2: Terminology
Symantec recommendation: Disaster recovery and other offsite facilities will be unable to perform
a phase 1 import and may be unable to locate specific backups in the event of mislabeling or loss
of inventory records if NetBackup metadata is encrypted. Best practice advice recommends
against using this feature unless specifically required by corporate policies.