Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section III. Encryption of data at rest
  7. Data at rest encryption security
  9. About NetBackup client encryption
  11. About running an encryption backup
  13. Standard encryption backup process
NetBackup™ Security and Encryption Guide

Standard encryption backup process

The prerequisites for encrypting a standard backup are as follows:

  • Note:

    In NetBackup 7.5 and later versions, the encryption software is automatically installed with the NetBackup UNIX server and client installations.

    A key file must exist. The key file is created when you run the bpkeyutil command from the server or from the client.

  • The Encryption attribute must be selected on the NetBackup policy that includes the client.

If the prerequisites are met, the backup takes place as follows:

  • The client takes the latest key from the key file.

    For each file that is backed up, the following occurs:

    • The client creates an encryption tar header. The tar header contains a checksum of the key and the cipher that NetBackup used for encryption.

    • To write the file data that was encrypted with the key, the client uses the cipher that the CRYPT_CIPHER configuration entry defines. (The default cipher is AES-128-CFB.)

    Note:

    Only file data is encrypted. File names and attributes are not encrypted.

  • The backup image on the server includes a flag that indicates whether the backup was encrypted.

Feedback

Was this page helpful?
Previous

About choosing encryption for a backup

Next

Legacy encryption backup process

Feedback

Was this page helpful?