Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section III. Encryption of data at rest
  7. Data at rest encryption security
  9. Configuring legacy encryption on clients
  11. About configuring legacy encryption from the server
  13. About pushing the legacy encryption configuration to clients
NetBackup™ Security and Encryption Guide

About pushing the legacy encryption configuration to clients

You can use the -crypt_option and -crypt_strength options on the bpinst command to set encryption-related configuration on NetBackup clients as follows:

  • The -crypt_option option specifies whether the client should deny encrypted backups (denied), allow encrypted backups (allowed), or require encrypted backups (required).

  • The -crypt_strength option specifies the DES key length (40 or 56) that the client should use for encrypted backups.

To install the encryption client software and require encrypted backups with a 56-bit DES key, use the following command from the server:

bpinst -LEGACY_CRYPT -crypt_option required -crypt_strength des_56 \ 
-policy_names policy1 policy2

The example uses a UNIX continuation character (\) because it is long. To allow either encrypted or non-encrypted backups with a 40-bit DES key, use the following command:

bpinst -LEGACY_CRYPT -crypt_option allowed -crypt_strength des_40 \ 
client1 client2

In clustered environments you can do the following:

  • Push the configuration to the client only from the active node.

  • Specify the host names of the individual nodes (not the virtual names) in the list of clients.

Note:

The master server USE_VXSS setting in bp.conf should be set to AUTOMATIC. Use this setting when pushing from an NBAC enabled master to a host that does not have NetBackup previously installed. Also use this setting when NBAC has not enabled the master server'sUSE_VXSS setting in bp.conf.

Feedback

Was this page helpful?
Previous

About configuring legacy encryption from the server

Next

About pushing the legacy encryption pass phrases to clients

Feedback

Was this page helpful?