NetBackup™ Security and Encryption Guide

MSDP backup, restore, and optimized duplication

The data-in-transit encryption (DTE) feature is now integrated with the MSDP storage server for backup and restore workflows.

For backups to an MSDP disk pool, encryption of the data path from the client to the media server is controlled by the NetBackup DTE settings (global and client DTE modes).

If the MSDP storage server has multiple load balancing media servers attached to it and the selected media server is 10.0.0.1 or later, the storage server must also be 10.0.0.1 or later. Otherwise, the backup job fails, and you must upgrade the 10.0 storage server to 10.0.0.1. If the load balancing media server is 10.0 or earlier, the data may be transferred in plain text and the job always succeeds, even if DTE was supposed to be honored.

Ideally, both the load balancing media servers and the storage servers are 10.0.0.1 or later when DTE is enabled.

These conditions also apply to the optimized duplication workflow.

In a mixed environment, where either the storage server or one of the load balancing media servers is earlier than 10.0, the following configuration is required to honor end-to-end encryption:

  • DTE should be enabled on the NetBackup side based on the DTE configuration, that is, the global, media server, and client settings.

  • Encryption should be enabled on the MSDP side using the ENCRYPTION flag in pd.conf.

    See the NetBackup Deduplication Guide for details on enabling the encryption using MSDP.

Note:

If data-in-transit encryption is enabled in NetBackup and the ENCRYPTION flag in pd.conf is also enabled, MSDP encryption takes precedence over NetBackup DTE. This results in data-at-rest encryption and not in data-in-transit encryption.
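
The version and configuration rules above can be turned into a pre-flight check that flags the silent plain-text case before DTE is relied on. The following Python sketch is an added example, not code from NetBackup or this guide; the function names, host names, and inventory values are hypothetical, and it assumes you supply the versions and the DTE and pd.conf state from your own records.

```python
# Added example: pre-flight audit of the MSDP/DTE version rules on this page.
# All names and sample values are hypothetical and constructed for illustration.

DTE_MIN = (10, 0, 0, 1)  # release the page requires on both sides when DTE is enabled
V10_0 = (10, 0, 0, 0)

def ver(s):
    """'10.0.0.1' -> (10, 0, 0, 1); shorter versions are zero-padded to four parts."""
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def audit(storage_server, media_servers, dte_enabled, msdp_encryption):
    """Return (severity, message) findings for one MSDP storage server.

    Every attached load balancing media server is checked, because any of
    them may be the one selected for a job.
    """
    findings = []
    ss = ver(storage_server)
    for name, v in media_servers.items():
        mv = ver(v)
        # Newer media server with an older storage server: the job fails.
        if mv >= DTE_MIN and ss < DTE_MIN:
            findings.append(("FAIL", f"{name}: backup job fails; "
                             "upgrade the storage server to 10.0.0.1"))
        # Media server 10.0 or earlier: DTE may be silently skipped.
        # Assumption: the pd.conf ENCRYPTION flag covers this path, as the
        # page states for mixed environments, so it suppresses the finding.
        if mv <= V10_0 and dte_enabled and not msdp_encryption:
            findings.append(("PLAINTEXT", f"{name}: data may transfer in "
                             "plain text while the job still succeeds"))
    mixed = ss < V10_0 or any(ver(v) < V10_0 for v in media_servers.values())
    if mixed and not (dte_enabled and msdp_encryption):
        findings.append(("CONFIG", "mixed environment: enable both NetBackup "
                         "DTE and the ENCRYPTION flag in pd.conf"))
    if dte_enabled and msdp_encryption:
        findings.append(("NOTE", "MSDP encryption takes precedence over "
                         "NetBackup DTE"))
    return findings

if __name__ == "__main__":
    # Constructed inventory: 10.0 storage server, one new and one old media server.
    for sev, msg in audit("10.0", {"ms-a": "10.0.0.1", "ms-b": "9.1.0.1"},
                          dte_enabled=True, msdp_encryption=False):
        print(f"{sev:9} {msg}")
```

The `PLAINTEXT` finding is the one worth alerting on, since the job status alone will not reveal it.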
