Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section II. Encryption of data-in-transit
  7. Configuring data-in-transit encryption (DTE)
  9. How DTE configuration settings work in various NetBackup operations
  11. Catalog backup and recovery
NetBackup™ Security and Encryption Guide

Catalog backup and recovery

Media server should be of the same NetBackup version as the primary server for catalog backup and recovery workflow.

Review the following points:

  • DTE mode for catalog backup jobs is similar to the file system workflow and DTE decision is similar to the backup workflow described above.

  • DTE mode in catalog backup jobs:

    • Parent catalog backup job does not have DTE mode set.

    • Database staging child job does not have DTE mode set.

    • Other two child jobs have DTE mode set as per the configured DTE settings.

  • DTE mode in catalog recovery jobs:

    • First 2 jobs have the DTE mode set as per the following tables depending on the image DTE mode.

    • The first two jobs replace the global DTE setting and primary server's bp.conf values, so the 3rd job DTE mode is set as per the recovered global DTE setting and primary server's bp.conf values.

The image DTE mode is Off

Table: When the image DTE mode is Off and the media server DTE setting is On

Global DTE mode

NetBackup Primary server 9.1 and later with DTE mode

On

Off

Automatic

Preferred Off

Data is encrypted

Data is not encrypted

Data is not encrypted

Preferred On

Data is encrypted

Data is not encrypted

Data is encrypted

Enforced

Data is encrypted

Data is encrypted

Data is encrypted

Note:

When the global DTE setting is set to ENFORCED and the DTE_CLIENT_MODE is Off, DTE is preferred over failure in case of catalog recovery.

Table: When the image DTE mode is Off and the media server DTE setting is Off

Global DTE mode

NetBackup Primary server 9.1 and later with DTE mode

On

Off

Automatic

Preferred Off

Data is encrypted *

Data is not encrypted

Data is not encrypted

Preferred On

Data is encrypted *

Data is not encrypted

Data is not encrypted

Enforced

Data is encrypted *

Data is encrypted *

Data is encrypted *

* signifies that DTE is preferred over failure during catalog recovery. It ignores the DTE setting on the media server, that is Off unless the client DTE mode is set to Automatic.

The image DTE mode is On

Table: When the image DTE mode is On and the media server DTE setting is On

Global DTE mode

Host

Value of the DTE_IGNORE_IMAGE_MODE configuration option

NEVER (default)

WHERE_UNSUPPORTED

ALWAYS

Preferred Off

Primary server with DTE_CLIENT_MODE as ON

Data is encrypted

Data is encrypted

Data is encrypted

Primary server with DTE_CLIENT_MODE as OFF

Data is encrypted

Data is encrypted

Data is not encrypted

Primary server with DTE_CLIENT_MODE as AUTOMATIC

Data is encrypted

Data is encrypted

Data is not encrypted

Preferred On

Primary server with DTE_CLIENT_MODE as ON

Data is encrypted

Data is encrypted

Data is encrypted

Primary server with DTE_CLIENT_MODE as OFF

Data is encrypted

Data is encrypted

Data is not encrypted

Primary server with DTE_CLIENT_MODE as AUTOMATIC

Data is encrypted

Data is encrypted

Data is encrypted

Enforced

Primary server with DTE_CLIENT_MODE as ON

Data is encrypted

Data is encrypted

Data is encrypted

Primary server with DTE_CLIENT_MODE as OFF

Data is encrypted

Data is encrypted

Data is encrypted

Primary server with DTE_CLIENT_MODE as AUTOMATIC

Data is encrypted

Data is encrypted

Data is encrypted

Note:

If DTE_IGNORE_IMAGE_MODE is set to ALWAYS, the DTE decision is as per the table - Table: When the image DTE mode is Off and the media server DTE setting is On.

Table: When the image DTE mode is On and the media server DTE setting is Off

Global DTE mode

Host

Value of the DTE_IGNORE_IMAGE_MODE configuration option

NEVER (default)

WHERE_UNSUPPORTED

ALWAYS

Preferred Off

Primary server with DTE_CLIENT_MODE as ON

Data is encrypted *

Data is encrypted *

Data is encrypted *

Primary server with DTE_CLIENT_MODE as OFF

Data is encrypted *

Data is encrypted *

Data is not encrypted

Primary server with DTE_CLIENT_MODE as AUTOMATIC

Data is encrypted *

Data is encrypted *

Data is not encrypted

Preferred On

Primary server with DTE_CLIENT_MODE as ON

Data is encrypted *

Data is encrypted *

Data is encrypted *

Primary server with DTE_CLIENT_MODE as OFF

Data is encrypted *

Data is encrypted *

Data is not encrypted

Primary server with DTE_CLIENT_MODE as AUTOMATIC

Data is encrypted *

Data is encrypted *

Data is not encrypted

Enforced

Primary server with DTE_CLIENT_MODE as ON

Data is encrypted *

Data is encrypted *

Data is encrypted *

Primary server with DTE_CLIENT_MODE as OFF

Data is encrypted *

Data is encrypted *

Data is encrypted

Primary server with DTE_CLIENT_MODE as AUTOMATIC

Data is encrypted *

Data is encrypted *

Data is encrypted *

* signifies that DTE is preferred over failure during catalog recovery. It ignores the DTE setting on the media server, that is Off unless the client DTE mode is set to Automatic.

Feedback

Was this page helpful?
Previous

Universal-Share policy backup

Next

Duplication

Feedback

Was this page helpful?