Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section II. Encryption of data-in-transit
  7. Configuring data-in-transit encryption (DTE)
  9. How DTE configuration settings work in various NetBackup operations
  11. Replication
NetBackup™ Security and Encryption Guide

Replication

If the MSDP storage server is used for replication, the following considerations need to be reviewed:

  • The Data-in-transit (DTE) encryption feature is not integrated with MSDP storage for replication workflows and it is controlled by the OPTDUP_ENCRYPTION flag in pd.conf.

  • The job DTE mode depends on the image DTE mode or the global DTE setting of the source domain.

  • The correct values must be set for the DTE configuration settings and the OPTDUP_ENCRYPTION flag for the source and target domains.

For details on enabling encryption using MSDP, see the NetBackup Deduplication Guide.

Table: The image DTE mode is Off

Global DTE mode

Media server 9.1 or later with DTE mode

Media server earlier than 9.1

On

Off

Preferred Off

Data is not encrypted

Data is not encrypted

Data is not encrypted

Preferred On

Data is encrypted

Data is not encrypted

Data is encrypted

Enforced

Data is encrypted

Operation fails

Data is encrypted

Table: When the image DTE mode is On and media server DTE setting is On

Global DTE mode

Host

Value of the DTE_IGNORE_IMAGE_MODE configuration option

NEVER (default)

WHERE_UNSUPPORTED

ALWAYS

Preferred Off

NetBackup media server 9.1 or later

Data is encrypted

Data is encrypted

Data is not encrypted

NetBackup media server earlier than 9.1

Data is encrypted

Data is encrypted

Data is not encrypted

Preferred On

NetBackup media server 9.1 or later

Data is encrypted

Data is encrypted

Data is encrypted

NetBackup media server earlier than 9.1

Data is encrypted

Data is encrypted

Data is encrypted

Enforced

NetBackup media server 9.1 or later

Data is encrypted

Data is encrypted

Data is encrypted

NetBackup media server earlier than 9.1

Data is encrypted

Data is encrypted

Data is encrypted

Note:

If DTE_IGNORE_IMAGE_MODE is set to ALWAYS, the DTE decision is as per the table - Table: The image DTE mode is Off.

Table: When the image DTE mode is On and the media server DTE setting on 10.0 or later is Off

Global DTE mode

Value of the DTE_IGNORE_IMAGE_MODE configuration option

NEVER (default)

WHERE_UNSUPPORTED

ALWAYS

Preferred Off

Operation fails

Operation fails

Data is not encrypted

Preferred On

Operation fails

Operation fails

Data is not encrypted

Enforced

Operation fails

Operation fails

Operation fails

Note:

If DTE_IGNORE_IMAGE_MODE is set to ALWAYS, the DTE decision is as per the table - Table: The image DTE mode is Off.

Feedback

Was this page helpful?
Previous

Import

Next

External CA and external certificates

Feedback

Was this page helpful?