Configuring encryption for MSDP backups

Two procedures exist to configure encryption during backups for MSDP, as follows:

Configure encryption on individual hosts running OST plug-in

Use this procedure to configure encryption on the MSDP hosts that are running OST plug-in.

The ENCRYPTION parameter in the MSDP pd.conf file controls encryption for that host. The parameter applies only to the host on which you modify the pd.conf, as follows:

See “To configure backup encryption on a single host”.

To have all data in MSDP server encrypted, you must change pd.conf parameter of all load-balancing media servers and client hosts. If you want to encrypt all data in the MSDP pool, do not use this method. Use the MSDP server configuration instead.

Using pd.conf to change MSDP encryption is deprecated. It is recommended that you use the server option instead.

Configure encryption for all backups to the MSDP server

Use this procedure to configure encryption to have all data to the MSDP server encrypted. If you use this procedure, you do not have to configure any hosts that send data to this MSDP server including NetBackup media server, servers in opt-dup, servers in AIR, and client direct hosts.

The ServerOptions parameter in the MSDP contentrouter.cfg file controls encryption for all hosts that send data to this MSDP server. This parameter supersedes the pd.conf file ENCRYPTION setting.

See “To configure backup encryption for all backups targeted to this MSDP pool”.

To configure backup encryption for all backups targeted to this MSDP pool

On the storage server, open the contentrouter.cfg file in a text editor; it resides in the following directory:
- (UNIX) storage_path/etc/puredisk
- (Windows) storage_path\etc\puredisk
Add encrypt to the ServerOptions line of the file. The following line is an example:
ServerOptions=fast,verify_data_read,encrypt
Encryption is enabled for all the data that is stored on the server, which includes the MSDP storage server, the MSDP load-balancing servers, and the NetBackup Client Direct deduplication clients.

To ensure that encryption occurs for all backups jobs, configure it on all MSDP hosts. MSDP hosts include the MSDP storage server, the MSDP load-balancing servers, and the NetBackup Client Direct deduplication clients.

See About MSDP encryption.

If you want to encrypt all data in the MSDP pool, do not use the following method due to its complexity. It is recommended that you use the server option instead.

To configure backup encryption on a single host

Use a text editor to open the pd.conf file on the host.
The pd.conf file resides in the following directories:
- (UNIX) /usr/openv/lib/ost-plugins/
- (Windows) install_path\Veritas\NetBackup\bin\ost-plugins
See MSDP pd.conf file parameters.
For the line that begins with #ENCRYPTION, remove the pound sign (or hash sign, #) in column 1.
In that same line, replace the 0 (zero) with a 1.
Note:
The spaces to the left and right of the equal sign (=) in the file are significant. Ensure that the space characters appear in the file after you edit the file.
On the client-side deduplication clients and on the MSDP load-balancing servers, ensure that the LOCAL_SETTINGS parameter in the pd.conf file is set to 1. Doing so ensures that the setting on the current host has precedence over the server setting.
Save and close the file.
If the host is the storage server or a load-balancing server, restart the NetBackup Remote Manager and Monitor Service (nbrmms) on the host.

Configuring encryption for MSDP backups

Feedback

Feedback