NetBackup™ Security and Encryption Guide

Configure the global data-in-transit encryption setting

To configure data-in-transit encryption (DTE) in your NetBackup environment, first set the global DTE configuration setting (also called the global DTE mode), and then set the client DTE mode.

NetBackup decides whether to encrypt data in transit for each operation based on the global DTE mode, the client DTE mode, and the image DTE mode.

The supported values for the global DTE mode are as follows:

  • Preferred Off: Specifies that the data-in-transit encryption is disabled in the NetBackup domain. This setting can be overridden by the NetBackup client setting.

  • Preferred On: Specifies that the data-in-transit encryption is enabled only for NetBackup 9.1 and later clients.

    For a fresh NetBackup installation, the global DTE mode is set to Preferred On by default.

    For a NetBackup upgrade, the previous setting is retained.

    This setting can be overridden by the NetBackup client setting.

  • Enforced: Specifies that the data-in-transit encryption is enforced if the NetBackup client setting is either 'Automatic' or 'On'. With this option selected, jobs fail for the NetBackup clients that have the data-in-transit encryption set to 'Off' and for the hosts that run a version earlier than 9.1.

Note:

By default, the DTE mode is set to Off for 9.1 clients and to Automatic for 10.0 and later clients.

See DTE_CLIENT_MODE for clients.

Use the following RESTful API endpoints for the global DTE configuration:

  • GET - /security/properties

  • POST - /security/properties

To set or view the global DTE mode using the NetBackup web UI

  1. Sign in to the NetBackup web UI.
  2. At the top right, select Security > Global security.
  3. On the Secure communication tab, select one of the following global DTE settings:
    • Preferred Off

    • Preferred On

    • Enforced

To set and view the global DTE mode using the command-line interface

  1. Run the following command to set the global DTE mode:

    nbseccmd -setsecurityconfig -dteglobalmode 0|1|2

    Where the value 0 represents Preferred Off, 1 represents Preferred On, and 2 represents Enforced.

  2. Run the following command to view the value that is set for the global DTE mode:

    nbseccmd -getsecurityconfig -dteglobalmode
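
Before changing the global DTE mode, especially to Enforced, it helps to know which clients would end up encrypted, unencrypted, or failing jobs. The following Python code is an added example, not part of NetBackup or its documentation: it applies the mode descriptions on this page to a constructed client inventory. It assumes that a client set to Automatic follows the global mode, and it does not model the image DTE mode.

```python
# Added example: pre-flight check before changing the global DTE mode.
# Mode names and the 0/1/2 mapping come from this page. The inventory is
# constructed, and "Automatic follows the global mode" is an assumption.
GLOBAL_MODES = {0: "Preferred Off", 1: "Preferred On", 2: "Enforced"}
CLIENT_MODES = ("Off", "Automatic", "On")
MIN_DTE_VERSION = (9, 1)  # hosts earlier than 9.1 are outside DTE


def parse_version(text):
    """Turn '10.0' or '9.1.0.1' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def dte_outcome(global_mode, client_mode, client_version):
    """Return 'encrypted', 'unencrypted' or 'job fails' for one client."""
    if global_mode not in GLOBAL_MODES or client_mode not in CLIENT_MODES:
        raise ValueError("unknown DTE mode")
    supports_dte = parse_version(client_version) >= MIN_DTE_VERSION
    if global_mode == 2:  # Enforced: no unencrypted fallback
        if not supports_dte or client_mode == "Off":
            return "job fails"
        return "encrypted"
    if not supports_dte or client_mode == "Off":
        return "unencrypted"  # client Off overrides Preferred On
    if client_mode == "On":
        return "encrypted"  # client On overrides Preferred Off
    # Automatic: assumed to follow the global mode
    return "encrypted" if global_mode == 1 else "unencrypted"


def preflight(global_mode, inventory):
    """Group client names by the outcome they would get under global_mode."""
    report = {"encrypted": [], "unencrypted": [], "job fails": []}
    for name, version, client_mode in inventory:
        report[dte_outcome(global_mode, client_mode, version)].append(name)
    return report


# Constructed sample inventory: (host name, NetBackup version, client DTE mode)
SAMPLE_INVENTORY = [
    ("db01.example.com", "10.0", "Automatic"),
    ("app02.example.com", "9.1", "Off"),  # default for 9.1 clients
    ("legacy03.example.com", "8.3", "Automatic"),
    ("fs04.example.com", "9.1", "On"),
]

if __name__ == "__main__":
    for mode, label in GLOBAL_MODES.items():
        print(label, preflight(mode, SAMPLE_INVENTORY))
```

Clients listed under "job fails" for mode 2 need their client DTE mode changed, or the host upgraded, before the global mode is set to Enforced.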
