Additional encryption methods for Windows clients
In addition to NetBackup client and server data encryption, Microsoft Windows clients also have access to methods of encrypting the data on the original disk.
Each of the following methods has its own costs and benefits. NetBackup supports each method for protecting Microsoft Windows clients.
The Encrypting File System (EFS) on Microsoft Windows provides file system-level encryption. EFS is a form of encryption where individual files or directories are encrypted by the file system itself.
The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer. Users can enable encryption on a per-file, per-directory, or per-drive basis. Group Policy in a Windows domain environment can also mandate some EFS settings.
No NetBackup settings are involved in protecting these encrypted objects. Any object with an encrypted file system attribute is automatically backed up and restored in its encrypted state.
BitLocker Drive Encryption is a full disk encryption feature included with Microsoft's Windows desktop and server versions.
Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or a disk volume.
As with EFS, no NetBackup settings are required to use BitLocker for encryption. Unlike EFS, the encryption layer is invisible to NetBackup: the operating system automatically decrypts and encrypts the data.
NetBackup does nothing to manage the encryption process and therefore backs up and restores the unencrypted data.
Note:
If you recover a Windows computer that has BitLocker encryption enabled, you must re-enable BitLocker encryption following the restore.
Off-host backup is not supported with volumes that run Windows BitLocker Drive Encryption.
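A pre-backup and post-restore check for the two behaviors described above, as an added PowerShell example that is not part of the NetBackup documentation. It assumes an elevated session with the BitLocker PowerShell module available; `$ScanRoot`, `$BaselinePath`, and the `Get-VolumeState` helper are illustrative names and sample values.

```powershell
# Added example, not NetBackup code. Run elevated; needs the BitLocker PowerShell module.
# $ScanRoot and $BaselinePath are assumed sample values; adjust them to your environment.
param(
    [ValidateSet('Baseline', 'Verify')]
    [string]$Mode = 'Baseline',
    [string]$ScanRoot = 'D:\Data',
    [string]$BaselinePath = "$env:ProgramData\bitlocker-baseline.json"
)

function Get-VolumeState {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = [string]$_.VolumeStatus
            ProtectionStatus = [string]$_.ProtectionStatus
        }
    }
}

if ($Mode -eq 'Baseline') {
    # Before backup: record which volumes BitLocker protects (their data is backed up unencrypted).
    $state = @(Get-VolumeState)
    $state | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    $state | Format-Table -AutoSize

    # EFS files carry the Encrypted attribute; they are backed up and restored in encrypted state.
    $efs = @(Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Attributes Encrypted `
            -ErrorAction SilentlyContinue)
    "{0} EFS-encrypted file(s) under {1}" -f $efs.Count, $ScanRoot
    $efs | Select-Object -First 20 -ExpandProperty FullName
}
else {
    # After restore: report volumes that were protected at baseline but are not protected now.
    $before = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $wasOn  = $before | Where-Object { $_.ProtectionStatus -eq 'On' }
    $now    = @(Get-VolumeState)
    foreach ($b in $wasOn) {
        $n = $now | Where-Object { $_.MountPoint -eq $b.MountPoint }
        if (-not $n -or $n.ProtectionStatus -ne 'On') {
            Write-Warning "$($b.MountPoint): BitLocker was On at baseline, now '$($n.ProtectionStatus)'; re-enable it."
        }
    }
}
```

Run it with `-Mode Baseline` before the backup and keep the baseline file somewhere other than the protected computer, then run it with `-Mode Verify` after the restore.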