About NetBackup encryption options — NetBackup 11.1 | Cohesity Documentation

Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist

About NetBackup encryption options — NetBackup 11.1 | Cohesity Documentation

About NetBackup encryption options

NetBackup provides several methods for encrypting backups, as described in the following table.

Table: NetBackup encryption options

Option	Description
Client encryption	The NetBackup client encryption option is a software-based solution that encrypts the data on the client. The data is encrypted in transit and at rest. Each client manages its own encryption keys. To enable client encryption, select the backup policy Encryption attribute. See Encryption (policy attribute).
Tape drive encryption	With hardware-based tape drive encryption, an encrypting tape drive encrypts the data. The data is encrypted at rest only. A Key Management Service (KMS) server that is configured on the primary server manages encryption keys. It can either be NetBackup KMS (NBKMS) or external KMS. See the "Data at rest key management" chapter in the NetBackup Security and Encryption Guide. One method to manage the volumes for hardware-based tape encryption is to use a reserved prefix on the volume pool name. The storage device must have encrypting tape drives. The storage unit must specify the storage device that has the encrypting tape drives. The backup policy must specify the correct storage unit and volume pool. See About reserved volume pool name prefixes.
AdvancedDisk encryption	A plug-in in the NetBackup OpenStorage stack encrypts the data. The data is encrypted at rest only. A Key Management Service (KMS) server that is configured on the primary server manages encryption keys. It can either be NetBackup KMS (NBKMS) or external KMS. See the NetBackup AdvancedDisk Storage Solutions Guide.
Cloud storage encryption	A plug-in in the NetBackup OpenStorage stack encrypts the data. The data is encrypted at rest only (by default, NetBackup uses SSL for read and write operations). A Key Management Service (KMS) server that is configured on the primary server manages encryption keys. It can either be NetBackup KMS (NBKMS) or external KMS. See the NetBackup Cloud Administrator's Guide.
Media Server Deduplication Pool encryption	The MSDP deduplication plug-in encrypts the data. The data can be encrypted in transit and at rest or at rest only. The NetBackup deduplication plug-in manages the encryption keys. See the NetBackup Deduplication Guide.

Feedback

Was this page helpful?

Feedback

Was this page helpful?