Standard encryption backup process
The prerequisites for encrypting a standard backup are as follows:
The encryption software is automatically installed with the NetBackup UNIX or Linux server and client installations.
A key file must exist. The key file is created when you run the bpkeyutil command from the server or from the client.
The attribute must be selected on the NetBackup policy that includes the client.
If the prerequisites are met, the backup takes place as follows:
The client takes the latest key from the key file.
For each file that is backed up, the following occurs:
The client creates an encryption tar header. The tar header contains a checksum of the key and the cipher that NetBackup used for encryption.
The client encrypts the file data with the key and writes it, using the cipher that the CRYPT_CIPHER configuration entry defines. (The default cipher is AES-128-CFB.)
Note:
Only file data is encrypted. File names and attributes are not encrypted.
The backup image on the server includes a flag that indicates whether the backup was encrypted.
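
The per-file steps above, modelled with the openssl command line as an added example (this is not NetBackup code and not its on-disk format). The header layout, the SHA-256 key checksum, the per-file IV and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Simplified model of the per-file encryption steps. Assumed, not NetBackup's
# real format: header fields, SHA-256 as the key checksum, a random IV per file.

CIPHER="aes-128-cfb"   # openssl name for the documented default, AES-128-CFB

# key_checksum KEY_HEX: print a checksum that identifies the key without revealing it.
key_checksum() {
    printf '%s' "$1" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# encrypt_backup SRC_DIR OUT_DIR KEY_HEX
# For each file: write a header (key checksum + cipher), then the encrypted data.
encrypt_backup() {
    src=$1; out=$2; key=$3
    mkdir -p "$out"
    for f in "$src"/*; do
        name=$(basename "$f")          # the file name is stored as-is
        iv=$(openssl rand -hex 16)
        printf 'cipher=%s\nkey_checksum=%s\niv=%s\n' \
            "$CIPHER" "$(key_checksum "$key")" "$iv" > "$out/$name.hdr"
        openssl enc -"$CIPHER" -K "$key" -iv "$iv" -in "$f" -out "$out/$name"
    done
}

# key_matches HEADER KEY_HEX: succeed only if the key matches the header checksum.
key_matches() {
    want=$(sed -n 's/^key_checksum=//p' "$1")
    [ "$want" = "$(key_checksum "$2")" ]
}

# decrypt_file OUT_DIR NAME KEY_HEX: print the plaintext, or fail on a wrong key.
decrypt_file() {
    key_matches "$1/$2.hdr" "$3" || return 1
    iv=$(sed -n 's/^iv=//p' "$1/$2.hdr")
    cipher=$(sed -n 's/^cipher=//p' "$1/$2.hdr")
    openssl enc -d -"$cipher" -K "$3" -iv "$iv" -in "$1/$2"
}

# visible_without_key OUT_DIR: what a reader of the image learns without the key.
visible_without_key() {
    ls "$1" | grep -v '\.hdr$'
}
```

Because only file data is encrypted, visible_without_key still returns every original file name, so names that are themselves sensitive need protection by other means, such as access control on the backup image.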