Additional legacy key file security for UNIX clients
This topic applies only to UNIX NetBackup clients. The additional security is not available for Windows clients.
The key file for an encryption client is encrypted using a DES key that is generated from a key file pass phrase. By default, the key file is encrypted using a DES key that is generated from the standard pass phrase that is hard-coded into NetBackup.
Using the standard key file pass phrase lets you perform automated encrypted backups and restores the same way you perform non-encrypted backups and restores.
This method has potential problems, however, if an unauthorized person gains access to your client's key file. That person may be able to figure out what encryption keys you use for backups or use the key file to restore your client's encrypted backups. For this reason, you must ensure that only the administrator of the client has access to the key file.
For extra protection, you can use your own key file pass phrase to generate the DES key to encrypt the key file. An unauthorized person may still gain access to this key file, but the restore is more difficult.
If you use your own key file pass phrase, backup, and restore are no longer as automated as before. Following is a description of what happens on a UNIX NetBackup client if you have used your own key file pass phrase.
To start a backup or restore on a client, the NetBackup server connects to the bpcd daemon on the client and makes a request.
To perform an encrypted backup or restore, bpcd needs to decrypt and read the key file.
If the standard key file pass phrase is used, bpcd can decrypt the key file automatically.
If you use your own key file pass phrase, bpcd can no longer decrypt the key file automatically, and the default bpcd cannot be used. You must initiate bpcd with a special parameter. See Running the bpcd -keyfile command.