Setting a passphrase to encrypt disaster recovery packages
During each catalog backup, a disaster recovery package is created and encrypted with the passphrase that you set.
See Disaster recovery packages.
Review the following workflow to learn about disaster recovery package restore:
Set an encryption passphrase for disaster recovery packages.
Create a catalog policy.
Consider the following scenarios:
If you have not set the passphrase earlier, NetBackup prevents you from configuring a new catalog backup policy.
If the catalog backup policy is upgraded from a previous version, catalog backups continue to fail until the passphrase is set.
Note:
Catalog backups may fail with status code 144 even though the passphrase is set. This issue occurs because the passphrase may be corrupted. To resolve this issue, you must reset the passphrase.
After a disaster, when you install NetBackup on the primary server in a disaster recovery mode, provide the passphrase that you have set earlier. NetBackup decrypts the disaster recovery package using this passphrase and gets the identity of the primary server back during installation.
Caution:
Special action is required if you fail to provide the appropriate passphrase when you install NetBackup on the primary server after a disaster. You may need to redeploy the security certificates on all NetBackup hosts. For more details, refer to the following article:
https://www.veritas.com/content/support/en_US/article.100033743
Once the primary server identity is back in place, the secure communication between the primary server and the media server is established and you can perform catalog recovery.
After successful catalog recovery, you must set the disaster recovery package passphrase again, because the passphrase is not recovered during the catalog recovery. Catalog backups that you configure in a new NetBackup instance continue to fail until you set the passphrase.
To set or modify a passphrase
- Open the NetBackup web UI.
- At the top right, select Settings > Global security.
- Select Disaster recovery.
- Enter and confirm a passphrase.
Review the following password rules:
The existing passphrase and the new passphrase must be different.
By default, the passphrase must contain a minimum of 8 and a maximum of 1024 characters.
You can set the passphrase constraints using the nbseccmd -setpassphraseconstraints command option.
Only the following characters are supported for the passphrase: White spaces, uppercase characters (A to Z), lowercase characters (a to z), numbers (0 to 9), and special characters. Special characters include: ~ ! @ # $ % ^ & * ( ) _ + - = ` { } [ ] | : ; ' , . / ? < > "
Caution:
If you enter a character that is not supported, you may face problems during disaster recovery package restore. The passphrase may not be validated and you may not be able to restore the disaster recovery package.
- Select Save. If the passphrase already exists, it is overwritten.
To set or modify a passphrase using the command-line interface
- The NetBackup administrator must be logged on to the NetBackup Web Management Service to perform this task. Use the following command to log on:
bpnbat -login -loginType WEB
- Run the following command to set a passphrase to encrypt disaster recovery packages:
nbseccmd -drpkgpassphrase
- Enter the passphrase.
If a passphrase already exists, it is overwritten.