Ciphers used in NetBackup
This section lists the ciphers that are used in NetBackup.
NetBackup typically does not use local accounts. Instead, accounts that are defined on the local OS or an external identity provider (SAML, AD, or LDAP) are used.
Table: Ciphers used in NetBackup for web API and web UI access (port 443 and 1556)
Product version | TLS version | Enabled ciphers |
|---|---|---|
NetBackup 10.0 to 10.3 | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 |
NetBackup 10.4 and later | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 |
TLSv1.3 | TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 |
Table: Ciphers used in NetBackup for MQbroker (port 13781)
Product version | TLS version | Enabled ciphers |
|---|---|---|
NetBackup 10.0 to 10.5 | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 |
NetBackup 10.5.0.1 and 11.0 (when FIPS mode is disabled) | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 |
TLSv1.3 | TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 | |
NetBackup 10.5.0.1 and 11.0 (when FIPS mode is enabled) | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 |
TLSv1.3 | TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 |
Table: Ciphers used for communication between NetBackup hosts
Product version | TLS version | Enabled ciphers |
|---|---|---|
NetBackup 10.0 to 10.4 | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 |
NetBackup 10.5 and 11.0 (when FIPS mode is disabled) | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 |
TLSv1.3 | TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 | |
NetBackup 10.5 and 11.0 (when FIPS mode is enabled) | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 |
TLSv1.3 | TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 |
If configured, NetBackup uses Openldap to connect directly to LDAP or AD servers. Both LDAP and LDAPS (LDAP over TLS) are supported. The ciphers supported are listed in the following table. The actual cipher chosen for the connection is determined by the configuration of the AD/LDAP server.
Table: Ciphers used in NetBackup for communication with AD/LDAP servers
Product version | TLS version | Enabled ciphers |
|---|---|---|
NetBackup 10.4 | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA |
NetBackup 10.5 and later (when FIPS mode is disabled) | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA |
TLSv1.3 | TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 | |
NetBackup 10.5 and later (when FIPS mode is enabled) | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA |
TLSv1.3 | TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 |
Table: Ciphers used in NetBackup for data at rest encryption
Product version | Hardware or software-based encryption | Ciphers |
|---|---|---|
NetBackup 10.x and 11.0 | Software based except for tape drive encryption | MSDP: AES-256-CTR |
Legacy cloud connector and Advanced Disk Crypt: AES-256-CFB | ||
Client encryption (selected by customer): AES-128-CFB (default) AES-256-CFB | ||
Tape drive encryption (hardware-based): AES-256 |