About the Encryption Crawler
The Encryption Crawler searches all MSDP pools to check for unencrypted data. It traverses all the existing data containers, and if a data segment is not encrypted, that segment is encrypted with the AES-256-CTR algorithm. If KMS is enabled, the Encryption Crawler also encrypts the encryption keys of any data segments that the KMS automatic conversion process has not processed. The KMS automatic conversion process encrypts the encryption keys of all the existing encrypted data.
Several conditions may lead to an MSDP pool having unencrypted data segments even though the user intends to encrypt all data:
Encryption is not enabled when the pool is configured. Encryption is only enabled after backup data is ingested into the pool.
The encrypt keyword is not added to the ServerOptions option in contentrouter.cfg of the MSDP. In this case, encryption is not enabled for all pd.conf files that may exist on the MSDP host, load-balancing media servers, build-your-own (BYO) servers, and NetBackup Client Direct.
Later backups may reference the unencrypted data, which then may not go away when the old images expire. The Encryption Crawler is used to encrypt all the existing data in an MSDP pool that was not previously encrypted.
The Encryption Crawler requires that encryption is properly configured. The encrypt keyword must be added to the ServerOptions option in contentrouter.cfg for the MSDP pool. If an Instant Access or Universal Share is configured, the Encryption Crawler requires that encryption is enabled for VpFS. Additionally, you must create all the checkpoints for all the existing VpFS shares after encryption is enabled. If the environment was upgraded from a release before NetBackup 8.1, the Encryption Crawler requires that all rolling data conversion processes have finished.
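
A pre-flight check for the contentrouter.cfg prerequisite above, as an added example that is not Veritas code: it reports whether every active ServerOptions line in a given file carries the encrypt keyword. The comma-separated `ServerOptions=kw1,kw2` syntax, the `#` and `;` comment markers, and the sample keywords are assumptions; pass the path of your own pool's file to the function.

```shell
#!/bin/sh
# Added example. Assumed syntax: "ServerOptions=kw1,kw2,..." on one line,
# with '#' or ';' starting a comment line.
# Returns 0 if every active ServerOptions line has the encrypt keyword,
# 1 if one lacks it, 2 if the file is unreadable or has no such line.
check_encrypt_keyword() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "UNREADABLE: $cfg"; return 2; }
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^[ \t]*[#;]/ { next }                  # a commented-out option does not count
        /^[ \t]*ServerOptions[ \t]*=/ {
            found = 1; ok = 0
            val = $0; sub(/^[^=]*=/, "", val)
            n = split(val, kw, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", kw[i])
                if (kw[i] == "encrypt") ok = 1  # whole keyword, not a substring
            }
            if (!ok) bad = 1
        }
        END {
            if (!found) { print "MISSING: no active ServerOptions line"; exit 2 }
            if (bad)    { print "FAIL: encrypt keyword absent"; exit 1 }
            print "OK: encrypt keyword present"
        }
    ' "$cfg"
}

# Constructed sample, not from a real pool; optA/optB are placeholder keywords.
sample=$(mktemp)
printf '%s\n' '#ServerOptions=optA,encrypt' 'ServerOptions=optA,optB' > "$sample"
check_encrypt_keyword "$sample" || echo "check returned $?"
rm -f "$sample"
```

The check is deliberately conservative: if the file holds more than one active ServerOptions line, any line without the keyword fails the check.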