Checking the image encryption status

Use msdpimgutil encryptionreport command-line utility to check the MSDP pool encryption status or image encryption status on the storage server.

This command-line utility does the following:

Reports the MSDP pool encryption status.
It lists the data encryption setting and KMS encryption setting for all LSUs.
Reports the image data encryption status for the given image.
Reports the image KMS encryption status for the given image.
Provides KMS key IDs used for the given encrypted image.
Provides the unencrypted data container IDs.
If encryption is disabled, provides encryption protection guidance.

msdpimgutil encryptionreport command-line utility is located at the following locations:

UNIX: /usr/openv/pdde/pdcr/bin/msdpimgutil
Windows: install_path\Veritas\pdde\msdpimgutil.exe

To check the image encryption status

Run the following command to check the MSDP pool encryption status. It lists data encryption setting and KMS encryption settings for all LSUs.

msdpimgutil encryptionreport --systemcheck

For example,

msdpimgutil encryptionreport --systemcheck
==== Dedup system encryption check ====
Found Local LSU
      LSU's Data encryption setting is enabled.
      LSU's KMS encryption setting is enabled.

Found Cloud LSU aws_vraxmyan9148
      LSU's Data encryption setting is disabled.
      LSU's KMS encryption setting is disabled.

Found Cloud LSU aws2_vraxmyan9148
      LSU's Data encryption setting is enabled.
      LSU's KMS encryption setting is enabled.

** Follow the NetBackup Deduplication Guide to enable Data/KMS encryption (contentrouter.cfg).

** Encryption Crawler:
   Encryption Crawler is unavailable for WORM Deduplication pools or data stored on Cloud Tier.

Check the encryption settings of the image in the MSDP pool.
It reports the image data encryption status, image KMS encryption status, KMS key IDs, and the unencrypted data container IDs used for the given image. If encryption is disabled, provides encryption protection guidance.
msdpimgutil encryptionreport --backupid <backup id> --copy <copy number> [--verbose | -v]
--backupid: Backup ID of the image.
--copy: Copy number of the image.
--verbose or -v: Verbose is used to output KMS key IDs for the KMS encrypted image or the data containers IDs for the unencrypted image.
Note:
This command may run for a long time if the image consumes a large number of data containers.
For example,
```
msdpimgutil encryptionreport --backupid backupid --copy 1 --verbose
==== Dedup system encryption check ====
Found Local LSU
      LSU's Data encryption setting is enabled.
      LSU's KMS encryption setting is enabled.

==== Dedup image encryption check ====
Found image (2|/client/policy|backupid_C1) in Local LSU.
      Image Data encryption setting is enabled.
      Image KMS encryption setting is enabled.

      Image data segments are found in 16 data containers, 16 data containers are KMS encrypted.

      The following unique KeyID is needed for image recovery.
      KeyID: 87f49487cd13e9d30c4891e146721354f53f26b82945a8b23eb859a0b8416929
```

Checking the image encryption status

Feedback

Feedback