Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. Veritas NetBackup™ Deduplication Guide
  5. Configuring deduplication
  7. Configuring encryption for MSDP backups
Veritas NetBackup™ Deduplication Guide

Configuring encryption for MSDP backups

Two procedures exist to configure encryption during backups for MSDP, as follows:

Configure encryption on individual hosts

Use this procedure to configure encryption on individual MSDP hosts.

The ENCRYPTION parameter in the MSDP pd.conf file controls encryption for that host. The parameter applies only to the host on which you modify the pd.conf, as follows:

See “To configure backup encryption on a single host”.

Configure encryption for all Client Direct clients

Use this procedure to configure encryption for all of your clients that deduplicate their own data (that is, client-side deduplication). If you use this procedure, you do not have to configure each client-side deduplication client individually.

The ServerOptions parameter in the MSDP contentrouter.cfg file controls encryption for all client-side deduplication clients. This parameter supersedes the pd.conf file ENCRYPTION setting on client-side deduplication hosts.

See “To configure backup encryption on all client-side deduplication clients”.

To ensure that encryption occurs for all backups jobs, configure it on all MSDP hosts. MSDP hosts include the MSDP storage server, the MSDP load balancing servers, and the NetBackup Client Direct deduplication clients.

See About MSDP encryption.

To configure backup encryption on a single host

  1. Use a text editor to open the pd.conf file on the host.

    The pd.conf file resides in the following directories:

    • (UNIX) /usr/openv/lib/ost-plugins/

    • (Windows) install_path\Veritas\NetBackup\bin\ost-plugins

    See MSDP pd.conf file parameters.

  2. For the line that begins with #ENCRYPTION, remove the pound sign ( or hash sign, #) in column 1.
  3. In that same line, replace the 0 (zero) with a 1.

    Note:

    The spaces to the left and right of the equal sign (=) in the file are significant. Ensure that the space characters appear in the file after you edit the file.

  4. On the client-side deduplication clients and on the MSDP load balancing servers, ensure that the LOCAL_SETTINGS parameter in the pd.conf file is set to 1. Doing so ensures that the setting on the current host has precedence over the server setting.
  5. Save and close the file.
  6. If the host is the storage server or a load balancing server, restart the NetBackup Remote Manager and Monitor Service (nbrmms) on the host.

To configure backup encryption on all client-side deduplication clients

  1. On the storage server, open the contentrouter.cfg file in a text editor; it resides in the following directory:

    • (UNIX) storage_path/etc/puredisk

    • (Windows) storage_path\etc\puredisk

  2. Add encrypt to the ServerOptions line of the file. The following line is an example:

    ServerOptions=fast,verify_data_read,encrypt

Feedback

Was this page helpful?
Previous

MSDP compression and encryption settings matrix

Next

Configuring encryption for MSDP optimized duplication and replication

Feedback

Was this page helpful?