Veritas NetBackup™ Deduplication Guide

About MSDP encryption

NetBackup provides encryption for the deduplicated data. It is separate from and different than NetBackup policy-based encryption. By default, MSDP encryption is disabled.

Table: MSDP encryption options describes the encryption options.

A different topic describes the interaction of the encryption and the compression settings for MSDP.

See MSDP compression and encryption settings matrix.

Table: MSDP encryption options

Option: Backup encryption

Description: For backups, the deduplication plug-in encrypts the data after it is deduplicated. The data remains encrypted during transfer from the plug-in to the NetBackup Deduplication Engine on the storage server. The Deduplication Engine writes the encrypted data to the storage. For restore jobs, the process functions in the reverse direction.

The MSDP pd.conf file ENCRYPTION parameter controls backup encryption for individual hosts. By default, backup encryption is disabled on all MSDP hosts. If you want backup encryption, you must enable it on the following MSDP hosts:

  • The clients that deduplicate their own data (that is, client-side deduplication).

  • The MSDP load balancing servers.

  • The MSDP storage server.

See Configuring encryption for MSDP backups.

Note:

Do not enable backup encryption by selecting the Encryption option on the Attributes tab of the Policy dialog box. If you do, NetBackup encrypts the data before it reaches the plug-in that deduplicates it. Consequently, deduplication rates are very low. Also, NetBackup does not use the Deduplication Multi-Threaded Agent if policy-based encryption is configured.

See About the MSDP Deduplication Multi-Threaded Agent.

Option: Duplication and replication encryption

Description: For duplication and replication, the deduplication plug-in on MSDP servers encrypts the data for transfer. The data is encrypted during transfer from the plug-in to the NetBackup Deduplication Engine on the target storage server and remains encrypted on the target storage.

The MSDP pd.conf file OPTDUP_ENCRYPTION parameter controls duplication and replication encryption for individual hosts. By default, duplication and replication encryption is disabled on the MSDP storage server and on the MSDP load balancing servers. If you want duplication and replication encryption, you must enable it on the following MSDP servers:

  • The load balancing servers.

  • The storage server.

Duplication and replication encryption does not apply to clients.

NetBackup chooses the least busy host to initiate and manage each duplication job and replication job.

See Configuring encryption for MSDP optimized duplication and replication.

NetBackup 8.0 introduced the 256-bit Advanced Encryption Standard (AES) encryption algorithm in CTR mode to Media Server Deduplication Pool (MSDP). The AES encryption algorithm replaces the older Blowfish encryption algorithm.

See About the rolling data conversion mechanism for MSDP.

See MSDP encryption behavior and compatibilities.
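
The following audit sketch is an added example, not NetBackup code: for a site that wants both kinds of encryption, it checks each host's pd.conf text against the parameters its role needs according to the table above. It assumes pd.conf uses `PARAMETER = value` lines with `#` comments and `1` meaning enabled; the role names, host names and sample file contents are constructed for illustration.

```python
import re

# Assumption: pd.conf uses "PARAMETER = value" lines, "#" starts a comment,
# and 1 means enabled. The page names the parameters but not the syntax.
LINE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(\S+)")

# Parameters each host role needs, per the options table above.
# Role names are hypothetical labels chosen for this example.
REQUIRED = {
    "client": ["ENCRYPTION"],  # client-side deduplication; OPTDUP does not apply
    "load_balancing": ["ENCRYPTION", "OPTDUP_ENCRYPTION"],
    "storage_server": ["ENCRYPTION", "OPTDUP_ENCRYPTION"],
}


def parse_pd_conf(text):
    """Return {parameter: value}; commented-out lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments, including trailing ones
        m = LINE.match(line)
        if m:
            # This parser keeps the last occurrence (an assumption).
            settings[m.group(1)] = m.group(2)
    return settings


def audit(hosts):
    """hosts: {name: (role, pd_conf_text)} -> {name: [parameters not enabled]}"""
    findings = {}
    for name, (role, text) in hosts.items():
        settings = parse_pd_conf(text)
        missing = [p for p in REQUIRED[role] if settings.get(p) != "1"]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample inputs (not real hosts or real pd.conf files).
SAMPLE = {
    "client01": ("client", "#ENCRYPTION = 0\nCOMPRESSION = 1\n"),
    "lb01": ("load_balancing", "ENCRYPTION = 1\nOPTDUP_ENCRYPTION = 0\n"),
    "msdp01": ("storage_server", "ENCRYPTION = 1\nOPTDUP_ENCRYPTION = 1  # on\n"),
}

if __name__ == "__main__":
    for host, params in audit(SAMPLE).items():
        print(f"{host}: not enabled -> {', '.join(params)}")
```

A commented-out parameter counts as not enabled, which matches the default-disabled behavior the page describes.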
