Encryption and NetBackup performance
During the backup, encryption can be performed in any of the following ways, depending on your backup environment:
The NetBackup client performs the encryption.
The NetBackup media server performs the encryption.
The tape drive performs the encryption, together with the NetBackup Key Management Service (KMS). The tape drive must have built-in encryption capability.
Table: Encryption options and NetBackup performance describes the performance effect of each technology.
Table: Encryption options and NetBackup performance
| Encryption option | Performance considerations |
|---|---|
| Client encryption (the Encryption option on the NetBackup policy attributes tab) | Data encryption (and compression) can be performed by the NetBackup client. (Use the encryption and compression options on the policy Attributes tab.) If the client has sufficient CPU resources to perform the encryption (plus the rest of its backup processing), client encryption can be an effective option. Note that when NetBackup client encryption is used, backups may run slower. How much slower depends on where the bottleneck is in your backup path. If the network is the bottleneck, encryption should not hinder performance. If the network is not the bottleneck, encryption may slow down the backup. If you multistream encrypted backups on a client with multiple CPUs, try to define one fewer stream than the number of CPUs. For example, if the client has four CPUs, define three or fewer streams for the backup. This approach can minimize CPU contention. See Effect of encryption plus compression on NetBackup performance. Note: Do not enable Encryption on the NetBackup policy attributes tab if backups are being written to a deduplication target, for example, an MSDP disk pool. Doing so will negatively impact the deduplication rate. Instead, enable MSDP encryption as described below. |
| Client encryption using MSDP | Backups that are being written to an MSDP disk pool can be encrypted using MSDP encryption. You have the option of encrypting a number of individual hosts or configuring encryption for all client direct clients. For additional information, see Configuring encryption for MSDP backups in the NetBackup Deduplication Guide. |
| Tape drive encryption, with the NetBackup Key Management Service (KMS) | Encryption that is performed by the tape drive has little or no effect on the backup performance. Use of this option requires the NetBackup Key Management Service (KMS). Note: The number of key groups in KMS is 100. |
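
The note in the client encryption row says that encrypting before a deduplication target lowers the deduplication rate. The following added example (not NetBackup code) shows why with a simplified model. The fixed 4 KiB segments, the SHA-256 fingerprints, the hash-based stand-in cipher and the fresh nonce per backup job are all assumptions made for illustration, not a description of MSDP or NetBackup internals.

```python
import hashlib
import os

CHUNK = 4096  # fixed-size segments: a simplification, not MSDP's segmenting


def keystream_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), for illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def fingerprints(stream: bytes) -> list[bytes]:
    """One fingerprint per segment, as a deduplicating store would compute."""
    return [hashlib.sha256(stream[i:i + CHUNK]).digest()
            for i in range(0, len(stream), CHUNK)]


def dedup_rate(backups: list[bytes]) -> float:
    """Fraction of incoming segments that were already in the pool."""
    seen, total = set(), 0
    for stream in backups:
        for fp in fingerprints(stream):
            total += 1
            seen.add(fp)
    return 1 - len(seen) / total


def demo() -> tuple[float, float]:
    # Constructed sample: two nightly backups of 64 segments, one segment changed.
    day1 = os.urandom(64 * CHUNK)
    day2 = bytearray(day1)
    day2[10 * CHUNK:11 * CHUNK] = os.urandom(CHUNK)
    day2 = bytes(day2)
    key = os.urandom(32)
    # Encrypt before the pool sees the data; fresh nonce per job (assumption).
    encrypted = [keystream_encrypt(d, key, os.urandom(16)) for d in (day1, day2)]
    return dedup_rate([day1, day2]), dedup_rate(encrypted)


if __name__ == "__main__":
    plain, enc = demo()
    print(f"dedup rate, plaintext sent to pool:      {plain:.1%}")
    print(f"dedup rate, encrypted before the pool:   {enc:.1%}")
```

In this model, 63 of the second backup's 64 segments match the first when plaintext reaches the pool, while the encrypted streams share no segments at all.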