Exporting the Backup Exec Database encryption key

Exporting the Backup Exec Database encryption key

Article: 100014505
Last Published: 2020-05-11
Ratings: 18 9
Product(s): Backup Exec


Backup Exec 15 and later stores sensitive information in the Backup Exec Database using encryption. A database encryption key is used to encrypt information such as login account credentials and the keys that are used for encrypted backup jobs, for example.

You are required to provide the Backup Exec Database encryption key for each of the following scenarios:

  • Performing a manual disaster recovery of a Backup Exec server
  • Performing a disaster recovery of a Backup Exec server using Simplified Disaster Recovery (SDR)
  • Migrating Backup Exec from one computer to another computer
  • Resolving any situations in which the database encryption key on the Backup Exec server is corrupted or goes missing

Because of the importance of having the encryption key for these scenarios, Veritas recommends that you back up the Backup Exec Database encryption key. You can back up the key by exporting it to a secure location so that you can access it later if it is needed.

Note: When you perform a rolling upgrade in a CASO environment, the database encryption key for the central administration server is only generated when all of the managed Backup Exec servers are upgraded to the current version of Backup Exec. The Home Page with the Backup Exec administration console will show the message "Database Encryption Key Has Not Been Created." in this instance


Error Message

Backup Exec Database Encryption Key Warning:

The Backup Exec Database encryption key has not been backed up yet. It is recommended that you export the key to a secure location to ensure that you can migrate or recover the Backup Exec server later. To export the key, click the Backup Exec button and then select Backup Exec Settings > Database Maintenance and Security > Export.





Complete the following procedure to export a copy of the database encryption key.

Make sure that you export the database encryption key to a location that meets the following criteria:

  • The destination is either on a physical volume that is assigned to a drive letter or a network share that is specified by a UNC path (network shares that are mapped to drive letters are not supported)
  • The destination has enough disk space
  • The destination is accessible from the Backup Exec server
  • Backup Exec has permission to write to the destination.

Note: You should repeat the following procedure on each Backup Exec server in your environment, including the central administration server and each managed Backup Exec server in Central Admin Server Option (CASO) deployments.

The key is exported to the location that you specified. The key is named with a unique hash value and with .dek extension (i.e. a1234b89.dek). Backup Exec uses the name to identify the key later. Do not change the key's file name or file contents. If you want to export the key to additional locations, repeat steps 3 and 4.

  1. Click the Backup Exec button, select Configuration and Settings, and then click Backup Exec Settings.
  2. In the left pane, select Database Maintenance and Security.
  3. In the Path field, type the location to which you want to export the encryption key.
  4. Click Export.
  5. Click OK.

Applies to Backup Exec 15 and above.



Etrack : 3674221

Was this content helpful?