Backup Exec Best Practices
- Backup Exec Best Practices
Best practices for Backup Exec database encryption keys
Best practices include tips and recommendations to help you use Backup Exec to manage the database encryption feature effectively. For more information about database encryption, see the Backup Exec Administrator's Guide.
The following best practices can help ensure the effective operation of database encryption:
Export the database encryption key immediately after you install Backup Exec to ensure that you have a copy of it in the event of a server failure.
To export the database encryption key, complete the following steps:
Click the Backup Exec button, select, and then click .
In the left pane, select.
In thefield, type the location to which you want to export the encryption key.
The key is exported to the location that you specified. The key is named with a unique hash value. Backup Exec uses the name to identify the key later. Do not change the key's file name or file contents. If you want to export the key to additional locations, repeat the previous steps.
Make sure that you export the database encryption key to a location that meets the following criteria:
The destination is either on a physical volume that is assigned to a drive letter or a network share that is specified by a UNC path (network shares that are mapped to drive letters are not supported).
The destination has enough disk space.
The destination is accessible from the Backup Exec server.
Backup Exec has permission to write to the destination.
Save the database encryption key to a secure location. Veritas recommends that you save the key to an off-site location for increased security. It is your responsibility to ensure that the database encryption key is backed up.
Exercise caution when you configure access rights for the Data folder in the Backup Exec install directory. The Data folder contains the Backup Exec Database, SSL certificates, and database encryption keys as well as other critical data. The Data folder is protected from unauthorized access using Windows Access Control Lists (ACL). You should ensure that only trusted users can access the Data folder.
Refresh the database encryption keys periodically. Refreshing the database encryption keys helps to protect the server from any attacks that might try to decipher the keys.
For more information about refreshing the database encryption keys, refer to the Backup Exec Administrator's Guide.