How to use import-export command and CSV files in GDPR Guard

Article: 100044194
Last Published: 2018-10-30
Product(s): Backup Exec

Description

Backup Exec GDPR Guard

 

Contents

Backup Exec GDPR Guard

Import a List of Files to Block

Import Command Output

Import CSV File Format

Acceptable Entries in the ServerName Column

Acceptable Entries in BlockedFileFullPath Column

Export Command

Audit Logs

Persisted File Format

GDPR Guard in a Central Admin Server Environment

GDPR Guard Troubleshooting

 

Backup Exec GDPR Guard

Beyond normal protection of data using backup and duplicate operations, Backup Exec now offers the ability to manage and report data related to “forget me” or blocking requests that align with data protection and privacy laws such as GDPR.

Privacy laws such as GDPR contain the “right to be forgotten”, which means purging of data, including from backups and Disaster Recovery (DR) copies.  However, because data in backups and DR copies must be kept in accordance with retention policies, it may not be possible to purge personal data immediately.

Backup Exec GDPR Guard allows Administrators to create blocking requests for files stored in backups and DR copies that prevent files with sensitive data from being restored.  GDPR Guard ensures that even though the data cannot be permanently erased from storage immediately:

  • The data as well as metadata cannot be viewed nor restored back to production systems
  • Data is kept well protected using encryption
  • Offline information does not become available online

Backup Exec GDPR Guard collects data about files to be blocked.  Blocked file data is stored in Persisted Files that are encrypted and access controlled.  Files to be forgotten are blocked so that they cannot be found in a search of backup data, cannot be viewed and cannot be restored.  It also maintains an audit trail for the import/export of blocked files lists and when a restore is run that includes files that are blocked from being restored.  An override is available that allows the System Logon Account owner to disregard the files to be forgotten list and restore files that have been flagged as blocked.

The blocked files list is imported into Backup Exec using the Backup Exec Command Line Interface (BEMCLI) utilizing a file in CSV format.

 

Import a List of Files to Block

A new command in BEMCLI can be used to provide Backup Exec with a list of files that should be blocked from restore.  This command allows files to be “forgotten” even though they still exist in backup data.  The new command is:  Import-BEItemsToBlock.

Command Syntax:

Import-BEItemsToBlock -CsvFilePath <String> -ColumnNameForServerName <String> -ColumnNameForBlockedItemPath <String> -LogFilePath <String> -ResetIfCorrupted

When the command “Import-BEItemsToBlock” is entered into BEMCLI without any parameters, there will be a prompt for each of the mandatory parameters:  CsvFilePath, ColumnNameForServerName and ColumnNameForBlockedItemPath.

| Mandatory Parameters | Description |
|---|---|
| CsvFilePath <String> | Specifies the full path and file name of the CSV file.  The CSV file must be located on a local drive.  Only one CSV file can be imported at a time. |
| ColumnNameForServerName <String> | Specifies the column name in the CSV file with the server name information. |
| ColumnNameForBlockedItemPath <String> | Specifies the column name in the CSV file containing the full path of the blocked item. |

| Optional Parameters | Description |
|---|---|
| ResetIfCorrupted | Specifies to run the Import-BEItemsToBlock command to reset the internal list only if it is corrupted.  Can only be run by the owner of the System Logon Account. |
| LogFilePath <String> | Specifies the location where the log file is created.  No log file is generated if the import command is successful.  By default, the log file will be generated in the Logs folder under the Backup Exec installation directory. |

There is no command to edit the blocked files list or to remove individual entries after import.

 

Import Command Output

There is no output generated from the Import-BEItemsToBlock command if it is successful.

If the command fails, an appropriate exception is returned.

 

Items containing incorrect information are not imported by the operation. Information about items not imported is displayed in the output. The log file contains more details about the blocked items that are not imported.

  • If there are files in the input CSV that were imported previously, then those records will be reported in the count of successfully inserted records.  Duplicate records are not reported separately.
  • Possible reasons for records not being imported are:
      • Invalid server name information
      • Invalid file path information
      • Missing server name, missing file path, or incomplete values

 

Import CSV File Format

The Import CSV file contains information about the files to be blocked, specifically the server name and the full path of the file(s) to be blocked.  The CSV file must have column names specified in the top row.  Blocked items can be located on any Backup Exec-protected servers, Windows or Linux.  The input CSV file can contain file path information for multiple servers.  NDMP servers are not supported for blocked item processing.

Example Blacklist.CSV:

ServerName, BlockedFileFullPath
W16_Opps_14.MS.LOCAL, "F:\CustData\APJ\Customer_List.XLSX"
W16_Opps_21.MS.LOCAL, "H:\CustData\AMS\*.XLSX"
W16_Opps_09.MS.LOCAL, "H:\CustData\EMEA\*.*"

ServerName column:  Server names in the CSV must either be an FQDN or a name as seen on the Servers tab in the Backup Exec console. If any other server name is specified for a blocked item, the item will be rejected by the import command.

BlockedFileFullPath column:  Contains the file name with the full path. The path should start from the volume or share name.  The wildcard ‘*’ can be used to specify a set of items within a folder.  For example, H:\Folder1\*.txt or H:\*.* are acceptable entries in this column.

Any additional columns will be ignored.

 

The Import CSV file can use the following character encoding:

  • ANSI or Native character set that depends on the locale configured for the system
  • UTF-8 file with Byte Order Marking (BOM)
  • UTF-16 Little Endian with BOM
  • UTF-16 Big Endian with BOM

The import command does not function properly if the Import CSV file contains strings from multiple locales.
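The accepted encodings listed above can be checked from the first bytes of the file before it is handed to the import command. The following is an added example, not Veritas code: Get-ImportCsvEncoding is a hypothetical helper name, the sample bytes are constructed, and the verdict strings only restate whether the encoding is on the list above.

```powershell
# Added example (not Veritas code). Get-ImportCsvEncoding is a hypothetical helper.
function Get-ImportCsvEncoding {
    param([byte[]]$Bytes)
    $b = $Bytes
    if ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF) {
        return 'Listed: UTF-8 with BOM'
    }
    if ($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE) { return 'Listed: UTF-16 Little Endian with BOM' }
    if ($b.Length -ge 2 -and $b[0] -eq 0xFE -and $b[1] -eq 0xFF) { return 'Listed: UTF-16 Big Endian with BOM' }
    # No BOM from here on: ANSI is the only listed encoding without one.
    if ($b -contains 0) { return 'Not listed: NUL bytes and no BOM (looks like UTF-16 saved without BOM)' }
    if (@($b -ge 0x80).Count -eq 0) { return 'Listed: no BOM, ASCII only (valid as ANSI)' }
    # Non-ASCII bytes present: a strict decoder tells BOM-less UTF-8 apart from ANSI.
    $strictUtf8 = New-Object System.Text.UTF8Encoding($false, $true)
    try {
        [void]$strictUtf8.GetString($b)
        return 'Not listed: decodes as UTF-8 but has no BOM; re-save as UTF-8 with BOM'
    } catch {
        return 'Listed: no BOM and not UTF-8 (ANSI in the system locale)'
    }
}

# Constructed sample: the same two CSV lines encoded four ways.
$text  = "ServerName,BlockedFileFullPath`r`nFS01,E:\Kunden\M$([char]0xFC)ller.xlsx`r`n"
$cases = [ordered]@{
    'UTF-8 with BOM'    = [byte[]](0xEF, 0xBB, 0xBF) + [Text.Encoding]::UTF8.GetBytes($text)
    'UTF-8 without BOM' = [Text.Encoding]::UTF8.GetBytes($text)
    'Windows-1252'      = [Text.Encoding]::GetEncoding(1252).GetBytes($text)
    'UTF-16 LE no BOM'  = [Text.Encoding]::Unicode.GetBytes($text)
}
foreach ($name in $cases.Keys) {
    '{0,-18} -> {1}' -f $name, (Get-ImportCsvEncoding -Bytes $cases[$name])
}
```

For a real file, pass `[IO.File]::ReadAllBytes($path)` as the -Bytes argument.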

An Import CSV file can have rows for new entries appended and be re-imported to extend the existing list of files blocked by GDPR Guard.  Entries added during previous imports will be ignored if imported again.

 

Acceptable Entries in the ServerName Column

Server names in the Import CSV file must match the server name as it appears on the servers list in the Backup Exec console (Backup and Restore Tab > Servers Column).  If the fully qualified domain name (FQDN) is used and the server appears with a different name in the Backup Exec console > servers list, ensure that the Agent for Windows is running on that server and is publishing itself to the Backup Exec server.  Server names that do not match are skipped.

If Backup Exec contains two Resource Containers for the same server, one with a NetBIOS name and one with the FQDN, then separate entries must be provided in the Import CSV file.  The NetBIOS server name entries will not be honoured for an FQDN resource container and vice versa.

 

Acceptable Entries in BlockedFileFullPath Column

The full path should always begin with volume or share.  It should not contain the server name.  For example:  E:\folder1\a.txt and TestShare\F1\b.txt are acceptable entries.

For Linux, the file path can either begin with [ROOT] as seen in restore-browse view or it can start with ‘/’.  For example:  [ROOT]/home/admin/Downloads/RI/RALUS64/install.pm and /root/block/a.txt are both acceptable entries.

Folder paths cannot contain any wildcards.  For example:  G:\Test2\*\CatTrans.xsl and G:\*\results.txt are invalid entries.

Folder paths without file names can be specified in this column.  To specify a folder path, it must end with the ‘\’ or ‘/’ path delimiter.  If F:\ is specified then it will block all files and folders inside F:.  If ‘\’ or ‘[ROOT]\’ is specified for Linux, then it will block the whole volume.  For example:  [ROOT]/home/admin/Downloads/RI/VxIF/Config/ and E:\CaseTest\Folder\ToTest\ are acceptable folder entries.

Folder and file paths on Linux (non-Windows) servers are case sensitive.

File names can contain the wildcard character ‘*’.  Some examples of valid entries are:

[ROOT]/home/admin/Downloads/RI/install*.*

[ROOT]/home/admin/Downloads/RI/uninstall*

E:\GRT job backup\searchXslt\Email*Example_*.xml

E:\GRT job backup\searchXslt\Cat*.*

E:\GRT job backup\searchXslt\*results.txt

E:\Test\*.dll

E:\Folder1\*.*

F:\*.*

File names as well as folder paths can NOT contain ‘?’ wildcard characters.  For example: G:\Test2\searchXslt1\E?.xml and G:\Test2?\results.txt are invalid entries.

Wildcards apply to subfolders.  For example:  if E:\folder1\*.txt is present in CSV then it will block all txt files from E:\folder1 and all subfolders.
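Because rows with an invalid path or a missing server name are skipped by the import and the files they name stay restorable, it helps to check the CSV against the rules in this section first. The following is an added example, not Veritas code: Test-BlockedItemPath and Test-ImportCsvRows are hypothetical helper names, the sample rows are constructed, and treating a leading \\ as "starts with a server name" is an assumption. It also applies the comma restriction from the troubleshooting section.

```powershell
# Added example (not Veritas code). Function names are hypothetical.
function Test-BlockedItemPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'missing file path' }
    $problems = @()
    if ($Path.Contains(',')) { $problems += 'path contains a comma' }
    if ($Path.Contains('?')) { $problems += "'?' wildcard is not allowed" }
    # Assumption: a leading \\ means the entry starts with a server name (UNC form).
    if ($Path.StartsWith('\\')) { $problems += 'path starts with a server name' }
    # Everything before the last delimiter is the folder part; '*' is only valid after it.
    $lastSep = $Path.LastIndexOfAny([char[]]@('\', '/'))
    if ($lastSep -ge 0 -and $Path.Substring(0, $lastSep).Contains('*')) {
        $problems += "wildcard '*' in a folder name"
    }
    $problems
}

function Test-ImportCsvRows {
    param(
        [Parameter(Mandatory)] [object[]]$Rows,   # objects from Import-Csv or ConvertFrom-Csv
        [string]$ServerColumn = 'ServerName',
        [string]$PathColumn   = 'BlockedFileFullPath'
    )
    foreach ($row in $Rows) {
        $server   = "$($row.$ServerColumn)".Trim()
        $path     = "$($row.$PathColumn)".Trim()
        $problems = @(Test-BlockedItemPath $path)
        if (-not $server) { $problems += 'missing server name' }
        if ($problems.Count -gt 0) {
            [pscustomobject]@{ Server = $server; Path = $path; Problems = $problems -join '; ' }
        }
    }
}

# Constructed sample rows; the two G:\ paths are the invalid examples quoted above.
$sample = @'
ServerName,BlockedFileFullPath
FS01.example.local,"E:\CustData\*.xlsx"
FS01.example.local,"G:\Test2\*\CatTrans.xsl"
FS01.example.local,"G:\Test2\searchXslt1\E?.xml"
FS01.example.local,"\\FS01\Share\a.txt"
,"[ROOT]/home/admin/Downloads/RI/install*.*"
FS01.example.local,"E:\Reports\Q1,Q2\list.xlsx"
'@ | ConvertFrom-Csv

Test-ImportCsvRows -Rows $sample | Format-Table -AutoSize -Wrap
```

The check cannot confirm that a server name matches the Servers list in the Backup Exec console; that still has to be verified against the console.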

 

Export Command

Another new command in BEMCLI can be used to export the blocked files' information from GDPR Guard to a CSV file at a specified location.  The command is Export-BEItemsBlocked.

Command Syntax:

Export-BEItemsToBlock -CsvFilePath <String>

The CsvFilePath <String> parameter specifies the location where the exported CSV file will be written.

The exported CSV contains the server names and full paths of the Backup Exec GDPR Guard blocked items.

The exported CSV name format is:  BE-BLockedFiles-TimeStamp.csv.  The exported CSV file will be UTF-8 encoded with a BOM.

 

Veritas recommends that the GDPR Guard list of blocked items should be backed up regularly by running the Export-BEItemsBlocked command.  The exported CSV file can be used to recover the GDPR Guard list of blocked items if it is corrupted or deleted.

 

Audit Logs

A new audit log category for “compliance” has been created for GDPR Guard.  GDPR Guard operations reported in the audit log are:  Import, Export, Restore with blocked files and Restore with Override of blocked files.  Compliance audit logs are also written to the Windows Event Viewer.

 

Persisted File Format

The imported list of blocked files is stored in multiple BIN files in the <BE Installation folder>\Data\BLFileInfo directory.  There is a unique BIN file for each volume/share resource of each protected server.  For example:  if there are blacklisted files corresponding to two servers, with one volume on the first server and two volumes on the second server, then there will be three BIN files created:

MS5_C.bin

NEWMS.DB.LOCAL_C.bin

NEWMS.DB.LOCAL_D.bin

The BIN file name format is:  servername_volume.BIN.  ServerName in the BIN file name will be the same as the name displayed on the Servers tab in the Backup Exec console.  This is regardless of whether the server name or an FQDN was used to specify blacklisted files in the Import CSV file.  BIN files are converted to UTF-8 without a BOM regardless of the encoding used for the Import CSV file.  BIN files are encrypted and the file hash is stored in the Backup Exec database.  This allows GDPR Guard to check for corruption during import, export and restore operations.

 

GDPR Guard in a Central Admin Server Environment

Import operations can only be run on the Central Admin Server (CAS) and are blocked on Managed Backup Exec Servers (MBES).

Blocked files information and the encryption key from the CAS are automatically synced with the MBESs, which will then honour the blocked items.  If an MBES is not online during the import on the CAS, then blocked files information will be shared when it comes online.  If a new MBES is added, blocked files information and the encryption key will be synced with that MBES.  In rolling upgrades, MBESs will not honour blocked files until they are upgraded to Backup Exec 20.3.  Auto-sync of key and blocked file information may take time if there is slow network connectivity between the CAS and MBESs.  Until the blocked file information is synchronized, the MBES will continue to see blocked items in restore view and will be able to restore them.

If a Standalone Backup Exec server that has blocked items is being converted to an MBES, perform these steps in the order listed:

  1. Export the blocked items CSV.
  2. On the Standalone/MBES, delete the BIN files from the Data\BLFileInfo folder under the Backup Exec installation folder.
  3. Convert the Standalone server to an MBES.
  4. Import the blocked items on CAS using the exported CSV from the Standalone/MBES.

 

GDPR Guard Troubleshooting

General troubleshooting for GDPR Guard is based on analysing the debug logs for the Management, Server and Engine processes.  The Backup Exec Management process is responsible for all import, export and BIN file write operations.  The Backup Exec Job Engine and Catalog processes are responsible for reading BIN files and performing restore, restore browse and management of export operations.

 

Each entry below lists a problem followed by its possible resolutions.

Problem: If the import command is successful but the restore and search view continue to display and restore the blocked items
Possible Resolutions:
1. Ensure that the full path of any blocked item in the Import CSV file does NOT contain a comma (,).
2. Some entries may get blocked if the full path contains a wildcard.  Wildcards apply to the folder and all subfolders.
3. If a server is added in Backup Exec using multiple names, such as by the NetBIOS name, FQDN, or IP address, the items are blocked only for the server name that is specified in the Import CSV file.  To resolve this issue, add the blocked item entries using each server name separately in the Import CSV file.

Problem: If some blocked items are skipped during the import operation with the reason displayed as invalid item path
Possible Resolutions:
1. Ensure the full path starts with a volume or share name rather than a server name.
2. Folder paths cannot contain wildcards; only file names can contain the wildcard ‘*’.

Problem: If Import operations terminate with the error: “An error occurred while processing a blocked item. The internal list of blocked items does not exist”
Possible Resolutions:
Ensure the path to the Import CSV file is correct.  The Import CSV file must be on a local drive and cannot be a network location.

Problem: If the export operation displays “An error occurred while opening the internal list of blocked items”
Possible Resolutions:
Ensure the specified output folder path is valid and does not point to an invalid drive or network location.

Problem: If some of the blocked items are displayed in the restore or search view
Possible Resolutions:
1. An import operation is running that includes the same resource.
2. The integrity check failed for the internal list of blocked items.  Run a restore job; the job log displays the exact reason for the failure to read from the internal list of blocked items.
3. If a soft or hard link path is specified in the Import CSV file, only the link is blocked.  To block the folder that the link is pointing to, specify the actual path of the folder in the Import CSV file.

Problem: To remove a blocked file entry from an already imported CSV file
Possible Resolutions:
Do these steps in the order listed:
1. Run the export command.
2. Remove the entry from the generated CSV.
3. For the resource that was removed from the CSV, delete the associated BIN file from the "data\BLFileInfo" folder under the Backup Exec installation directory.
4. Run the import command again with the ResetIfCorrupted parameter.

Problem: If the restore and search view does not display results for a long time
Possible Resolutions:
A large number of blocked items were added for that resource.  A restore job can still be run at the folder or volume level to view the items that are restored and viewed.

Problem: If the import CSV contains blocked items that are an unsupported type like NDMP
Possible Resolutions:
The import command will accept such entries and the “Allow restore of blocked items” checkbox for restore jobs of that server will be displayed.  However, the checkbox has no impact on functionality; restore jobs will continue to run.

Problem: If a resource server name is changed or a resource server is added to a domain from a workgroup
Possible Resolutions:
Files blocked based on the old name will be available for restore using the server’s new name.  To block the files for the new resource name, edit the Import CSV file with the new resource name and re-run the import command.

Problem: There is a limit on the number of blocked file entries that can be present in a restore selection.  For example: if a restore job is restoring F:\*.* then F:\ has a maximum number of blocked file entries.
Possible Resolutions:
The limit is 894784 (~8L) blocked files for BE 20.3 Agent for Windows or Agent for Linux.
For older agents, the limit is 89478.
If this limit is reached then the restore job will fail.

Problem: If BEUtility is used to recover the Backup Exec Database (BEDB)
Possible Resolutions:
Blocked file information is not recovered.  The Import command must be run to re-establish the blocked files list.  A CSV from a previously successful Export could be used.

 
