How to determine if a NetBackup client is performing encrypted backups after setting the Encryption attribute in NetBackup policies.
Problem
How to determine if a NetBackup client is performing encrypted backups after setting the Encryption attribute in NetBackup policies.
Solution
Method 1:
Create a Test policy and back up a small folder on the client that has been configured to perform encrypted backups.
Verify that the backup completes successfully.
Rename the Keyfile.dat file in the C:\Program Files\VERITAS\NetBackup\var folder.
Try to restore the folder that was backed up earlier.
In NetBackup 6.x, the job fails with a generic error …
(66.001) INF - TAR PARTIALLY RESTORED 0 FILES
(66.001) Status of restore from image created 2/23/2009 7:43:07 PM = file read failed
(66.xxx) INF - Status = the restore failed to recover the requested files.
The client tar log has these details...
An Exception of type [Veritas::NetBackup::Ncf::InvalidStateException] was thrown. Details about the exception follow...:
Error code = (-1006).
Src file = (Encryptor.cpp).
Src Line = (785).
Description = (Errors in initialisation stage).
[624.4592] <4> tar_base::V_vTarMsgW: INF - tar message received from tar_restore_tfi::processException
[624.4592] <2> tar_base::V_vTarMsgW: FTL - tar file read error
[624.4592] <2> tar_base::backup_finish: TAR - restore: 0 files
In NetBackup 7.x, with Standard encryption, the information for the failed backup is different.
In the job details:
end Restore; elapsed time: 00:00:17 MS-Windows policy restore error(2808)
Info tar32(pid=5280) done. status: 50: client process aborted
Error bpbrm(pid=4760) client restore EXIT STATUS 50: client process aborted
Note: The job fails as an incomplete job, with a status of 2808.
In the client tar log:
10:24:21.024 AM: [5280.3172] <32> Encryptor::setDecryptionInfo[2](): FTL - Internal error. Please report: m_initialized at line 610, function Encryptor::setDecryptionInfo[2](), module @(#) $Source: src/ncf/tfi/lib/Encryptor.cpp,v $ $Revision: 1.41 $
Method 2:
Capture the verbose logs of the bpbkar process on the client during an encrypted backup.
The bpbkar log will have these entries for each file that is backed up:
<4> PackerTAR::startObject(): INF - Data Encryption is turned ON.
<4> PackerTAR::writeEncryptionInfo(): INF - Encryption Type ID = (0)
Note: In NetBackup 7.x, when Standard encryption is used, the bpbkar log file will not contain these entries.
Method 3:
When the backup is successfully encrypted, the header file in the images database should have the ENCRYPTION value set to 1 or 2. For non-encrypted backups, this value will be 0.
Up until NetBackup 7.5, the header file is available for inspection in the images database. In NetBackup 7.5, the header file may be exported with the cat_export command, and then inspected. The line in the header file will appear as follows:
ENCRYPTION 2
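An added example (not part of the original article and not Veritas code) that applies the Method 3 check to a folder of header files and flags every image whose ENCRYPTION value is 0 or missing. Only the ENCRYPTION line format comes from the article; the file names, the other header fields and the function names are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Per the article: ENCRYPTION 0 = not encrypted, 1 or 2 = encrypted.
ENC_LINE = re.compile(r"^ENCRYPTION[ \t]+(\d+)[ \t]*$", re.MULTILINE)

def classify_header(text):
    """Classify one header file's text as encrypted / unencrypted / unknown."""
    match = ENC_LINE.search(text)
    if match is None:
        return "unknown"  # no ENCRYPTION line: unverified, never assumed encrypted
    value = int(match.group(1))
    if value == 0:
        return "unencrypted"
    return "encrypted" if value in (1, 2) else "unknown"

def audit_headers(directory):
    """Return {file name: classification} for every file under directory."""
    return {
        path.name: classify_header(path.read_text(errors="replace"))
        for path in sorted(Path(directory).rglob("*"))
        if path.is_file()
    }

def needs_review(results):
    """Names of images that are not proven encrypted."""
    return sorted(name for name, state in results.items() if state != "encrypted")

# Constructed sample headers. Only the ENCRYPTION line comes from the article;
# the other fields and the file names are illustrative assumptions.
SAMPLES = {
    "client1_1235418187_FULL": "CLIENT client1\nPOLICY Test\nENCRYPTION 2\n",
    "client1_1235504587_FULL": "CLIENT client1\nPOLICY Test\nENCRYPTION 0\n",
    "client2_1235418200_FULL": "CLIENT client2\nPOLICY Test\n",
    "client2_1235504600_FULL": "CLIENT client2\nENCRYPTION 1 \n",
}

def demo():
    """Write the samples to a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            Path(tmp, name).write_text(body)
        return audit_headers(tmp)

if __name__ == "__main__":
    results = demo()
    for name, state in sorted(results.items()):
        print(f"{state:12} {name}")
    print("needs review:", needs_review(results))
```

To check real data, call audit_headers() on the folder holding the header files (or the cat_export output in NetBackup 7.5) and treat everything returned by needs_review() as unverified until restored with Method 1.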
Applies To
NetBackup 6.x
NetBackup 7.x
A brief overview of the Encryption feature of NetBackup
- The Encryption attribute determines whether the backup should be encrypted.
- When the server initiates the backup, it passes on the Encryption policy attribute to the client in the backup request.
- The client compares the Encryption policy attribute to the Encryption host properties for the client.
- If the encryption permissions for the client are set to REQUIRED or ALLOWED, the policy can encrypt the backups for that client.
- The encryption of data is always done by the remote client that you are backing up.
- The NetBackup client is capable of performing encrypted backups, but this feature needs to be activated from the Master server.
- Once encryption is enabled (from the Master), the Remote server receives a file called Keyfile.dat, which is stored locally on that client.
- During backup, the encrypted data travels over the network and is written to disk or tape.
- During restore, the presence of the Keyfile.dat (on the client) determines if the restore will happen or not.