Backup Exec 11d, 12.0, 12.5, and 2010. Best Practices Guide: Software Encryption
The Symantec Backup Exec Administrator's Guide is an excellent resource for the planning and implementation of backup strategies. The information in this document is provided as a supplement to the informaiton contained in the Customizing Backup Options > About Encryption section of the Administrator's Guide. For more information regarding the terms and usage used in this document, please refer to the Administrator's Guide.
Encryption keys require a pass phrase, which is similar to a password. Pass phrases are usually longer than passwords and are comprised of several words or groups of text. A good pass phrase is between eight and 128 characters. The minimum number of characters for 128-bit AES encryption is eight. The minimum number of characters for 256-bit AES encryption is 16. Symantec recommends that you use more than the minimum number of characters.
Also, a good pass phrase contains a combination of upper and lower case numbers, letters, and special characters. Lliterary quotations should be avoided in pass phrases.
A pass phrase can include only printable ASCII characters, which are characters 32 through 126. ASCII character 32 is the space character, which is entered using the space bar on the keyboard. ASCII characters 33 through 126 include the following
The following Best Practices will help ensure smooth operations when using Backup Exec:
- Keep the Pass Phrase safe and secure. If there is not a backup of the Backup Exec database and the Pass Phrase is forgotten, data from an encrypted set cannot be restored. If this situation occurs Symantec will not be able to assist with restoring the encrypted data.
- When using software encryption it is not recommended to use hardware compression. If the data must be both encrypted and compressed and hardware encryption is not available, it is recommended to use software compression. When using software compression the data is compressed first and then encrypted. When using software encryption with hardware compression, the data is encrypted first and then compressed. Encrypted data does not compress well because the data is randomized. In some cases using hardware compression with software encryption will cause the data to become larger rather than smaller.
- Software compression should be used with software encryption for a backup job. First, Backup Exec compresses the files and then it encrypts them. However, backup jobs will take longer to complete when both software encryption and software compression are used.
- Backup sets using Granular Restore Technology (GRT) will not be encrypted when using Backup to Disk (B2D). GRT sets to tape can be encrypted. If the GRT sets must be encrypted on disk then it is recommended to use File System encryption to encrypt the B2D folder. When using File System encryption it is recommended to perform a test restore to make sure sufficient privileges are granted to the logon account to be able to access the encrypted data.