Veritas Backup Exec Administrator's Guide
- Introducing Backup Exec
- Installation
- Methods for installing the Agent for Windows
- Using a command prompt to install the Agent for Windows on a remote computer
- Using a command script to install the Agent for Windows
- Installing the Remote Administrator
- Installing Backup Exec using the command line (silent mode)
- Backup Exec license contract information
- About upgrading to Backup Exec
- Getting Started
- Backups
- Backing up data
- Restores
- How Backup Exec catalogs work
- Job management and monitoring
- Alerts and notifications
- Enabling active alerts and alert history to display on the Home tab
- Adding a recipient group for alert notifications
- Sending a notification when a job completes
- SNMP traps for Backup Exec alerts
- Disk-based and network-based storage
- Configuring disk storage
- Configuring disk cartridge storage
- Backup sets
- Cloud-based storage devices
- Amazon S3 cloud-based storage
- Google cloud-based storage
- Microsoft Azure cloud-based storage
- Private cloud-based storage
- About S3-Compatible Cloud Storage
- About the Veritas Backup Exec™ CloudConnect Optimizer
- Legacy backup-to-disk folders
- Legacy backup-to-disk folders
- Legacy backup-to-disk folders
- Tape storage
- Robotic libraries in Backup Exec
- Creating robotic library partitions
- Managing tapes
- Creating media sets for tapes
- Labeling tape media
- Default media vaults
- Storage device pools
- Storage operations
- Conversion to virtual machines
- Configuration and settings
- Using Backup Exec with firewalls
- Deleting DBA-initiated job templates
- Backup Exec logon accounts
- Reports
- Creating a custom report
- List of Backup Exec standard reports
- Troubleshooting Backup Exec
- Troubleshooting failed components in the SAN
- Generating a diagnostic file for troubleshooting Backup Exec
- Using Backup Exec in cluster environments
- Configurations for Backup Exec and Microsoft Cluster Servers
- Disaster recovery of a cluster
- Simplified Disaster Recovery
- Setting or changing the alternate location for the disaster recovery information file
- Creating a Simplified Disaster Recovery disk image
- Preparing to recover from a disaster by using Simplified Disaster Recovery
- Recovering a computer with Simplified Disaster Recovery
- Integration with Veritas™ Information Map
- Appendix A. Veritas Backup Exec Agent for Windows
- About the Backup Exec Agent Utility for Windows
- Appendix B. Veritas Backup Exec Deduplication Option
- Creating or importing deduplication disk storage
- Selecting storage devices for direct access sharing
- Appendix C. Veritas Backup Exec Agent for VMware
- Backing up VMware virtual machines
- About instant recovery of a VMware virtual machine
- About Recovery Ready for VMware virtual machines
- Appendix D. Veritas Backup Exec Agent for Microsoft Hyper-V
- Backing up Microsoft Hyper-V virtual machines
- About instant recovery of a Hyper-V virtual machine
- About Recovery Ready for Hyper-V virtual machines
- Appendix E. Veritas Backup Exec Agent for Microsoft SQL Server
- Backing up SQL databases and transaction logs
- Restoring SQL databases and transaction logs
- Disaster recovery of a SQL Server
- Appendix F. Veritas Backup Exec Agent for Microsoft Exchange Server
- Backing up Exchange data
- Appendix G. Veritas Backup Exec Agent for Microsoft SharePoint
- Backing up Microsoft SharePoint data
- Appendix H. Veritas Backup Exec Agent for Oracle on Windows or Linux Servers
- Configuring the Oracle Agent on Windows computers and Linux servers
- Configuring an Oracle instance on Windows computers
- Viewing an Oracle instance on Windows computers
- About authentication credentials on the Backup Exec server
- About backing up Oracle databases
- About restoring Oracle resources
- Appendix I. Veritas Backup Exec Agent for Enterprise Vault
- About backup methods for Enterprise Vault backup jobs
- Restoring Enterprise Vault
- About the Backup Exec Migrator for Enterprise Vault
- Configuring the Backup Exec Migrator
- About retrieving migrated Enterprise Vault data
- About the Partition Recovery Utility
- Appendix J. Veritas Backup Exec Agent for Microsoft Active Directory
- Appendix K. Veritas Backup Exec Central Admin Server Option
- About installing the Central Admin Server feature
- What happens when CAS communication thresholds are reached
- About job delegation in CAS
- How to use Backup Exec server pools in CAS
- How centralized restore works in CAS
- Appendix L. Veritas Backup Exec Advanced Disk-based Backup Option
- Appendix M. Veritas Backup Exec NDMP Option
- About restoring and redirecting restore data for NDMP servers
- Viewing the properties of an NDMP server
- Viewing storage properties for an NDMP server
- Appendix N. Veritas Backup Exec Agent for Linux
- About installing the Agent for Linux
- About establishing trust for a remote Linux computer in the Backup Exec list of servers
- Editing configuration options for Linux computers
- About backing up a Linux computer by using the Agent for Linux
- About restoring data to Linux computers
- Editing the default backup job options for Linux computers
- Uninstalling the Agent for Linux
- Appendix O. Veritas Backup Exec Remote Media Agent for Linux
- About installing the Remote Media Agent for Linux
- About establishing trust for a Remote Media Agent for Linux computer in the Backup Exec list of servers
- About the Backup Exec operators (beoper) group for the Remote Media Agent for Linux
- About adding a Linux server as a Remote Media Agent for Linux
- Editing properties for the Remote Media Agent for Linux
- Creating a simulated tape library
- Viewing simulated tape libraries properties
- Appendix P. Accessibility and Backup Exec
- About keyboard shortcuts in Backup Exec
- Backup and Restore tab keyboard shortcuts
- Storage tab keyboard shortcuts
Using encryption with Backup Exec
Backup Exec provides you with the ability to encrypt data. When you encrypt data, you protect it from unauthorized access. Anyone that tries to access the data has to have an encryption key that you create. Backup Exec provides software encryption, but it also supports some devices that provide hardware encryption with the T10 standard. Backup Exec configures encryption when you specify which storage devices that you want to use for a backup job.
Backup Exec supports two security levels of encryption: 128-bit Advanced Encryption Standard (AES) and 256-bit AES. The 256-bit AES encryption provides a stronger level of security because the key is longer for 256-bit AES than for 128-bit AES. However, 128-bit AES encryption enables backup jobs to process more quickly. Hardware encryption using the T10 standard requires 256-bit AES.
When you run a duplicate backup job, any backup sets that are already encrypted are not re-encrypted. However, you can encrypt any unencrypted backup sets.
This topic includes the following information:
Restricted keys and common keys
When you install Backup Exec, the installation program installs encryption software on the Backup Exec server and on any remote computers that use a Backup Exec agent. Backup Exec can encrypt data at a computer that uses a Backup Exec agent, and then transfer the encrypted data to the Backup Exec server. Backup Exec then writes the encrypted data on a set-by-set basis to tape or to disk storage.
Backup Exec encrypts the following types of data:
User data, such as files and Microsoft Exchange databases.
Metadata, such as file names, attributes, and operating system information.
On-tape catalog file and directory information.
Backup Exec does not encrypt Backup Exec metadata or on-disk catalog file and directory information.
You can use software compression with encryption for a backup job. First Backup Exec compresses the files, and then encrypts them. However, backup jobs take longer to complete when you use both encryption compression and software compression.
Veritas recommends that you avoid using hardware compression with software encryption. Hardware compression is performed after encryption. Data becomes randomized during the encryption process. Compression does not work effectively on data that is randomized.
Backup Exec supports hardware encryption for any storage devices that use the T10 encryption standard. When you use hardware encryption, the data is transmitted from the host computer to the storage device and then encrypted on the device. Backup Exec manages the encryption keys that are used to access the encrypted data.
Backup Exec only supports approved devices for T10 encryption.
You can find a list of compatible devices at the following URL:
http://www.veritas.com/docs/000017788
Note:
Hardware encryption that uses the T10 standard requires 256-bit AES. Backup Exec does not let you enable hardware encryption for a job unless it uses at least a 16-character pass phrase.
You must create encryption keys to use encryption in Backup Exec. When a user creates an encryption key, Backup Exec marks that key with an identifier based on the logged-on user's security identifier. The person who creates the key becomes the owner of the key.
If you use encryption for synthetic backups, all of the associated backups must use the same encryption key. Do not change the encryption key after the baseline is created. The encryption key that you select for the baseline backup is automatically applied to all associated backups.
When you select encrypted data for restore, Backup Exec verifies that encryption keys for the data are available in the database. If any of the keys are not available, Backup Exec prompts you to recreate the missing keys. If you delete the key after you schedule the job to run, the job fails.
If Backup Exec cannot locate an encryption key while a catalog job is running, Backup Exec sends an alert. You can then recreate the missing encryption key if you know the pass phrase.
Simplified Disaster Recovery supports the recovery of computers with previously encrypted backup sets. If you have Simplified Disaster Recovery backups that are encrypted during backup, the Recover This Computer wizard prompts you for the pass phrase of each encrypted backup set that is required to complete the recovery.
See Encryption key management.
Backup Exec has the following types of encryption keys:
Table: Types of encryption keys
Key type | Description |
---|---|
Common | Anyone can use the key to encrypt data during a backup job and to restore encrypted data. |
Restricted | Anyone can use the key to encrypt data during a backup job, but users other than the key owner must know the pass phrase. If a user other than the key owner tries to restore the encrypted data, Backup Exec prompts the user for the pass phrase. If you cannot supply the correct pass phrase for the key, you cannot restore the data. |
Encryption keys require a pass phrase, which is similar to a password. Pass phrases are usually longer than passwords and are comprised of several words or groups of text. A good pass phrase is between 8 and 128 characters. The minimum number of characters for 128-bit AES encryption is eight. The minimum number of characters for 256-bit AES encryption is 16. Veritas recommends that you use more than the minimum number of characters.
Note:
Hardware encryption that uses the T10 standard requires 256-bit AES. Backup Exec does not let you enable hardware encryption for a job unless it uses at least a 16-character pass phrase.
Also, a good pass phrase contains a combination of upper and lower case letters, numbers, and special characters. You should avoid using literary quotations in pass phrases.
A pass phrase can include only printable ASCII characters, which are characters 32 through 126. ASCII character 32 is the space character, which is entered using the space bar on the keyboard. ASCII characters 33 through 126 include the following:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ
[\]^_'abcdefghijklmnopqrstuvwxyz{|}~