In order to try and eleviate our performance problem we have decided to NOT encrypt the data as it is backed up to disk.
The problem is we need to have the data encrypted when it is moved to tape
Is there any way to do that with staging or cloning?
I want to be able to browse for at least 3 weeks and retain for 14 months but only have disk space for 6 days.
Staging would be the perfect solution if I could encrypt the data because it will clean the disk when it is done.
I know I can make another group and have that save/encrypt the data that is on disk but then I lose the browse and retention policies and am stuck with the task of cleanup of the disk.
How would I leave just the latest backup or 2 on disk and clean all the rest out?
I know I can assign browse and retention policies to the tape backups but they would then have the storage node as the client so they wouldn't really be useful unless I wanted to run scanner on them all to find a particular saveset.
So can I encrypt a staging session?
If not is there another solution other than mentioned above?
If you use at least LTO4 HW encryption can be done while writing to the tape media. Of course the device does not care how the data has been generated (backup or clone or staging).
"I know I can assign browse and retention policies to the tape backups but they would then have the storage node as the client so they wouldn't really be useful unless I wanted to run scanner on them all to find a particular saveset."
This is not correct. All save sets (except the ones for the metada, i.e. for index and bootstrap backups) will always be assigned to the source client.
Bingo: when you said All save sets (except the ones for the metada, i.e. for index and bootstrap backups) will always be assigned to the source client. Please explain how that is possible without using staging or cloning.
Essentially I will be running 2 different backups one from client to storage node and one from storage node to tape.
A backup/save set does always belong to the client where it has been generated. This will not change when it is cloned or staged later. Just verify that yourself looking at the saveset - simply verify the client name.
As the indexes are store on the NW server, these backups belong to the NW server's client.
You are right the backup will always belong to the original client however when I do a backup of the storage node, the storage node becomes the client.
If you read the reply you will see that I was refering to WITHOUT USING staging or cloning, that is the whole point. I want to be able to encrypt the data as it stages to tape but have not been able to find a way to do it without the added expense of more liscenses from IBM for jukebox level encryption.
"... when I do a backup of the storage node, the storage node becomes the client."
Sure, it is a new backup - so what else do you expect?
It is obvious that your 'stage' process does not refer to a NW stage process.
But NW staging (nsrstage) is obviously what you need.
NW will not change the content of a save set once it has been generated. So in this case you must use the client-site encryption when you do the backup. And this is achieved by two things:
- a data zone pass phrase to the server
- an appropriate encryption directive for each client
The Admin Guide provides more details.
I think I may not have explained my situation well enough
The obvious answer is to use nsrstage to transfer the savesets to tape but it cannot encrypt the data, but that was the original question: can nsrstage encrypt the data?
From what I have seen or could find out the answer is no, I was just hoping someone knew a way to do that
You should really use hardware encryption. nsrstage alone, at least in available GA versions of NW, won't do encryption by itself (nsrstage is data movement from one media/pool to another and NW will only support encryption at source therefore if your backup set is not encrypted already at the time of backup, when nsrstage is run it will be moved as-is).