April 8th, 2014 08:00

Encryption Key Storage


Where does Networker 8 store its encryption keys?

I am doing a DR Plan and I want to make sure if it is stored internally or not.

Thanks

Larry

2 Intern

14.3K Posts

April 8th, 2014 10:00

What encryption are you using? The "key" (password) is part of local database.

253 Posts

April 8th, 2014 10:00

I am just running the encryption directive on all my backups.

I wonder if there is a way to store the "key" on a different server so in the event that my backup tape gets misplaced I am not giving the criminals both the data and the key at the same time.

253 Posts

April 8th, 2014 11:00

Are you saying it is metadata because it is encrypted?

If so, back to the original concern - Maybe a little more explanation would be helpful, so

If I back up my server using the encryption directive and somehow someone gets a hold of my tape would they be able to restore all the data once they loaded Networker?

Assume that the pass phrase is the default setting.

2 Intern

14.3K Posts

April 8th, 2014 11:00

You are not giving them data, but rather metadata, but without data metadata is useless.

253 Posts

April 8th, 2014 11:00

Got me confused now

You are saying that my data is NOT encrypted using the encryption directive?

I thought we had that hammered out a year ago when I had issues with encryption.

It was my understanding that I could use either Networker or a 3rd party software/hardware to encrypt my data.

With the options at hand and a budget to live with I opted for Networker

2 Intern

14.3K Posts

April 8th, 2014 11:00

Well, you said what if bad guys got your server, right? They would have backup server and what do they do with it? Without access to data on tape, vtl or disk appliance they can't do anything. Without proper DNS they would most likely have had issues starting up backup application in the first place.

Your encryption directive protects your network traffic.  Encryption on tape should be done with other software (most likely you use LTO so to protect data on tape you just need key management station - note that this is something happening outside NW world).

2 Intern

14.3K Posts

April 8th, 2014 11:00

Imagine that your data is encrypted on tape. Now, in case you lose backup server how do you scan it? You need old password, right? OK, imagine you have one. Where is password option for scanner? There isn't one. Your data traffic is encrypted, but not data on tapes. That's my understanding. If you have two servers, give it a try:

- create text file

- do backup of text file to tape

- move tape to second server

- scan it

- restore text file and see if you can read it in plain text

2 Intern

14.3K Posts

April 8th, 2014 12:00

Of course I could be wrong, but I believe I remember it has been mentioned on this forum that encryption used by NW is solely used for traffic from client to storage node. Wonder how that works with DD Boost.  I can only assume that if this is valid for ssid on tape that scanner would check against phrase set on server properties, but scanner was always acting outside server so there is enough place for doubt.  If I were you, I would test it first.

1 Message

July 30th, 2019 16:00

Hi, there. I'm pretty concerned about this topic, but still have some different questions to ask.

a. Where is the metadata stored?

b. Is it stored encrypted?

And the last, sorry if it sounds foolish:

c. Can I apply an Encryption Directive if my networker server doesn't have a Restricted Zone defined? Where do I see if it's applied to a client, for example?

4 Operator

1.3K Posts

July 31st, 2019 06:00

Hi, the answers below are assuming that you want to use encryption using directives. In case you are using hardware encryption via encryption card on the tape drives then NetWorker has no information about this, you can check the KMS documents for more info.

a. Where is the metadata stored?

The pass phrase is stored in the res database and the information regarding the encrypted saveset is stored in the media database.

b. Is it stored encrypted?

The media database is a SQLite database, I hope that answers your question.

And the last, sorry if it sounds foolish:

c. Can I apply an Encryption Directive if my networker server doesn't have a Restricted Zone defined? Where do I see if it's applied to a client, for example?

I assume by "Restricted Zone" you mean multi tenancy. You don't need multi tenancy for applying encryption. The client with the AES encryption directive is the one that is being encrypted.

2 Posts

October 28th, 2019 15:00

Can someone help me with the step by step process for encryption? Is there any doc which could help me enable it for my environment? I have never tried encryption in my Networker.

Version: 18.2

2.4K Posts

October 29th, 2019 00:00

You will find the key information in the Admin Guide > chapter 6 (Backing Up Data) > Encryption.

4 Operator

1.3K Posts

October 29th, 2019 05:00

My suggestion - don't use NetWorker software based encryption. It is going to impact your performance drastically.
