Bingo: when you said All save sets (except the ones for the metada, i.e. for index and bootstrap backups) will always be assigned to the source client. Please explain how that is possible without using staging or cloning.
Essentially I will be running 2 different backups one from client to storage node and one from storage node to tape.
If you use at least LTO4 HW encryption can be done while writing to the tape media. Of course the device does not care how the data has been generated (backup or clone or staging).
You said:
"I know I can assign browse and retention policies to the tape backups but they would then have the storage node as the client so they wouldn't really be useful unless I wanted to run scanner on them all to find a particular saveset."
This is not correct. All save sets (except the ones for the metada, i.e. for index and bootstrap backups) will always be assigned to the source client.
A backup/save set does always belong to the client where it has been generated. This will not change when it is cloned or staged later. Just verify that yourself looking at the saveset - simply verify the client name.
As the indexes are store on the NW server, these backups belong to the NW server's client.
You are right the backup will always belong to the original client however when I do a backup of the storage node, the storage node becomes the client.
If you read the reply you will see that I was refering to WITHOUT USING staging or cloning, that is the whole point. I want to be able to encrypt the data as it stages to tape but have not been able to find a way to do it without the added expense of more liscenses from IBM for jukebox level encryption.
"... when I do a backup of the storage node, the storage node becomes the client."
Sure, it is a new backup - so what else do you expect?
It is obvious that your 'stage' process does not refer to a NW stage process.
But NW staging (nsrstage) is obviously what you need.
NW will not change the content of a save set once it has been generated. So in this case you must use the client-site encryption when you do the backup. And this is achieved by two things:
- a data zone pass phrase to the server
- an appropriate encryption directive for each client
I think I may not have explained my situation well enough
client side encryption is causing too much performance issues to the point of user not being able to log in
savesets are stored on disk on the storage node
storage node only has 4TB space which is about a week of current backups
backups must be recoverable for a year or more
all backups must be encrypted before/while being transferred to tape
The obvious answer is to use nsrstage to transfer the savesets to tape but it cannot encrypt the data, but that was the original question: can nsrstage encrypt the data?
From what I have seen or could find out the answer is no, I was just hoping someone knew a way to do that
You should really use hardware encryption. nsrstage alone, at least in available GA versions of NW, won't do encryption by itself (nsrstage is data movement from one media/pool to another and NW will only support encryption at source therefore if your backup set is not encrypted already at the time of backup, when nsrstage is run it will be moved as-is).
lalexis
2 Intern
•
253 Posts
0
May 15th, 2013 11:00
Bingo: when you said All save sets (except the ones for the metada, i.e. for index and bootstrap backups) will always be assigned to the source client. Please explain how that is possible without using staging or cloning.
Essentially I will be running 2 different backups one from client to storage node and one from storage node to tape.
lalexis
2 Intern
•
253 Posts
0
May 15th, 2013 11:00
Yes I am using LTO4 but the hardware encryption was not turned on and they want extra for that so I am trying to find another solution
bingo.1
2.4K Posts
0
May 15th, 2013 11:00
If you use at least LTO4 HW encryption can be done while writing to the tape media. Of course the device does not care how the data has been generated (backup or clone or staging).
You said:
"I know I can assign browse and retention policies to the tape backups but they would then have the storage node as the client so they wouldn't really be useful unless I wanted to run scanner on them all to find a particular saveset."
This is not correct. All save sets (except the ones for the metada, i.e. for index and bootstrap backups) will always be assigned to the source client.
bingo.1
2.4K Posts
0
May 15th, 2013 12:00
A backup/save set does always belong to the client where it has been generated. This will not change when it is cloned or staged later. Just verify that yourself looking at the saveset - simply verify the client name.
As the indexes are store on the NW server, these backups belong to the NW server's client.
lalexis
2 Intern
•
253 Posts
0
May 15th, 2013 13:00
You are right the backup will always belong to the original client however when I do a backup of the storage node, the storage node becomes the client.
If you read the reply you will see that I was refering to WITHOUT USING staging or cloning, that is the whole point. I want to be able to encrypt the data as it stages to tape but have not been able to find a way to do it without the added expense of more liscenses from IBM for jukebox level encryption.
bingo.1
2.4K Posts
0
May 15th, 2013 13:00
"... when I do a backup of the storage node, the storage node becomes the client."
Sure, it is a new backup - so what else do you expect?
It is obvious that your 'stage' process does not refer to a NW stage process.
But NW staging (nsrstage) is obviously what you need.
NW will not change the content of a save set once it has been generated. So in this case you must use the client-site encryption when you do the backup. And this is achieved by two things:
- a data zone pass phrase to the server
- an appropriate encryption directive for each client
The Admin Guide provides more details.
lalexis
2 Intern
•
253 Posts
0
May 16th, 2013 03:00
I think I may not have explained my situation well enough
The obvious answer is to use nsrstage to transfer the savesets to tape but it cannot encrypt the data, but that was the original question: can nsrstage encrypt the data?
From what I have seen or could find out the answer is no, I was just hoping someone knew a way to do that
Thanks
ble1
4 Operator
•
14.4K Posts
0
May 21st, 2013 00:00
You should really use hardware encryption. nsrstage alone, at least in available GA versions of NW, won't do encryption by itself (nsrstage is data movement from one media/pool to another and NW will only support encryption at source therefore if your backup set is not encrypted already at the time of backup, when nsrstage is run it will be moved as-is).