Custom directive, how do I verify encryption is working?

Question

I created a custom directive that combined the encryption ASM with a bunch of skips for SQL files that are already getting backed up with a MSSQL: saveset. Here's the directive I created: << / >> +aes: * <<'c:\'>> +skip:*.mdf +skip:*.ldf +skip:*.bak +skip:*.dat <<'d:\'>> +skip:*.mdf +skip:*.ldf +skip:*.bak +skip:*.dat I am running Networker 7.62 on Windows 2008 R2 with a Datadomain (OS: 5.0.2.3-259543 Model: DD860) using DDBoost. I have verified that the backup is skipping the intended files but how do I verify that the encryption is working?

rochem1 · Accepted Answer

To determine whether a file has had the encryptasm applied (or any other asm type) you can use the nsrinfo command. The aes display has been there since NetWorker 7.5.

An example for a specific file is below. You could do the -n namespace and display all the files (or grep for asm_type=aes)

/usr/sbin/nsrinfo -N /clientfilenamethatshouldbeencrypted client.example.com

scanning client `client.example.com' for all savetimes from the backup namespace

/clientfilenamethatshouldbeencrypted , date=1239408074 Fri Apr 10 17:01:14 2009, asm_type= aes

ble1 · Answer

2 approaches:- check dedupe ratio on save set.&#xa0; If it sucks, aes encryption is on - do restore and check content of files - if filled with zeros, it works

Sam_Powell · Answer

LOL!  I thought I remembered a flag being set somewhere that I could check.  I will remove the passphrase and try to do a restore and see what's in the file!

ble1 · Answer

Indeed, there is a flag with scanner and restore to specify passphrase, but to my knowledge I haven't seen any flag with mminfo to see if backup set is encrypted or not. I would argue that is something that EMC would need to add for sure as that checking out this with mminfo would be piece of cake.

Sam_Powell · Answer

Awesome! That got me almost all the way there! Maybe it's just the difference between Unix and windows, but I needed to add a -v to the command.

C:\Users\ITBACKUP>nsrinfo -v -N "R:\xxxx\DEPARTMENTS\I T\SPOWELL\Backup_Test_File_2012_10_10.txt" homedata

scanning client `homedata' for all savetimes from the backup namespace

WIN ASDF v2 file `R:\xxxx\DEPARTMENTS\I T\SPOWELL\Backup_Test_File_2012_10_10.txt', NSR size=812, date=1349942424 10/11/2012 1:00:24 AM, asm-type= aes, file size=66

1 objects found

For completeness sake, here's the output with a capital V. It doesn't list the asm-type...

C:\Users\ITBACKUP>nsrinfo -V -N "R:\xxxx\DEPARTMENTS\I T\SPOWELL\Backup_Test_File_2012_10_10.txt" homedata

scanning client `homedata' for all savetimes from the backup namespace

R:\xxxx\DEPARTMENTS\I T\SPOWELL\Backup_Test_File_2012_10_10.txt, size=812, off=3671214208, app=backup(1), date=1349942424 10/11/2012 1:00:24 AM

1 objects found

Thanks a ton! I knew there was a flag somewhere. Odd that it's not available from mminfo though...

rochem1 · Answer

The nsrinfo utility utilizes indexdb which has the information on each file in the saveset. The mminfo utility uses mmdb which does not have the granularity of the file within the saveset.

Using mminfo would have resulted in reporting that a saveset contains an encrypted file but not the reporting of the individual file. The use of nsrinfo allowed for reporting of an individual file within a saveset.

ble1 · Answer

Indeed, makes sense.

NetWorker

Was this post helpful?