How NetWorker NMM SQL AES backups and restores work
Summary: This article explains how NetWorker Module for Microsoft (NMM) uses advanced encryption standard (AES) encryption for backups and restores.
Instructions
To explain how AES works with NetWorker and NMM SQL backups, consider the following.
There are two parts to AES encryption: server and client.
The server always supports AES; only one setting on the server affects restores: the datazone pass phrase.
The client also supports AES, but it requires two parts.
1. To enable AES on the backup:
This is done with nsrsqlsv -f aes
When -f aes is omitted, the backup is not encrypted with AES and the restore works without any pass phrase.
2. To supply the AES pass phrase on restore:
This is done with nsrsqlrc -e passphrase
-e passphrase is needed only when the datazone pass phrase on the server has changed from the one in use when the backup was taken.
For example, when the backup was made with pass1 and the pass phrase is changed to pass2 today, the client must use -e pass1 or the restore fails.
If today's pass phrase is the same as the one used during the backup, the client can still restore the backup using -e pass1.
The server controls the pass phrase, not the client.
The client must know which pass phrase to use on the restore command if the original pass phrase has changed.
Example:
Server pass phrase       | backup            | restore        | outcome
-------------------------+-------------------+----------------+------------------------------------------------------------
i)   monday              | with -f aes       | without -e     | success, because the pass phrase is the same
ii)  changed to tuesday  | (same backup as i)| without -e     | failed: cannot restore because the pass phrase today is tuesday and the backup was taken with pass phrase monday
iii) still tuesday       | (same backup as i)| with -e monday | success, because the backup was taken with pass phrase monday and the restore used -e monday
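Added example (not from the original article or from NetWorker itself): a small Python helper that keeps a record of when the server's datazone pass phrase changed and works out, for an AES backup taken on a given date, whether nsrsqlrc needs -e and which pass phrase to pass, following the rules above. The pass phrase history, dates and phrase values are constructed placeholders.

```python
from bisect import bisect_right
from datetime import date

# Constructed sample: datazone pass phrase changes on the NetWorker server,
# oldest first. The values are illustrative placeholders, not real pass phrases.
PASSPHRASE_HISTORY = [
    (date(2024, 1, 1), "monday-phrase"),   # phrase in effect from Monday
    (date(2024, 1, 2), "tuesday-phrase"),  # changed on Tuesday
]


def passphrase_in_effect(history, when):
    """Return the datazone pass phrase that was active on the given date."""
    dates = [d for d, _ in history]
    idx = bisect_right(dates, when) - 1
    if idx < 0:
        raise ValueError("no pass phrase recorded for %s" % when)
    return history[idx][1]


def restore_args(history, backup_date, aes_backup, today):
    """Extra arguments nsrsqlrc needs for a backup taken on backup_date.

    Returns [] when -e is not required, or ['-e', <phrase>] when the datazone
    pass phrase changed after the backup. A backup made without -f aes is not
    AES-encrypted and never needs a pass phrase.
    """
    if not aes_backup:
        return []
    backup_phrase = passphrase_in_effect(history, backup_date)
    current_phrase = passphrase_in_effect(history, today)
    if backup_phrase == current_phrase:
        return []  # server still holds the pass phrase that encrypted the backup
    return ["-e", backup_phrase]


def restore_would_succeed(history, backup_date, aes_backup, e_arg, today):
    """Mirror the outcome table: the restore succeeds when the pass phrase
    nsrsqlrc ends up using (the -e value, else the server's current one)
    matches the pass phrase that was in effect when the backup was taken."""
    if not aes_backup:
        return True
    backup_phrase = passphrase_in_effect(history, backup_date)
    used = e_arg if e_arg is not None else passphrase_in_effect(history, today)
    return used == backup_phrase
```

Passing -e with the original pass phrase is always safe, so a restore script that records the phrase in effect at backup time never depends on whether the server has changed it since.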
How AES protects the backups.
AES protects the backups when the datazone pass phrase changes.
AES protects the backups against a restore from the same media on a different NetWorker server that does not have the pass phrase: the new NetWorker server does not hold the pass phrase from the original server.
The NetWorker client for file system backup works the same way. If a backup was taken with AES and pass phrase pass1, and the server has since changed it to pass2, the client recover command can use -p pass1 to recover a backup made with the older pass phrase.