How NetWorker NMM SQL AES backups and restores work.

To explain how AES works with Networker , and NMM SQL backups  consider the following. 

There are two parts to AES encryption.  
Server and client 
For Server ; it supports AES always;   only 1 thing changes on server that affects restores = that is =  

datazone pass phrase  

For client ; it also supports AES ;  it needs 2 parts   

   1.  to enable AES on the the backup;  
   
   That is accomplished with      nsrsqlsv -f aes    

   when this -f aes is omitted; backup is not encrypted with aes   restore then will work normally without any pass phrase.

   2.  to enable AES pass phrase on restore 
   
   That is accomplished with  nsrsqlrc  -e passphrase 
   
   IMPORTANT  
   
   -e passphrase is needed ONLY WHEN
   
   the datazone pass phrase in Server has CHANGED from what was used in backup ; 
   
   for example when backup was made with pass1 
   and today the pass phrase changes to pass2 
   THEN client MUST use -e pass1 or it will FAIL.  
   
   However if the pass phrase today is the SAME as pass phrase used during
   the Backup,  the client is still able to restore the backup with using -e pass1

   The server controls the pass phrase not the client. 
   The client must know what pass phrase to use on restore command if the original pass phrase has changed.

Example, 

  Server  
  pass phrase  ; backup       ;  restore ;      outcome  
  ;=================================================
i)    monday       ; with  -f aes  ;  without -e  ;  success  because pass phrase is same    
  
ii)  changed to
  tuesday     ;            -------------   ;  without -e  ;  failed !!     cannot restore because pass phrase today is tuesday 
  and backup was taken with pass phrase monday

iii)    still 
  tuesday      ;    ----------------   ;  with -e monday ; success ;  because the backup was taken with pass phrase monday  
  and restore used  -e monday 

  ;=======================================

NOTE 
How AES protects the backups.

AES protects the backups if the datazone pass phrase changes.
= one needs the old pass phrase to restore 

AES protects the backups if a person tries to restore the backup from same media 
using a different Networker server which does not have the pass phrase.
=  the new Networker server wil not know the pass phrase from original server.


Networker client - for file system backups works  same way 
if backup was taken with aes and pass phrase = pass1 
and server has changed it to pass2 
then the client recover command can use -p pass1 
to recover a backup with an older pass phrase