Backup Exec 20.2 Administrator's Guide
- Introducing Backup Exec
- Installation
- Methods for installing the Agent for Windows
- Using a command prompt to install the Agent for Windows on a remote computer
- Using a command script to install the Agent for Windows
- Installing the Remote Administrator
- Installing Backup Exec using the command line (silent mode)
- Backup Exec license contract information
- About upgrading to Backup Exec
- Getting Started
- Backups
- Backing up data
- Restores
- How Backup Exec catalogs work
- Job management and monitoring
- Alerts and notifications
- Enabling active alerts and alert history to display on the Home tab
- Adding a recipient group for alert notifications
- Sending a notification when a job completes
- SNMP traps for Backup Exec alerts
- Disk-based and network-based storage
- Configuring disk storage
- Configuring disk cartridge storage
- Backup sets
- Cloud-based storage devices
- Amazon S3 cloud-based storage
- Google cloud-based storage
- Microsoft Azure cloud-based storage
- Private cloud-based storage
- About S3-Compatible Cloud Storage
- About the Backup Exec™ CloudConnect Optimizer
- Legacy backup-to-disk folders
- Legacy backup-to-disk folders
- Legacy backup-to-disk folders
- Tape storage
- Robotic libraries in Backup Exec
- Creating robotic library partitions
- Managing tapes
- Creating media sets for tapes
- Labeling tape media
- Default media vaults
- Storage device pools
- Storage operations
- Conversion to virtual machines
- Configuration and settings
- Using Backup Exec with firewalls
- Deleting DBA-initiated job templates
- Backup Exec logon accounts
- Reports
- Creating a custom report
- List of Backup Exec standard reports
- Instant Cloud Recovery
- Preconfigurations to be completed in the Azure portal
- Troubleshooting Backup Exec
- Troubleshooting failed components in the SAN
- Generating a diagnostic file for troubleshooting Backup Exec
- Using Backup Exec in cluster environments
- Configurations for Backup Exec and Microsoft Cluster Servers
- Disaster recovery of a cluster
- Simplified Disaster Recovery
- Setting or changing the alternate location for the disaster recovery information file
- Creating a Simplified Disaster Recovery disk image
- Preparing to recover from a disaster by using Simplified Disaster Recovery
- Recovering a computer with Simplified Disaster Recovery
- Performing manual disaster recovery
- Integration with Veritas™ Information Map
- Appendix A. Backup Exec Agent for Windows
- About the Backup Exec Agent Utility for Windows
- Appendix B. Backup Exec Deduplication Feature
- Creating or importing deduplication disk storage
- Selecting storage devices for direct access sharing
- Appendix C. Backup Exec Agent for VMware
- About establishing trust for a vCenter/ESX(i) server
- Backing up VMware virtual machines
- About instant recovery of a VMware virtual machine
- About Recovery Ready for VMware virtual machines
- Appendix D. Backup Exec Agent for Microsoft Hyper-V
- Backing up Microsoft Hyper-V virtual machines
- About instant recovery of a Hyper-V virtual machine
- About Recovery Ready for Hyper-V virtual machines
- Appendix E. Backup Exec Agent for Microsoft SQL Server
- Backing up SQL databases and transaction logs
- Restoring SQL databases and transaction logs
- Disaster recovery of a SQL Server
- Appendix F. Backup Exec Agent for Microsoft Exchange Server
- Backing up Exchange data
- Appendix G. Backup Exec Agent for Microsoft SharePoint
- Backing up Microsoft SharePoint data
- Appendix H. Backup Exec Agent for Oracle on Windows or Linux Servers
- Configuring the Oracle Agent on Windows computers and Linux servers
- Configuring an Oracle instance on Windows computers
- Viewing an Oracle instance on Windows computers
- About authentication credentials on the Backup Exec server
- About backing up Oracle databases
- About restoring Oracle resources
- Appendix I. Backup Exec Agent for Enterprise Vault
- About backup methods for Enterprise Vault backup jobs
- Restoring Enterprise Vault
- About the Backup Exec Migrator for Enterprise Vault
- Configuring the Backup Exec Migrator
- About retrieving migrated Enterprise Vault data
- About the Partition Recovery Utility
- Appendix J. Backup Exec Agent for Microsoft Active Directory
- Appendix K. Backup Exec Central Admin Server Feature
- About installing the Central Admin Server feature
- What happens when CAS communication thresholds are reached
- About job delegation in CAS
- How to use Backup Exec server pools in CAS
- How centralized restore works in CAS
- Appendix L. Backup Exec Advanced Disk-based Backup Feature
- Appendix M. Backup Exec NDMP Feature
- About restoring and redirecting restore data for NDMP servers
- Viewing the properties of an NDMP server
- Viewing storage properties for an NDMP server
- Appendix N. Backup Exec Agent for Linux
- About installing the Agent for Linux
- About establishing trust for a remote Linux computer in the Backup Exec list of servers
- Editing configuration options for Linux computers
- About backing up a Linux computer by using the Agent for Linux
- About restoring data to Linux computers
- Editing the default backup job options for Linux computers
- Uninstalling the Agent for Linux
- Appendix O. Backup Exec Remote Media Agent for Linux
- About installing the Remote Media Agent for Linux
- About establishing trust for a Remote Media Agent for Linux computer in the Backup Exec list of servers
- About the Backup Exec operators (beoper) group for the Remote Media Agent for Linux
- About adding a Linux server as a Remote Media Agent for Linux
- Editing properties for the Remote Media Agent for Linux
- Creating a simulated tape library
- Viewing simulated tape libraries properties
- Appendix P. Accessibility and Backup Exec
- About keyboard shortcuts in Backup Exec
- Backup and Restore tab keyboard shortcuts
- Storage tab keyboard shortcuts
Using encryption with Backup Exec
Backup Exec provides you with the ability to encrypt data. When you encrypt data, you protect it from unauthorized access. Anyone that tries to access the data has to have an encryption key that you create. Backup Exec provides software encryption, but it also supports some devices that provide hardware encryption with the T10 standard. Backup Exec configures encryption when you specify which storage devices that you want to use for a backup job.
Backup Exec supports two security levels of encryption: 128-bit Advanced Encryption Standard (AES) and 256-bit AES. The 256-bit AES encryption provides a stronger level of security because the key is longer for 256-bit AES than for 128-bit AES. However, 128-bit AES encryption enables backup jobs to process more quickly. Hardware encryption using the T10 standard requires 256-bit AES.
When you run a duplicate backup job, any backup sets that are already encrypted are not re-encrypted. However, you can encrypt any unencrypted backup sets.
For information about the best practices of Backup Exec software encryption, refer to Backup Exec Best Practices.
This topic includes the following information:
Restricted keys and common keys
When you install Backup Exec, the installation program installs encryption software on the Backup Exec server and on any remote computers that use a Backup Exec agent. Backup Exec can encrypt data at a computer that uses a Backup Exec agent, and then transfer the encrypted data to the Backup Exec server. Backup Exec then writes the encrypted data on a set-by-set basis to tape or to disk storage.
Backup Exec encrypts the following types of data:
User data, such as files and Microsoft Exchange databases.
Metadata, such as file names, attributes, and operating system information.
On-tape catalog file and directory information.
Backup Exec does not encrypt Backup Exec metadata or on-disk catalog file and directory information.
You can use software compression with encryption for a backup job. First Backup Exec compresses the files, and then encrypts them. However, backup jobs take longer to complete when you use both encryption compression and software compression.
It is recommended that you avoid using hardware compression with software encryption. Hardware compression is performed after encryption. Data becomes randomized during the encryption process. Compression does not work effectively on data that is randomized.
Backup Exec supports hardware encryption for any storage devices that use the T10 encryption standard. When you use hardware encryption, the data is transmitted from the host computer to the storage device and then encrypted on the device. Backup Exec manages the encryption keys that are used to access the encrypted data.
Backup Exec only supports approved devices for T10 encryption.
Note:
Hardware encryption that uses the T10 standard requires 256-bit AES. Backup Exec does not let you enable hardware encryption for a job unless it uses at least a 16-character pass phrase.
You must create encryption keys to use encryption in Backup Exec. When a user creates an encryption key, Backup Exec marks that key with an identifier based on the logged-on user's security identifier. The person who creates the key becomes the owner of the key.
If you use encryption for synthetic backups, all of the associated backups must use the same encryption key. Do not change the encryption key after the baseline is created. The encryption key that you select for the baseline backup is automatically applied to all associated backups.
When you select encrypted data for restore, Backup Exec verifies that encryption keys for the data are available in the database. If any of the keys are not available, Backup Exec prompts you to recreate the missing keys. If you delete the key after you schedule the job to run, the job fails.
If Backup Exec cannot locate an encryption key while a catalog job is running, Backup Exec sends an alert. You can then recreate the missing encryption key if you know the pass phrase.
Simplified Disaster Recovery supports the recovery of computers with previously encrypted backup sets. If you have Simplified Disaster Recovery backups that are encrypted during backup, the Recover This Computer wizard prompts you for the pass phrase of each encrypted backup set that is required to complete the recovery.
See Encryption key management.
Backup Exec has the following types of encryption keys:
Table: Types of encryption keys
Key type | Description |
---|---|
Common | Anyone can use the key to encrypt data during a backup job and to restore encrypted data. |
Restricted | Anyone can use the key to encrypt data during a backup job, but users other than the key owner must know the pass phrase. If a user other than the key owner tries to restore the encrypted data, Backup Exec prompts the user for the pass phrase. If you cannot supply the correct pass phrase for the key, you cannot restore the data. |
Encryption keys require a pass phrase, which is similar to a password. Pass phrases are usually longer than passwords and are comprised of several words or groups of text. A good pass phrase is between 8 and 128 characters. The minimum number of characters for 128-bit AES encryption is eight. The minimum number of characters for 256-bit AES encryption is 16. It is recommended that you use more than the minimum number of characters.
Note:
Hardware encryption that uses the T10 standard requires 256-bit AES. Backup Exec does not let you enable hardware encryption for a job unless it uses at least a 16-character pass phrase.
Also, a good pass phrase contains a combination of upper and lower case letters, numbers, and special characters. You should avoid using literary quotations in pass phrases.
A pass phrase can include only printable ASCII characters, which are characters 32 through 126. ASCII character 32 is the space character, which is entered using the space bar on the keyboard. ASCII characters 33 through 126 include the following:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ
[\]^_'abcdefghijklmnopqrstuvwxyz{|}~