Discussions related to exporting backups to tape and backing up directly to tape.
Post Reply
Vejete
Technology Partner
Posts: 65
Liked: 2 times
Joined: Apr 06, 2017 6:23 pm
Full Name: Jim Turner
Location: Edmond, OK
Contact:

Job vs. Media Pool Encryption

Post by Vejete »

Greetings! I've searched the forums but did not turn up an answer, and I'd like a sanity check if possible.

If I have encryption enabled within a backup copy job and also as a property of the tape media pool I'm using for that job, I get hardware compression at the tape drive only, right? I'm assuming that in this scenario, the job option for (software) encryption is ignored.

Thanks for your time and advice.
=====
Jim Turner, VMCE 2020
Master Technologist & BURA Evangelist
Hewlett Packard Enterprise
foggy
Veeam Software
Posts: 21182
Liked: 2163 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Job vs. Media Pool Encryption

Post by foggy »

Hi Jim, if encryption is enabled both in the backup copy job and media pool, data on tape will be encrypted twice. Hardware encryption, however, has a higher priority, Veeam B&R will disable its software encryption if hardware encryption is enabled for the tape device.
Vejete
Technology Partner
Posts: 65
Liked: 2 times
Joined: Apr 06, 2017 6:23 pm
Full Name: Jim Turner
Location: Edmond, OK
Contact:

Re: Job vs. Media Pool Encryption

Post by Vejete »

Thanks foggy, but I thought it would only be encrypted twice if the original backup job had encrypted the backup file on disk. If you then copy that (encrypted) backup file to tape with encryption enabled, yes, it will be doubly encrypted.

Let me reword my original question.
1. Backup file on disk has no encryption.
2. Backup COPY job has encryption enabled.
3. Tape media pool being used by the copy job also has encryption enabled.
4. In this case, I presume that Veeam software encryption at the job level will be ignored because hardware compression at the tape drive takes priority.

Correct or not?
=====
Jim Turner, VMCE 2020
Master Technologist & BURA Evangelist
Hewlett Packard Enterprise
veremin
Product Manager
Posts: 20736
Liked: 2403 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Job vs. Media Pool Encryption

Post by veremin »

Nope, if backup copy job with encryption enabled is a source pf backup to tape job that is pointed to media pool with encryption enabled, a data will be encrypted twice.
Vejete
Technology Partner
Posts: 65
Liked: 2 times
Joined: Apr 06, 2017 6:23 pm
Full Name: Jim Turner
Location: Edmond, OK
Contact:

Re: Job vs. Media Pool Encryption

Post by Vejete »

Okay, I think I get it now.

Image

The highlighted notation above is relevant only to the tape drive and media pool and will have no effect on the job that uses the media pool. So for the media pool (and drives) alone, what the notation is saying is that if the tape drive is incapable of providing hardware-based encryption, Veeam will step in and provide its own software encryption at (I presume) the tape server. But as you all have stated, we would be double-encrypting data because the stream was already encrypted at the source by the backup copy job since we enabled encryption in the advanced settings of the backup copy job.

The wording is very important here, and I think this is one of the things that gave me grief on the VMCE exam.

Thank you all kindly for your guidance and feedback. Much appreciated!
=====
Jim Turner, VMCE 2020
Master Technologist & BURA Evangelist
Hewlett Packard Enterprise
veremin
Product Manager
Posts: 20736
Liked: 2403 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Job vs. Media Pool Encryption

Post by veremin »

what the notation is saying is that if the tape drive is incapable of providing hardware-based encryption, Veeam will step in and provide its own software encryption at (I presume) the tape server
Correct.
Vejete
Technology Partner
Posts: 65
Liked: 2 times
Joined: Apr 06, 2017 6:23 pm
Full Name: Jim Turner
Location: Edmond, OK
Contact:

Re: Job vs. Media Pool Encryption

Post by Vejete »

Spending some time in a Veeam lab now, and I believe I've discovered a fundamental misunderstanding on my part.

When I create a media pool, there is as we see an option to enable encryption and provide a password.

Image

Any copy to tape job that writes to media in that pool will result in the copy on tape being encrypted - either by tape drive HW encryption or Veeam software encryption if the drive is incapable of HW encryption. I'm good there.

My eureka moment came when I went back and looked at every aspect of a copy to tape job. Know what I didn't find? Any place in the tape job to enable encryption and set a password.

So in essence, my original question was faulty. The only encryption option in the whole copy to tape process flow lies within the properties of the target media pool being used.

Now, referring back to one of the previous answers, yes, I do understand that:
  1. IF the source vbk was encrypted by a backup (or backup copy) job,
  2. AND the subsequent copy to tape job writes that encrypted vbk to a media pool with encryption enabled,
  3. THEN you will need both the tape media password and the backup job password to restore from tape because the data on tape is doubly encrypted.
Thank you everyone for your kind assistance. I apologize for my noob questions. Even though I have 20 years of BURA experience (DP, NBU, TSM, CV, etc.), I've so little stick time with Veeam that it's taking a bit to ferret-out features and how they integrate.
=====
Jim Turner, VMCE 2020
Master Technologist & BURA Evangelist
Hewlett Packard Enterprise
haslund
Veeam Software
Posts: 903
Liked: 163 times
Joined: Feb 16, 2012 7:35 am
Full Name: Rasmus Haslund
Location: Denmark
Contact:

Re: Job vs. Media Pool Encryption

Post by haslund »

Notice how the first screen is of a Backup Server connected to Veeam Backup Enterprise Manager and the second one is not.
Rasmus Haslund | Twitter: @haslund | Blog: https://rasmushaslund.com
Vejete
Technology Partner
Posts: 65
Liked: 2 times
Joined: Apr 06, 2017 6:23 pm
Full Name: Jim Turner
Location: Edmond, OK
Contact:

Re: Job vs. Media Pool Encryption

Post by Vejete »

Yes, I pulled the screenshots from two different environments days apart. The presence or absence of Enterprise Manager was incidental and not germane to the question at hand. Nice catch, though. :-)
=====
Jim Turner, VMCE 2020
Master Technologist & BURA Evangelist
Hewlett Packard Enterprise
Post Reply

Who is online

Users browsing this forum: No registered users and 10 guests