Networker

Re: [Networker] Networker Encryption ???

2007-07-16 02:11:22
Subject: Re: [Networker] Networker Encryption ???
From: Peter Viertel <Peter.Viertel AT MACQUARIE DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Mon, 16 Jul 2007 16:07:59 +1000
According to the manual, yes. In practice, not really.

For versions 7.3 and 7.4 you can set up a 256 bit symmetric encryption
key on the server by entering a pass phrase.

Any saveset that gets backed up using the aes directive is encrypted
with that key.

Data backed up via a non file-based module such as exchange or oracle,
or the SYSTEM STATE or ASR backup is not encrypted therefore, as
directives don't come into it. You can't compress and encrypt together
either because compression is selected by a directive as well.

The encryption is useful for securing tapes in transit, but the key is
difficult to obscure, and it ends up in plaintext logs all over the
place usually - I don't know what the key exchange method is between the
client and the server but I suspect it's probably capable of being
picked up off the wire in plaintext.

There isn't any concept of protecting a single client's data from the
backup administrators, or of integrating an HSM to protect the key, or
for that matter having multiple keys, or being able to expire data by
forgetting keys.

I've been reviewing tape encryption - there are several products on the
market including tape drives that do it themselves, I do know that Decru
Dataforts encrypt data just before it gets written onto the tapes, and
can recognise NetWorker labels and select from multiple keys when
encrypting based on the pool...  It doesn't solve the client-side
encryption question, but it does let you encrypt the tapes effectively
in transit and you can expire data by dropping keys.


But hey, even though NetWorker can't effectively do encryption the GUI
can operate in French, German or Chinese now, which is clearly much more
important than adding useful features for complying with SOX.

-----Original Message-----
From: EMC NetWorker discussion [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On
Behalf Of fredsharky
Sent: Saturday, 14 July 2007 5:50 AM
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Subject: [Networker] Networker Encryption ???

Does EMC have it and how does it work, sorry for the newb question.

+----------------------------------------------------------------------
|This was sent by fwantl AT acxiom DOT com via Backup Central.
|Forward SPAM to abuse AT backupcentral DOT com.
+----------------------------------------------------------------------

To sign off this list, send email to listserv AT listserv.temple DOT edu and
type "signoff networker" in the body of the email. Please write to
networker-request AT listserv.temple DOT edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

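The reply above notes that the encryption key tends to end up in plaintext logs. As an added example (not part of the original post and not NetWorker code), the following checks log text for a known pass phrase in plaintext, hex, base64 and URL-encoded form and redacts it in the report. The pass phrase, file names and log lines are constructed for illustration.

```python
import base64
import re
from urllib.parse import quote


def secret_patterns(secret):
    """One compiled pattern per form in which the pass phrase could be logged."""
    raw = secret.encode("utf-8")
    forms = {
        "plaintext": secret,
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode("ascii").rstrip("="),
        "url-encoded": quote(secret, safe=""),
    }
    patterns = {}
    for name, text in forms.items():
        if name != "plaintext" and text == secret:
            continue  # encoding left the pass phrase unchanged; plaintext covers it
        flags = re.IGNORECASE if name == "hex" else 0  # hex dumps vary in case
        patterns[name] = re.compile(re.escape(text), flags)
    return patterns


def scan(logs, secret):
    """Return (source, line_no, form, redacted_line) for each exposure found."""
    patterns = secret_patterns(secret)
    findings = []
    for source, text in logs.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            hits = [form for form, p in patterns.items() if p.search(line)]
            if not hits:
                continue
            redacted = line
            for p in patterns.values():  # never copy the secret into the report
                redacted = p.sub("[REDACTED]", redacted)
            findings.extend((source, line_no, form, redacted) for form in hits)
    return findings


# Constructed pass phrase and log text; not real NetWorker output.
SECRET = "tape vault 2007!"
LOGS = {
    "server.log": "group Default started\n"
                  f"pass phrase set to {SECRET}\n",
    "client-debug.log": f"arg={SECRET.encode().hex().upper()}\n"
                        f"hdr={base64.b64encode(SECRET.encode()).decode()}\n"
                        f"GET /cfg?pp={quote(SECRET, safe='')}\n",
}

if __name__ == "__main__":
    for finding in scan(LOGS, SECRET):
        print(*finding, sep=" | ")
```

Any hit means the pass phrase should be rotated and the affected logs restricted or purged, since every saveset encrypted with that key is readable to whoever can read the log.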