{"id":253,"date":"2009-03-22T17:03:34","date_gmt":"2009-03-22T06:03:34","guid":{"rendered":"http:\/\/nsrd.wordpress.com\/?p=253"},"modified":"2018-12-12T16:25:29","modified_gmt":"2018-12-12T06:25:29","slug":"basics-using-datazone-encryption-with-networker","status":"publish","type":"post","link":"https:\/\/nsrd.info\/blog\/2009\/03\/22\/basics-using-datazone-encryption-with-networker\/","title":{"rendered":"Basics &#8211; Using datazone encryption with NetWorker"},"content":{"rendered":"<p>I&#8217;m not fond of software encryption (or compression, for that matter). Particularly in a 24&#215;7 enterprise environment, clients (i.e., production servers) have better things to be doing than doing on-the-fly software encryption or compression. In these environments, hardware encryption routers should be the product of choice for achieving totally secure backups. Such devices also have advantages in terms of key management \u2013 much more flexible, scalable and appropriate for role based data access.<\/p>\n<p>That being said, in smaller environments, or environments where servers are relatively idle overnight, NetWorker&#8217;s datazone encryption can be sufficient to achieve a reasonable modicum of backup protection with minimum effort \u2013 and most importantly, cost.<\/p>\n<p>To get started using NetWorker datazone encryption, you first need to assign a pass phrase. 
This is done in the NetWorker server properties (typically accessed within NMC):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-255\" title=\"datazone-encryption\" src=\"http:\/\/nsrd.files.wordpress.com\/2009\/03\/datazone-encryption.jpg\" alt=\"datazone-encryption\" width=\"450\" height=\"251\" srcset=\"https:\/\/nsrd.info\/blog\/wp-content\/uploads\/2009\/03\/datazone-encryption.jpg 500w, https:\/\/nsrd.info\/blog\/wp-content\/uploads\/2009\/03\/datazone-encryption-300x167.jpg 300w\" sizes=\"auto, (max-width: 450px) 100vw, 450px\" \/>With the pass phrase in place, you can then configure directives within NetWorker to make use of AES 256 bit encryption. However! As soon as you turn encryption on, you lose <em>all<\/em> potential for hardware based compression for your media. Why? Quite simply, <em>compression<\/em> is about finding patterns in data and reducing all the matching patterns to a single reference point; however, <em>encryption<\/em> is all about eliminating patterns, making the data appear completely random.<\/p>\n<p>Thus, if you want to still get some measure of compression, you should, when using this method, employ software based compression in your directive as well.<\/p>\n<p>Thus, a base directive might look like the following:<\/p>\n<pre>&lt;&lt; \/ &gt;&gt;\n+compressasm: .\n+aes: .<\/pre>\n<p>This will apply compression first to all files encountered, then once the file has been compressed, it will be encrypted. A side benefit of this is that by compressing first, you reduce the amount of data to be encrypted*.<\/p>\n<p>So long as the datazone pass phrase is stored in the server, encryption will occur, and no password will be required to recover the data. 
Remember, this style of encryption, using a single pass-phrase, <em>isn&#8217;t<\/em> about being able to restrict who within the datazone can recover the data, but instead it&#8217;s about keeping the data stored on-tape (which is potentially off-site, or otherwise at higher risk of theft) from being recovered.<\/p>\n<p><strong>[Edit, 2009-08-15]<\/strong><\/p>\n<p>It&#8217;s been pointed out to me that you can&#8217;t compress + encrypt at the client side. Indeed, I&#8217;ve now found the part in the administration guide that explicitly says this. What is <em>extremely disappointing<\/em> about this is that NetWorker actually doesn&#8217;t <em>warn<\/em> you that it&#8217;s not going to compress + encrypt! To me, that&#8217;s a security issue.<\/p>\n<p>So, for the examples above, forget about enabling client side compression as well as encryption &#8211; you can have one or the other, but not both.<\/p>\n<p>&#8212;<br \/>\n* In the same way that ice-cream that&#8217;s 99% fat free, but 87% sugar is a &#8220;benefit&#8221;.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;m not fond of software encryption (or compression, for that matter). 
Particularly in a 24&#215;7 enterprise environment, clients (i.e., production&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[6,16],"tags":[103,1243,1249,1254],"class_list":["post-253","post","type-post","status-publish","format-standard","hentry","category-basics","category-networker","tag-aes","tag-basics","tag-networker","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pKpIN-45","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/comments?post=253"}],"version-history":[{"count":1,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/253\/revisions"}],"predecessor-version":[{"id":7676,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/253\/revisions\/7676"}],"wp:attachment":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/media?parent=253"}],"wp:term":[{"taxonomy":"categor
y","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/categories?post=253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/tags?post=253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}