Solved

Can DDB Backups be encrypted?

  • 1 March 2022
  • 7 replies
  • 197 views

Badge +1

Hello,

 

I am enabling encryption for my backup data per new requirement by enabling it through the storage policy copy encryption setting.  After subsequent backup jobs have completed I have verified encryption to the backup data is set from the storage policy copy report.  I do not see an indication that the DDB backups are encrypted.    Do they need to be encrypted?  This is a requirement by our auditors and they will see this in the report like I did and might ask me why the DDB backups are excluded.

Thanks.

icon

Best answer by Mike Struening RETIRED 3 March 2022, 18:06

View original

If you have a question or comment, please create a topic

7 replies

Userlevel 7
Badge +23

@JoeT , I don’t know that they can’t be encrypted, though you likely have to enable this at the client level (treating the Media Agent as a client in this case).

Can you see if the MA as a client shows Encryption enabled?

Badge +1

Hi Mike,

Thanks for the quick response.  Yes I do have the MA setup with encryption using the same algorithm as it is in the storage policy.   I have been testing individual MAs and clients this way enabling them first before enabling encryption through the storage policy.  I can’t remember seeing whether the DDB backup was indicating as encrypted from the storage policy report when I only had the MA encryption set.  I do have another MA that is not currently set.  I will set that one at the MA level only and see if it encrypts the DDB backup.

Thanks.

Userlevel 3
Badge +8

If the requirement is only for the backups to be encrypted, lets just say that DDB got into the wrong hands, there’s no “data” so-to-say that’s in the DDB which is doing block-tracking in a sense, that someone could grab and get a hold of your files and folders

Userlevel 7
Badge +23

@Hyder is 100% correct.  The DDB is a list of block IDs, references per ID, and any file we can delete.

It is absolutely useless in any other context.

Userlevel 3
Badge +8

@Mike Struening and still the case where its not required for restore purposes for DR scenarios as well correct?

Badge +1

Thanks everyone as I understand there is no need to encrypt the DDB backup data because in no way contains any company data, it is just pointers to the blocks stored in the disk library that contain the company data which is encrypted and deduplicated.

Userlevel 7
Badge +23

That’s right, @JoeT .  And to confirm what my dear friend @Hyder said, the DDB is only needed for backups and data aging, not restores.