How is backup encryption handled?

  • 22 July 2021
  • 5 replies

Userlevel 1
Badge +7

Hi guys,
I’m struggling with encryption in a mixed environment.

On the GlobalDedupePolicyCopy, I did not activate encryption.
On the Client Advanced Property I enable encryption.
On the subClient Property I enable encryption on Network & Media.

Executed jobs are listed as encryption enabled.

  • Does this mean that the backups have been encrypted?
  • Are the backups deduplicated against unencrypted backups within the same StoragePolicy? (which might result in a mix of encrypted and unencrypted data for the same job)
  • Since encryption is defined in the GDP and I already have two DDB partitions per MediaAgent, do I have to deploy additional MediaAgents to host the dedicated encryption backups, in case I want to enable that on the Storage Policy?

best regards


Best answer by MichaelCapon 22 July 2021, 13:19


Userlevel 6
Badge +14

Hello Klaus,

Can you confirm which Agent type this is for? - Usually (depending on Agent/Configuration) the data is Compressed, Deduplicated and then encrypted (where applicable).

Do you see any stats in the Agent logs for encryption?


From the “Jobs in Storage Policy Copies Report” you should be able to validate if the job is encrypted. ref:


Best Regards,


Userlevel 1
Badge +7

Hi @MichaelCapon ,
I’m using a wide range of agents.
Virtual Server Agents, multiple database types, NAS ….

I can see the jobs marked as encrypted in the JobsInStoragePolicyCopy report.

For the VirtualServerAgent, this is only available AFTER the first backup of a VM, because the VM's Client Resource has to be encryption enabled as well to see the job as encrypted in the JobsInStoragePolicyCopy report.

This results in a procedure: back up a VM; modify VM client resource; delete first backup job in all copies; redo an initial backup of that VM.
The settings added at the Virtualization Client (vCenter) are not automatically honored for the content (VMs).

And since I still think that encryption is done after dedupe hash generation, the blocks might not be stored encrypted if already stored unencrypted in the StoragePolicy through a non-encrypted backup of another VM.

Best Regards
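
The concern in the post above (a signature taken before encryption lets an encryption-enabled job reference blocks already stored in the clear), modelled as an added example that is not part of the thread and is not Commvault code. `DedupeStore`, `toy_encrypt`, `pool_by_encryption` and the sample data are hypothetical and constructed; it is a generic dedupe-then-encrypt model that makes no claim about how Commvault stores blocks, and it goes beyond the post by also modelling a store that keeps encrypted and unencrypted blocks in separate pools.

```python
import hashlib
import hmac

BLOCK = 8  # tiny block size so the constructed sample spans several blocks

def toy_encrypt(key, sig, block):
    """Stand-in cipher (HMAC-SHA256 keystream XOR), for illustration only."""
    stream = hmac.new(key, sig.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(block, stream))

class DedupeStore:
    """Hypothetical store: signature over plaintext first, encryption afterwards."""
    def __init__(self, key, pool_by_encryption=False):
        self.key = key
        self.pool_by_encryption = pool_by_encryption
        self.blocks = {}  # block ref -> (encrypted_at_rest, stored_bytes)
        self.jobs = {}    # job name -> (encryption_requested, [block refs])

    def backup(self, job, data, encrypt):
        refs = []
        for i in range(0, len(data), BLOCK):
            block = data[i:i + BLOCK]
            sig = hashlib.sha256(block).hexdigest()
            # Shared pool: ref is the signature alone. Separate pools: the
            # encryption state is part of the ref, so the pools never mix.
            ref = (sig, encrypt if self.pool_by_encryption else None)
            if ref not in self.blocks:  # only unseen refs are written
                stored = toy_encrypt(self.key, sig, block) if encrypt else block
                self.blocks[ref] = (encrypt, stored)
            refs.append(ref)
        self.jobs[job] = (encrypt, refs)

    def plaintext_refs(self, job):
        """Refs of an encryption-enabled job whose block is stored in the clear."""
        encrypt, refs = self.jobs[job]
        return [r for r in refs if encrypt and not self.blocks[r][0]]

def run_demo(pool_by_encryption):
    # Constructed sample: two VMs sharing two OS blocks; only vm_b asks for encryption.
    store = DedupeStore(b"constructed-demo-key", pool_by_encryption)
    store.backup("vm_a", b"OSIMAGE1OSIMAGE2APPDATA_", encrypt=False)
    store.backup("vm_b", b"OSIMAGE1OSIMAGE2SECRETS!", encrypt=True)
    return store

if __name__ == "__main__":
    for pooled in (False, True):
        s = run_demo(pooled)
        print(f"separate pools={pooled}: vm_b flagged encrypted={s.jobs['vm_b'][0]}, "
              f"plaintext blocks referenced={len(s.plaintext_refs('vm_b'))}, "
              f"blocks stored={len(s.blocks)}")
```

In the shared-pool model the job-level flag and the at-rest state of the blocks diverge, which is why a per-job "encrypted" column in a report does not by itself answer the question asked in this thread.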

Userlevel 1
Badge +7

Unfortunately my answer was blocked due to content I’m not aware of.
Maybe it will be visible within the next 24hrs.

Userlevel 7
Badge +23

@johanningk , your reply was set to pending.  I’m not sure why just yet, though I approved it.

edit: As I suspected after looking at your post, the word ‘hash’ was flagged….I removed that from the list of suspicious words as it has a valid meaning in IT :nerd:

Userlevel 7
Badge +23

@johanningk , following up on this (after the blocked reply) to see if you had any further questions.