Instructions
To explain how AES works with NetWorker and NMM SQL backups, consider the following.
There are two parts to AES encryption: the server and the client.
For the server: it always supports AES. Only one thing on the server affects restores:
the datazone pass phrase.
For the client: it also supports AES, and it needs two parts:
1. Enable AES on the backup.
That is accomplished with nsrsqlsv -f aes
When -f aes is omitted, the backup is not encrypted with AES, and the restore then works normally without any pass phrase.
2. Supply the AES pass phrase on restore.
That is accomplished with nsrsqlrc -e passphrase
IMPORTANT
-e passphrase is needed ONLY WHEN
the datazone pass phrase on the server has CHANGED from what was used for the backup.
For example, when the backup was made with pass1
and today the pass phrase changes to pass2,
THEN the client MUST use -e pass1 or it will FAIL.
However, if the pass phrase today is the SAME as the pass phrase used during
the backup, the client is still able to restore the backup when using -e pass1.
The server controls the pass phrase, not the client.
The client must know which pass phrase to use on the restore command if the original pass phrase has changed.
Example:

      Server pass phrase    Backup         Restore           Outcome
      ==================    ===========    ==============    =======
i)    monday                with -f aes    without -e        Success, because the pass phrase is the same.
ii)   changed to tuesday    -----------    without -e        Failed! Cannot restore, because the pass phrase today is
                                                             tuesday and the backup was taken with pass phrase monday.
iii)  still tuesday         -----------    with -e monday    Success, because the backup was taken with pass phrase
                                                             monday and the restore used -e monday.
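An added example (not part of the original article and not Dell code): a shell helper that decides whether a restore needs -e, given a record of when the datazone pass phrase changed. The history values, dates and function names are constructed for illustration; the helper also handles a backup dated before the first recorded pass phrase.

```shell
#!/bin/sh
# Constructed sample: datazone pass phrase history, one "effective-date value"
# per line, oldest first. "monday"/"tuesday" mirror the table above. Keep real
# pass phrases in a secrets store, not in a script (assumption of this example).
PASSPHRASE_HISTORY='2024-01-01 monday
2024-03-15 tuesday'

# Print the pass phrase in effect on DATE (YYYY-MM-DD).
# Returns 1 if DATE predates the first recorded entry.
passphrase_on() {
    _want=$(printf '%s' "$1" | tr -d -)      # 2024-02-10 -> 20240210
    _found=''
    while read -r _from _value; do
        [ -n "$_from" ] || continue
        if [ "$(printf '%s' "$_from" | tr -d -)" -le "$_want" ]; then
            _found=$_value                    # latest entry not after DATE wins
        fi
    done <<EOF
$PASSPHRASE_HISTORY
EOF
    [ -n "$_found" ] || return 1
    printf '%s\n' "$_found"
}

# Print the extra option nsrsqlrc needs to restore a backup taken on
# BACKUP_DATE when the restore runs on RESTORE_DATE:
#   nothing            if the datazone pass phrase is unchanged (row i)
#   -e <old phrase>    if it changed after the backup (rows ii and iii)
# Returns 2 if the history does not cover one of the dates.
restore_opts() {
    _at_backup=$(passphrase_on "$1") || {
        echo "no pass phrase recorded for backup date $1" >&2; return 2; }
    _at_restore=$(passphrase_on "$2") || {
        echo "no pass phrase recorded for restore date $2" >&2; return 2; }
    if [ "$_at_backup" != "$_at_restore" ]; then
        printf '%s\n' "-e $_at_backup"
    fi
}

# Row iii: backup taken under "monday", restore run after the change to "tuesday".
echo "extra nsrsqlrc option: $(restore_opts 2024-02-10 2024-03-20)"
```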
NOTE
How AES protects the backups.
AES protects the backups if the datazone pass phrase changes.
= one needs the old pass phrase to restore
AES protects the backups if a person tries to restore the backup from the same media
using a different NetWorker server which does not have the pass phrase.
= the new NetWorker server will not know the pass phrase from the original server.
The NetWorker client works the same way for file system backups:
if the backup was taken with AES and pass phrase = pass1
and the server has changed it to pass2,
then the client recover command can use -p pass1
to recover a backup with an older pass phrase.
Affected Products
NetWorker Module for Microsoft