h_fahim
asked on
What if ex-staff who know the passphrase and get hold of one of the tapes can restore it at a different location?
What if ex-staff who know the passphrase and get hold of one of the tapes can restore it at a different location? I mean, is the encryption key stored on a local drive, and does it have to be backed up first to the server before restoring the tapes?
It is a risk if the restoration depends only on knowing the passphrase, without depending on a key that is saved on a local drive. As I mentioned, if anyone who left the foundation gets hold of any old tapes, he can restore them to a server with Backup Exec installed as long as he knows the old passphrase that they used to encrypt these tapes, or a key has to be backed up first on this server to validate the passphrase.
ASKER
thank you
Does this mean that the passphrase (encryption key) is not stored in any location on the local drive?
How is this passphrase validated at a different location where Backup Exec is installed?
ASKER CERTIFIED SOLUTION
This is why you still need to protect the keys/passphrase, and the physical media.
A solution like HP's Encryption Kit for the MSL libraries may be a step more secure, because you have to physically have the encryption kit token and its password, plus a tape library, to be able to decrypt the tapes.
Using the backup application to manage the keys also has the issue that anyone who has access to the backup application can change the properties of a backup job to not use encryption, and after the job starts, change it back. Unless you pay **very close** attention to your logs, there will be only one person in the company who knows that *this* tape is not encrypted... some kind of hybrid SW/HW solution is much, much stronger (again, see the encryption kit for HP MSL libraries at http://www.hp.com/go/msl).
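
The log check described in the last comment, as an added example that is not part of the original thread and not the backup product's own code: it replays job-setting changes and job starts in time order and reports every run that began while encryption was switched off. The event format, job names, users and tape labels are constructed for illustration; a real audit log would have to be mapped into this shape first.

```python
from datetime import datetime

# Constructed audit events in a hypothetical normalized format
# (time, user, job, event, detail); not the backup product's own log layout.
SAMPLE_EVENTS = [
    ("2024-03-01T21:00:00", "svc_backup", "NightlyFull", "job_start", "media=TAPE001"),
    ("2024-03-02T20:55:10", "jdoe", "NightlyFull", "encryption_set", "off"),
    ("2024-03-02T21:00:00", "svc_backup", "NightlyFull", "job_start", "media=TAPE002"),
    ("2024-03-02T21:03:42", "jdoe", "NightlyFull", "encryption_set", "on"),
    ("2024-03-03T21:00:00", "svc_backup", "NightlyFull", "job_start", "media=TAPE003"),
    ("2024-03-03T22:10:00", "jdoe", "WeeklyArchive", "encryption_set", "off"),
]


def find_unencrypted_runs(events, default_encrypted=True):
    """Replay events in time order.

    Returns (findings, still_off): runs that started while encryption was
    disabled, and jobs whose encryption is still disabled at the end.
    """
    encrypted = {}   # job -> current encryption setting
    last_off = {}    # job -> (time, user) of the change that disabled it
    findings = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for ts, user, job, event, detail in ordered:
        if event == "encryption_set":
            encrypted[job] = detail == "on"
            if detail == "off":
                last_off[job] = (ts, user)
        elif event == "job_start" and not encrypted.get(job, default_encrypted):
            off_ts, off_user = last_off.get(job, (None, None))
            findings.append({
                "job": job,
                "started": ts,
                "media": detail.partition("=")[2],
                "disabled_at": off_ts,
                "disabled_by": off_user,
            })
    still_off = sorted(j for j, on in encrypted.items() if not on)
    return findings, still_off


if __name__ == "__main__":
    runs, still_off = find_unencrypted_runs(SAMPLE_EVENTS)
    for r in runs:
        print(f"{r['media']}: {r['job']} started {r['started']} unencrypted "
              f"(disabled {r['disabled_at']} by {r['disabled_by']})")
    print("encryption still off for:", still_off)
```

Each finding names the media that should be treated as unencrypted and the account that made the change, which is the information the comment says only one person would otherwise have.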