h_fahim

asked on

What if ex-staff who know the passphrase and get hold of one of the tapes can restore it at a different location

What if ex-staff who know the passphrase and get hold of one of the tapes can restore it at a different location? I mean, is the encryption key stored on a local drive, and does it have to be backed up first to the server before restoring the tapes?

It is a risk if the restoration depends only on knowing the passphrase, without depending on a key that is saved on a local drive. As I mentioned, anyone who left the foundation and gets hold of any old tapes can restore them to a server with Backup Exec installed, as long as he knows the old passphrase that they used to encrypt these tapes, or a key has to be backed up first on this server to validate the passphrase.

 
Thomas Rush

If you're using the backup application to manage (generate and store) the encryption keys, then *anyone* who knows the key or passphrase (depending on how the key was created) and has that backup application can decrypt the data on the tape.

This is why you still need to protect the keys/passphrase, and the physical media.

A solution like HP's Encryption Kit for the MSL libraries may be a step more secure, because you have to physically have the encryption kit token and its password, plus a tape library, to be able to decrypt the tapes.

Using the backup application to manage the keys also has the issue that anyone who has access to the backup application can change the properties of a backup job to not use encryption, and after the job starts, change it back. Unless you pay **very close** attention to your logs, there will be only one person in the company who knows that *this* tape is not encrypted... some kind of hybrid SW/HW solution is much, much stronger (again, see the encryption kit for HP MSL libraries at http://www.hp.com/go/msl).
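The log review mentioned in the answer above can be automated. As an added example (not part of the thread, and not Backup Exec's own log format), this Python script scans a constructed audit trail in a hypothetical CSV layout and flags every job run that started while the job's encryption setting was off or had never been recorded; the event names, field order and sample lines are assumptions.

```python
import csv
import io

# Constructed sample audit trail. The CSV layout (timestamp,user,event,job,detail)
# and the event names are hypothetical, not Backup Exec's real audit log format.
SAMPLE_LOG = """\
2024-03-01T18:00:00,alice,JOB_PROPERTY_CHANGED,NightlyFull,encryption=AES256
2024-03-04T21:55:10,bob,JOB_PROPERTY_CHANGED,NightlyFull,encryption=none
2024-03-04T22:00:00,system,JOB_STARTED,NightlyFull,media=TAPE0042
2024-03-04T22:03:30,bob,JOB_PROPERTY_CHANGED,NightlyFull,encryption=AES256
2024-03-05T22:00:00,system,JOB_STARTED,NightlyFull,media=TAPE0043
2024-03-05T23:00:00,system,JOB_STARTED,WeeklyArchive,media=TAPE0050
"""


def find_unencrypted_runs(log_text):
    """Return one finding per job run that began with encryption off or unrecorded."""
    state = {}     # job name -> (encryption setting, user who set it, timestamp)
    findings = []
    # ISO 8601 timestamps sort chronologically as plain strings; skip blank rows.
    rows = sorted(r for r in csv.reader(io.StringIO(log_text)) if r)
    for ts, user, event, job, detail in rows:
        key, _, value = detail.partition("=")
        if event == "JOB_PROPERTY_CHANGED" and key == "encryption":
            state[job] = (value.lower(), user, ts)
        elif event == "JOB_STARTED":
            # A job with no recorded setting is reported too: its tape cannot be
            # shown to be encrypted from the log alone.
            setting, changed_by, changed_at = state.get(job, ("unknown", None, None))
            if setting in ("none", "unknown"):
                findings.append({
                    "job": job, "media": value, "started": ts,
                    "encryption": setting,
                    "changed_by": changed_by, "changed_at": changed_at,
                })
    return findings


if __name__ == "__main__":
    for finding in find_unencrypted_runs(SAMPLE_LOG):
        print(finding)
```

Each finding names the tape that needs to be treated as unencrypted and the account that made the last encryption change before the run started.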
h_fahim

ASKER

Thank you.

Does this mean that the passphrase (encryption key) is not stored in any location on the local drive?

How is this passphrase validated at a different location where Backup Exec is installed?
ASKER CERTIFIED SOLUTION
Thomas Rush