If you plan to encrypt your backups with NetVault, you will want to understand the fundamentals of the encryption algorithms NetVault uses, which algorithm is best suited to your data, and whether encryption is deemed a requirement. Encryption and decryption consume resources on their respective machines; backups should therefore be encrypted only when security requirements outweigh the impact to performance, backup windows, and restore times.
NetVault Backup has two categories of encryption, Standard and Advanced, which are explained in more detail below.
NetVault Backup Plug‑in for Standard Encryption (Plug‑in for Standard Encryption): The Plug‑in for Standard Encryption supports the CAST-128 algorithm to protect your data and meet regulatory requirements.
CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key size between 40 and 128 bits, in 8-bit increments.
NetVault Backup Plug‑in for Advanced Encryption (Plug‑in for Advanced Encryption): The Plug‑in for Advanced Encryption supports AES-256 and CAST-256 algorithms to protect your data and meet the regulatory requirements.
NOTE: The CAST-128 and CAST-256 encryption algorithms do not comply with the requirements of the United States Federal Information Processing Standard (FIPS). These algorithms are provided for the restoration of legacy data. For FIPS compliance, use the AES-256 algorithm.
When installed on the NetVault Backup Client, these plug-ins encrypt and transfer data across the network to the backup device, where the data remains encrypted until restored to the client. If encryption is only required for secondary storage, job-level encryption offers the choice of encrypting only the secondary copy while the primary backup remains unencrypted to shrink the backup window. When using disk-based storage devices, job‑level deduplication allows you to separate deduplicated from nondeduplicated unencrypted data for optimal deduplication ratios and performance.
The Plug‑in for Standard Encryption and the Plug‑in for Advanced Encryption are installed and licensed separately. For a list of NetVault Backup Plug-ins that are incompatible with the Plug‑in for Standard Encryption and the Plug‑in for Advanced Encryption, see the respective release notes.
NOTE: The NetVault Backup encryption architecture only supports the Electronic Code Book (ECB) mode of operation. This support means that every data block is encrypted individually. If two or more consecutive blocks contain identical data, the encrypted forms of these blocks are also identical.
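The effect described in the note above can be measured. The following is an added example, not NetVault code: it uses a toy 16-round Feistel cipher with a 64-bit block as a stand-in for a real block cipher (it is not CAST-128 or AES), and all function names, the key and the sample data are constructed for illustration. It counts repeated ciphertext blocks under ECB and, for comparison, under a chained mode (CBC) built on the same toy cipher.

```python
import hashlib
from collections import Counter

BLOCK = 8  # 64-bit block, the block size the page gives for CAST-128

def _round(half: bytes, key: bytes, i: int) -> bytes:
    # Toy round function (SHA-256 based); a stand-in, NOT CAST-128's F function.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def encrypt_block(block: bytes, key: bytes, rounds: int = 16) -> bytes:
    """Encrypt one 8-byte block with a toy 16-round Feistel network."""
    left, right = block[:4], block[4:]
    for i in range(rounds):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(right, key, i)))
    return right + left

def pad(data: bytes) -> bytes:
    # PKCS#7-style padding up to a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    # ECB: every block is encrypted on its own, with no link to its neighbours.
    data = pad(data)
    return b"".join(encrypt_block(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))

def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    # Chained mode for comparison: each block is XORed with the previous ciphertext block.
    data, prev, out = pad(data), iv, []
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)), key)
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier block."""
    counts = Counter(ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK))
    return sum(c - 1 for c in counts.values())

# Constructed sample: a zero-filled (sparse) region around one 8-byte record.
SAMPLE = b"\x00" * 64 + b"RECORD01" + b"\x00" * 64
KEY = b"constructed-demo-key"
IV = bytes(range(8))  # fixed only to keep the demo deterministic

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(SAMPLE, KEY)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(SAMPLE, KEY, IV)))
```

In the ECB output the zero-filled blocks on both sides of the record encrypt to the same ciphertext block, so the layout of the data remains visible even though its content is not.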
The backup encryption and decryption processes are performed by the plug-in installed on the NetVault Backup Server or Client. These processes use resources on the machine. The encryption process lengthens the time it takes to perform backups, while the decryption process lengthens the time it takes to perform restores. The impact to the performance of the client, backup window, and restore time should be considered when deciding which backups must be encrypted. In summary, backups should only be encrypted when security requirements outweigh the impact to performance, backup windows, and restore times.
Lastly, some plug-ins are incompatible with the NetVault Encryption Plugin; these are highlighted below: