Understanding the Encryption Algorithms used by the NetVault Plug-in(s) for Encryption

If you are planning to encrypt your backups with NetVault, then you are probably going to want to look into the fundamental aspects of the encryption algorithms used by NetVault, and understand which algorithm is best suited for your data and if deemed as a requirement. Encryption/decryption processes use resources on their respective machines, therefore, backups should only be encrypted when security requirements outweigh the impact to performance, backup windows, and restore times.

NetVault Backup has two categories for Encryption, Standard and Advanced, and these are explained in more detail below.

NetVault Backup Plug‑in for Standard Encryption (Plug‑in for Standard Encryption): The Plug‑in for Standard Encryption supports CAST-128 algorithm to protect your data and meet the regulatory requirements.

CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key size of between 40 to 128 bits, but only in 8-bit increments. 

NetVault Backup Plug‑in for Advanced Encryption (Plug‑in for Advanced Encryption): The Plug‑in for Advanced Encryption supports AES-256 and CAST-256 algorithms to protect your data and meet the regulatory requirements.

  • CAST-256: CAST-256 uses the same elements as CAST-128, but it is adapted for a block size of 128 bits — twice the size of its 64-bit predecessor. Acceptable key sizes are 128, 160, 192, 224 and 256 bits. CAST-256 is composed of 48 rounds, sometimes described as 12 “quad-rounds”, arranged in a generalized Feistel network.
  • AES-256: Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. The standard consists of three block ciphers, AES-128, AES-192, and AES-256. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively.


 NOTE: The CAST-128 and CAST-256 encryption algorithms do not comply with the requirements of the United States Federal Information Processing Standard (FIPS). These algorithms are provided for the restoration of legacy data. For FIPS compliance, use the AES-256 algorithm.


When installed on the NetVault Backup Client, these plug-ins encrypt and transfer data across the network to the backup device, where the data remains encrypted until restored to the client. If encryption is only required for secondary storage, job-level encryption offers the choice of encrypting only the secondary copy while the primary backup remains unencrypted to shrink the backup window. When using disk-based storage devices, job‑level deduplication allows you to separate deduplicated from nondeduplicated unencrypted data for optimal deduplication ratios and performance.

The Plug‑in for Standard Encryption and the Plug‑in for Advanced Encryption are installed and licensed separately. For a list of NetVault Backup Plug-ins that are incompatible with the Plug‑in for Standard Encryption and Plug‑in for Standard Encryption, see the respective release notes.


NOTE: The NetVault Backup encryption architecture only supports the Electronic Code Book (ECB) mode of operation. This support means that every data block is encrypted individually. If two or more consecutive blocks contain identical data, the encrypted forms of these blocks are also identical.


The backup encryption and decryption processes are performed by the plug-in installed on the NetVault Backup Server or Client. These processes use resources on the machine. The encryption process lengthens the time it takes to perform backups, while the decryption process lengthens the time it takes to perform restores. The impact to the performance of the client, backup window, and restore time should be considered when deciding which backups must be encrypted. In summary, backups should only be encrypted when security requirements outweigh the impact to performance, backup windows, and restore times.

Lastly, there are some plug-ins that are incompatible with the NetVault Encryption Plugin, these are highlighted below:

  • NetVault Backup Plug-in for Consolidation
  • NetVault Backup Plug-in for NDMP
  • NetVault Backup Plug-in for SnapMirror to Tape
  • NetVault Backup Plug-in for Informix
  • NetVault Backup Plug-in for Teradata
  • NetVault Backup Plug-in for NetWare: If you enable encryption for a backup, the saveset header indicates that the backup is encrypted, and when you try to restore the data, the plug-in requests for the encryption key. However, the saveset does not contain any encrypted data.
  • NetVault Bare Metal Recovery Plug-ins:
    - Plug-in Offline Client ignores the encryption settings as the client is taken offline for backup.
    - Plug-in Live Client cannot recover encrypted backups.
About the Author
I help our customers solve complex problems with the NetVault Backup Software. I enjoy engaging with our customers and learning their environments so I can provide the best possible support to them. I...