BakBone Blog

News & Views from BakBone® Software

Selecting an Encryption Algorithm to use with NetVault: Backup

Posted by Dawn renee Campbell on January 11, 2010


When you are getting ready to deploy NetVault: Backup’s Encryption Plugin to encrypt your backups to meet regulatory or compliance requirements, you need to decide which of the available algorithms to use. To select the appropriate encryption algorithm you need to first understand the different algorithm categories and algorithms that are now available. NetVault: Backup’s available encryption algorithms are divided into two categories: Standard Algorithms and Advanced Algorithms. Each category is detailed below.

Standard Encryption Algorithms

NVBU Encryption Plugin’s Standard Algorithms include the CAST-128 algorithm. CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key size between 40 and 128 bits, in 8-bit increments. For more information on CAST-128, visit: http://en.wikipedia.org/wiki/CAST-128.

The CAST-128 algorithm was previously the only available encryption algorithm and is now available as part of the NVBU Encryption Plugin’s Standard Algorithm Option.  The CAST-128 algorithm is available for evaluations.

Advanced Encryption Algorithms

The NVBU Encryption Plugin’s Advanced Algorithms currently include the CAST-256 and AES-256 algorithms.

CAST-256 uses the same elements as CAST-128, but is adapted for a block size of 128 bits — twice the size of its 64-bit predecessor. Acceptable key sizes are 128, 160, 192, 224 or 256 bits. CAST-256 is composed of 48 rounds, sometimes described as 12 “quad-rounds,” arranged in a generalized Feistel network. For more information on CAST-256, visit: http://en.wikipedia.org/wiki/CAST-256

Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256. Each AES cipher has a 128-bit block size with key sizes of 128, 192 and 256 bits, respectively.  For more information on AES, visit: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

The CAST-256 and AES-256 algorithms are available as part of the NVBU Encryption Plugin’s Advanced Algorithm Option. Unlike the Standard Algorithm Option, the algorithms available as part of the Advanced Algorithm Option are not available for evaluation. The CAST-256 and AES-256 algorithms are available as separate NVBU .npk files and are only usable when a permanent license key for the NVBU Encryption Plugin Advanced Algorithm Option is installed.

The encryption algorithm is specified when configuring the Encryption Plugin on each NVBU Server or Heterogeneous Client. While each NVBU Server or heterogeneous client can use a different encryption algorithm, all backups from a particular NVBU Server or heterogeneous client will use the same algorithm.

The same encryption algorithm that was used during backup must be used during restores. It is possible to switch to a different algorithm for backups from this point forward. However, when restoring backups that used the previous algorithm, the NVBU Server or heterogeneous client must be configured to specify the algorithm used by the backup in order for the restore to complete successfully. For example, if previous backups used the CAST-128 algorithm while current backups use the AES-256 algorithm, the NVBU Encryption Plugin must be configured on the NVBU Server or heterogeneous client to use the CAST-128 algorithm when restoring a backup that was taken using the CAST-128 algorithm; otherwise the restore will fail.
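Because the restore depends on knowing which algorithm was configured when each backup was taken, it helps to keep a change record per machine and check it before a restore. The following is an added example, not part of the original post and not NetVault code; the machine names, dates and the history record are constructed, and it assumes a change applies to backups taken on the change date itself.

```python
from bisect import bisect_right
from datetime import date

# Constructed sample data: the date each machine's Encryption Plugin setting
# was changed. Hypothetical operator-kept record, not read from NetVault.
ALGORITHM_HISTORY = {
    "nvbu-server-01": [(date(2008, 3, 1), "CAST-128"),
                       (date(2010, 1, 15), "AES-256")],
    "hetero-client-07": [(date(2009, 6, 1), "CAST-256")],
}


def algorithm_for_backup(machine, backup_date, history=ALGORITHM_HISTORY):
    """Return the algorithm that was configured when the backup was taken."""
    changes = sorted(history[machine])
    # Index of the last change made on or before the backup date.
    idx = bisect_right([day for day, _ in changes], backup_date) - 1
    if idx < 0:
        raise ValueError(f"{machine}: no algorithm recorded for {backup_date}")
    return changes[idx][1]


def restore_plan(machine, backup_dates, history=ALGORITHM_HISTORY):
    """List (backup date, required algorithm, needs_reconfigure) per restore."""
    current = sorted(history[machine])[-1][1]
    plan = []
    for day in sorted(backup_dates):
        needed = algorithm_for_backup(machine, day, history)
        plan.append((day, needed, needed != current))
    return plan


def algorithms_to_keep(machine, retained_backup_dates, history=ALGORITHM_HISTORY):
    """Algorithms that must stay usable while these backups are retained."""
    return {algorithm_for_backup(machine, d, history) for d in retained_backup_dates}


if __name__ == "__main__":
    for row in restore_plan("nvbu-server-01", [date(2010, 2, 1), date(2009, 5, 5)]):
        print(*row)
```

The set returned by `algorithms_to_keep` shows which algorithms still have retained backups depending on them, which matters for the Advanced Algorithms because they are only usable with their .npk file and license key installed.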

In my next blog, we will explore the difference between encrypting primary backups vs. secondary backups.