Encrypting Primary Backup vs. Secondary Copy Backups with NetVault: Backup
Posted by Dawn renee Campbell on January 13, 2010

You have the NetVault: Backup Encryption Plugin installed and have selected the algorithm you want to use. Now you are wondering whether you should encrypt your primary backups or your secondary copy backups, or maybe you are not even sure of the difference between a primary backup and a secondary backup.
In NetVault: Backup 8.5 (NVBU 8.5), a backup job can be split into two distinct phases: primary backup and secondary copy. The primary backup is the backup of the data stream to the targeted backup device, while the secondary copy is a duplication or data copy of the primary backup to a different backup device, typically for offsite protection.
Prior to NVBU 8.5, your only option was to encrypt both the primary backups and the secondary copy backups. Starting with NVBU 8.5, you can encrypt just the primary backups, just the secondary copy backups, or both. Understanding the difference between primary backups and secondary copy backups will help you choose the best strategy for your environment.
Typically, the primary backup is performed to local disk-based backup devices, such as NetVault: SmartDisk (NVSD) devices, a virtual tape library (VTL) or a shared virtual tape library (SVTL), to enable faster restores, while the secondary copies are targeted to remote disk-based backup devices or physical tape libraries whose tapes are stored offsite for disaster recovery purposes.
Security requirements will typically dictate whether both the primary backups and the secondary copy backups require encryption. For example, if security requirements only require that backups leaving the corporate network (such as those on physical tapes stored in a remote location) be encrypted, then only encrypting the secondary copy backups that target the physical tape library is required. However, if security requirements dictate that data must be encrypted while it transfers across the network and/or while it is stored on a disk-based backup device, even though the disk-based backup device is located within the corporate network, then encrypting both the primary backup and secondary copy backup is required.
Encrypted data does not deduplicate well; therefore, encrypting only the secondary copy backup is beneficial when targeting primary backups to NVSD devices that have the deduplication option enabled. This enables users to take advantage of both encryption and deduplication by deduplicating the primary backup and encrypting the secondary copy.
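To see why encrypted data does not deduplicate well, here is an added example (not from the original post and not NetVault code) that measures the deduplication ratio of five constructed nightly backups, once in plaintext and once encrypted. The 4 KB fixed-size chunking, the SHA-256 counter-mode stand-in cipher and the fresh random nonce per job are assumptions for illustration; they do not model how NVSD or the Encryption Plugin work internally.

```python
import hashlib
import os

CHUNK = 4096  # assumption: fixed-size chunks; real dedup engines vary


def keystream_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), for illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def dedup_ratio(streams) -> float:
    """Chunks written divided by unique chunks a dedup store would keep."""
    total, unique = 0, set()
    for stream in streams:
        for off in range(0, len(stream), CHUNK):
            unique.add(hashlib.sha256(stream[off:off + CHUNK]).digest())
            total += 1
    return total / len(unique)


def compare(nights: int = 5, chunks: int = 64):
    """Return (plaintext_ratio, encrypted_ratio) for constructed backups."""
    key = os.urandom(32)
    base = [os.urandom(CHUNK) for _ in range(chunks)]  # constructed sample data
    plain, enc = [], []
    for night in range(nights):
        base[night] = os.urandom(CHUNK)  # one chunk changes each night
        image = b"".join(base)
        plain.append(image)
        # Assumption: each job encrypts under a fresh random nonce, so
        # identical plaintext chunks produce different ciphertext chunks.
        enc.append(keystream_encrypt(image, key, os.urandom(16)))
    return dedup_ratio(plain), dedup_ratio(enc)


if __name__ == "__main__":
    p, e = compare()
    print(f"plaintext dedup ratio: {p:.2f}:1")
    print(f"encrypted dedup ratio: {e:.2f}:1")
```

The plaintext backups share all but one chunk from night to night, while the encrypted backups share none, which is the reason to deduplicate the primary backup and encrypt only the secondary copy.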
In my next blog, we will discuss the difference between encrypting all your backups and using job-level encryption.
Related links:
Selecting an Encryption Algorithm to use with NetVault: Backup

