Bucky Backup - Encryption

This document describes encryption options for the Bucky Backup service.

SSL Transport Encryption

Starting with Spectrum Protect client versions 7.1.8 and 8.1.4, SSL transport encryption is used by default and is required. The first time the client connects to the server, a certificate is exchanged, and all further communication requires SSL. As a result, a client installed on a new machine, for example after a hardware upgrade or in a disaster recovery situation, may be unable to connect (client upgrades are not affected). In order to connect, you'll need intervention from a Bucky Backup admin. Contact the Help Desk or email bbsupport@doit.wisc.edu.

We recommend that you upgrade your client to gain support for SSL transport encryption.

Encryption At Rest

Bucky Backup is now using encrypted disk storage pools. Starting in 2019, any new data backed up to Bucky Backup Enterprise and Lite is being stored in encrypted storage pools. Some older data may not be encrypted yet, but over time all data will be.

Encrypting Your Files

Bucky Backup also supports further encrypting backup data at the file level. This method is not enabled by default, so additional configuration is required. You can encrypt some or all of your data, down to file-level granularity. Encryption at rest generally covers most security requirements, but encrypting the files themselves can provide an additional barrier for highly sensitive data.

Once configured, the Bucky Backup client encrypts the data you have specified on the client itself, before it reaches the network. The data is encrypted end-to-end, meaning both during transport over the network and while at rest on disk or tape. The Spectrum Protect client uses keys to encrypt your data. Unlike node passwords, encryption keys cannot be "reset", so if you forget or lose your key, your data is not retrievable (see below).

There are three methods available for your key storage:

Which Type of Key Encryption to Use:

How to Use Key Encryption:

Tips

INCLUDE.encrypt Examples
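
The following client options fragment is an added illustration, not taken from the Bucky Backup documentation. It shows file-level encryption scoped to one directory tree; the paths are constructed, and the `encryptiontype` and `encryptkey` values are one possible choice, not a recommendation from this page.

```conf
* Added example: constructed paths, not Bucky Backup's own configuration.
* Lines beginning with an asterisk are comments in Spectrum Protect option files.

* Use AES-256 for client-side file encryption.
encryptiontype   AES256

* Prompt for the encryption key instead of storing it on this machine.
* A lost key cannot be reset, so record it somewhere safe before the first backup.
encryptkey       prompt

* Encrypt every file under the (hypothetical) research data directory,
* including all of its subdirectories.
include.encrypt  /data/research/.../*

* Leave the (hypothetical) scratch subdirectory unencrypted at the file level.
* Include/exclude statements are evaluated from the bottom of the list up,
* so this narrower rule is placed last to take precedence for scratch files.
exclude.encrypt  /data/research/scratch/.../*
```

Files that match no `include.encrypt` statement are still backed up; they are protected only by SSL transport encryption and encryption at rest.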

For more information on include/exclude statements, please see: Bucky Backup - Includes and Excludes in TSM