About encryption key management

When a user creates an encryption key, Backup Exec marks that key with an identifier based on the logged-on user’s security identifier. The person who creates the key becomes the owner of the key.

Backup Exec stores the keys in the Backup Exec database. However, Backup Exec does not store the pass phrases for the keys. The owner of each key is responsible for remembering the pass phrase for the key.

To protect your keys, Symantec recommends the following:

  • Maintain a written log of the pass phrases. Keep the log in a safe place in a separate physical location from the encrypted backup sets.

  • Back up the Backup Exec database. The database keeps a record of the keys.

Caution:

If you do not have a backup of the Backup Exec database and do not remember your pass phrases, you cannot restore data from the encrypted media. In addition, Symantec cannot restore encrypted data in this situation.

A key that is created on a media server is specific to that media server. You cannot move keys between media servers. However, you can create new keys on a different media server by using existing pass phrases. A pass phrase always generates the same key. In addition, if you delete a key accidentally, you can recreate it by using the pass phrase.

If a Backup Exec database becomes corrupted on a media server and is replaced by a new database, you must manually recreate all of the encryption keys that were stored on the original database.

If you move a database from one media server to another media server, the encryption keys remain intact as long as the new media server meets the following criteria:

  • Has the same user accounts as the original media server.

  • Is in the same domain as the original media server.

More Information

Encryption keys

About pass phrases in encryption

About deleting an encryption key

Replacing an encryption key

Deleting an encryption key

About encryption key management