
Encryption and Security



 

 

I was just wondering about encryption "over the wire" during backups not via internet (standard LAN-based backup)? I know the catalog sets are encrypted when they get to the server, but what about from the client during the transfer?

 

 

 

Also...someone cornered me about passwords; how are they stored on the server and on the client and are they also encrypted?

 

 

 

I've got a few people that had too much coffee this morning and they seem to be drawn only to my office.

 

 

 

Thanks....


Here's the scoop:

 

 

 

RETROSPECT SECURITY (MACINTOSH)

 

 

 

Retrospect and its client software provide measures to maintain data security during and after the backup process. There are four areas of security within Retrospect and its client software:

 

 

 

- The Retrospect application password
- Backup Set password protection and encryption
- Client security codes
- Network (Link) Encryption

 

 

 

Retrospect Application Password

 

 

 

This measure prevents unauthorized personnel from using the Retrospect application. It requires that the user type in a password when Retrospect launches or when the user tries to halt an operation in unattended mode.

 

 

 

The application password is stored in an encrypted format in the Retro.Config configuration file, the same file that stores passwords for client computers and protected Backup Sets. Though someone could gain access to Retrospect by moving or deleting the configuration file, this also eliminates access to protected clients and Backup Sets. If you want to prevent access to the System Folder and the configuration file from the Finder, you should use a hard disk security program.

 

 

 

Backup Set Encryption

 

 

 

The following dialog appears when securing a new Backup Set.

 

 

 

Password Only (no encryption)

 

The data itself is unchanged, but a password is required whenever the Backup Set is accessed. In versions of Retrospect earlier than 3.0, rebuilding the Backup Set’s catalog from the media can circumvent this, so use a recent version for more security.

 

 

 

SimpleCrypt (fast)

 

SimpleCrypt uses a proprietary Vernam cipher with cipher-block chaining and was designed to be both fast and secure. It provides commercial-level security without appreciably slowing the backup process on all but the slowest computers. SimpleCrypt is more than adequate for the vast majority of users' requirements.

 

 

 

DES (more secure)

 

DES (Data Encryption Standard) is an advanced form of data encryption that achieves bank-level security. The effect on backup speed is entirely dependent on the processor, but may take three to four times as long as an equivalent backup to a Backup Set that is not encrypted. Only the most security-conscious organizations require this level of data encryption.

 

 

 

Saving the Backup Set Password

 

Retrospect can store the Backup Set password for you so you do not always have to enter it to use the Backup Set. Go to Configure>Backup Sets, select the desired Backup Set, click Configure, and then click the Options tab.

 

 

 

 

 

 

 

If the Password options are dimmed, the Backup Set was not secured when it was created. You can't add security to an unsecured Backup Set.

 

 

 

Ask for any access

 

Retrospect will prompt the user to enter the Backup Set's password, preventing unattended operation. This is the preferable setting if many people have access to the backup computer and the backups are done through Immediate>Backup. This asks for the password only once after Retrospect is opened (until it is quit and launched again).

 

 

 

Save for scripted access (default)

 

The password is not required for scheduled executions of scripts, but Retrospect still requires that the user enter the password for all other uses of the Backup Set. This includes Backup Set configuration and any action involving a Browser of that Backup Set, such as immediate backup and immediate restore. This asks for the password only once after Retrospect is opened (until it is quit and launched again).

 

 

 

Save for any access

 

You will never be asked for the password unless the configuration file is moved, deleted, or lost.

 

 

 

Client Security Code

 

 

 

You, as the backup administrator, assign client security codes when installing new clients. With Retrospect version 3.0 and later you can add or change a security code from the client configuration window.

 

 

 

When configuring the client you can choose to use no code, the same code for all client computers, or a different code for each client. The codes are stored both in the configuration file and in the client software itself. If the configuration file is removed, you must provide the client security code before each client can be logged in again.

 

 

 

It is important for backup administrators to keep records of all passwords, including security codes. If the configuration file is removed and the security codes are lost, the administrator must re-install all clients with the original software.

 

 

 

Network (Link) Encryption

 

 

 

This option ensures that someone cannot access data sent across the network with a network-monitoring tool. This uses the SimpleCrypt encryption method and slows performance by about 10%. Link encryption can be implemented only in conjunction with a security code.

 

 

 

To enable link encryption the client must be logged in. For a client that is not logged in, first go to Configure>Clients then click Network to show the clients on the network window. Select the client and click Log In, and give the security code.

 

 

 

To enable link encryption for a logged-in client, go to Configure>Clients, select a client from the client database, then click Configure. Retrospect takes you to its client configuration window. Click the Link Encryption checkbox and click OK.

 

 

 

Additional Security

 

 

 

If you desire a higher level of security, you should rely on other measures such as physical network/media/machine security and local encryption of the data on the original hard drive.

 

 

 

 

 

Copyright © 2000 Dantz Development Corporation. Although reasonable care has been taken to ensure its accuracy, this information is supplied without warranty.

 

 


  • 4 months later...

 

 

Can you point me to a source of information which would explain how to password protect media? The media is AIT tapes and there are 4 tapes to a backup set.

 

Thanks, Heather.

 

I've partially quoted some previous information below:

 

 

 

Here's the scoop:

 

RETROSPECT SECURITY (MACINTOSH)

 

Retrospect and its client software provide measures to maintain data security during and after the backup process. There are four areas of security within Retrospect and its client software:

 

 

 

- The Retrospect application password
- Backup Set password protection and encryption
- Client security codes
- Network (Link) Encryption

 

 

 

Additional Security

 

 

 

If you desire a higher level of security, you should rely on other measures such as physical network/media/machine security and local encryption of the data on the original hard drive.

 

 

 

 

 

Copyright © 2000 Dantz Development Corporation. Although reasonable care has been taken to ensure its accuracy, this information is supplied without warranty.

 

 

 

 


Archived

This topic is now archived and is closed to further replies.
