
How to do tape encryption using DPM


Harsh Mittal

Jul 17, 2007, 10:28:18 AM
What Are Certificates? [v2]
Introduction
Digital certificates are electronic credentials that are used to certify the
online identities of individuals, computers, and other entities on a
network. Digital certificates function similarly to identification cards
such as passports and drivers' licenses. They are issued by certification
authorities (CAs) that must validate the identity of the certificate holder,
both before the certificate is issued and when the certificate is used.
Common uses include business scenarios requiring authentication, encryption,
and digital signing.

Data Protection Manager (DPM) supports the following types of certificates
for media encryption:

· Self-signed certificates

· Imported certificates from certification authorities

In addition DPM supports backup and recovery of certificates.

Self-Signed Certificates
Self-signed certificates are not signed by a certificate authority. These
certificates ensure that encrypted Web connections are in place; however,
they do not guarantee the identity of the organization that generated the
certificate. Self-signed certificates are useful if the ability to encrypt
data is more important than the ability to identify the issuing
organization.

Imported Certificates
Certification authority (CA) certificates are certificates that are issued
by a CA to itself or to a second CA for the purpose of creating a defined
relationship between the two CAs.

A certificate that is issued by a CA to itself is referred to as a trusted
root certificate, because it is intended to establish a point of ultimate
trust for a CA hierarchy.

After the trusted root has been established, it can be used to authorize
subordinate CAs to issue certificates on its behalf.

Although the relationship between CAs is most commonly hierarchical, CA
certificates can also be used to establish trust relationships between CAs
in two different public key infrastructure (PKI) hierarchies.

In all of these cases, the CA certificate is critical to defining the
certificate path and usage restrictions for all end entity certificates
issued for use in the PKI.

How to Create Self-Signed Certificates for Successful Encryptions [v2]
Introduction
DPM supports two types of certificates to successfully encrypt data at a
protection group level: self-signed certificates and certificates imported
from a certificate authority (CA). You can create a self-signed certificate
using makecert.exe.

Important You should use a certificate store to securely store your
certificates. The .snk files used by this tool store private keys in an
unprotected manner. When you create or import a .snk file, you should be
careful to secure it during use and remove it when you are done.

SSL server certificates for Internet Information Services (IIS) are stored
in the "Personal" ("My") certificate store of the "computer account"
("localMachine"). The "Certificates" snap-in of the Microsoft Management
Console (mmc.exe) must be used to manage these certificates. The certificate
management window (accessible from "Internet Properties" / "Content" /
"Certificates" or from "Control Panel" / "Users and Passwords" / "Advanced"
/ "Certificates") cannot be used.

Procedures


To create a self-signed certificate

· See Internet Information Services (IIS) Server Certificate
Installation Instructions (http://go.microsoft.com/fwlink/?LinkID=92669).


How to Install and Remove Certificates from a Certificate Authority [v2]
Introduction
DPM supports two types of certificates to successfully encrypt data at a
protection group level: self-signed certificates and certificates imported
from a certificate authority (CA). Click the link in the following procedure
to get information about how to install and remove trusted certificates.

Note SSL server certificates for Internet Information Services (IIS) are
stored in the "Personal" ("My") certificate store of the "computer account"
("localMachine"). The "Certificates" snap-in of the Microsoft Management
Console (mmc.exe) must be used to manage these certificates. The certificate
management window (accessible from "Internet Properties" / "Content" /
"Certificates" or from "Control Panel" / "Users and Passwords" / "Advanced"
/ "Certificates") cannot be used.

Procedures


To install and remove trusted certificates

· See "Installing and Removing Trusted Certificates" in
Chapter 6. Digital Certificates
(http://go.microsoft.com/fwlink/?LinkId=92560).


How to Import Certificates into DPMBackupStore [v2]
Introduction
Before you can use encryption in DPM, you need to do the following:

· Import certificates from a CA or create a self-signed certificate

· Manage your account in Microsoft Management Console (MMC)

· Import certificates into DPMBackupStore

When you import a certificate, you copy the certificate from a file that
uses a standard certificate storage format to a certificate store for your
user account or your computer account.

The following procedures describe how to manage your account in MMC and
import certificates into the DPM certificate store, DPMBackupStore.

Procedures


To manage your account in MMC

· See Manage Certificates for Your User Account
(http://go.microsoft.com/fwlink/?LinkId=92788).


To import certificates into DPMBackupStore

1. In MMC, open the Certificates snap-in.

2. In the console tree, click DPMBackupStore.

3. On the Action menu, point to All Tasks, and then click Import
to start the Certificate Import Wizard.

4. Click Next.

5. Type the name of the file that contains the certificate to be
imported, or click Browse and navigate to the file.

Certificates can be stored in several different file formats. The most
secure format is Public-Key Cryptography Standard (PKCS) #12, an encryption
format that requires a password to encrypt the private key. For optimum
security, send certificates using this format.

If the certificate file is in a format other than PKCS #12, skip to
step 8.

If the certificate file is in the PKCS #12 format, do the following:

a. In the Password box, type the password used to encrypt the private
key. You must have access to the password that was originally used to secure
the file.

b. (Optional) If you want to be able to use strong private key
protection, select the Enable strong private key protection check box, if
available.

c. (Optional) If you want to back up or transport your keys at a
later time, select the Mark key as exportable check box.

6. Click Next.

7. In the Certificate Store dialog box, select Place all
certificates in the following store, click Browse, and select
DPMBackupStore.

8. Click Next, and then click Finish.

Note The file from which you import certificates remains intact
after you have imported the certificates. You can use Windows Explorer to
delete the file if it is no longer needed.


To import self-signed certificates into DPMBackupStore Using
Makecert.exe

· Type the following command:

Makecert.exe -r -n "CN=MyCertificate" -ss DPMBackupStore -sr localmachine -sky exchange -sp "Microsoft RSA Schannel Cryptographic Provider" -sy 12 -e <expiry date in mm/dd/yy format>


How to Encrypt Data in a Protection Group [v2]
Introduction
One of the benefits of storing backups on tape is portability. However, if
the tapes get in the wrong hands, data security could be compromised. DPM
supports encrypting data on tape for long-term protection. The following
procedure shows you how to encrypt data that will be backed up on tape.

Procedures


To encrypt data in a protection group

9. In DPM Administrator Console, click Protection on the
navigation bar.

10. On the Actions menu, click Create protection group. This launches
the Create New Protection Group Wizard.

11. Select the members of the protection group by selecting the check
boxes in the Available members pane, and then click Next.

12. Select short-term objectives for the protection group, and click
Next.

13. Select long-term protection for the protection group, and click
Next.

14. On the Specify Tape and Library Details page, specify details
about the tape and library that you would like to use for backup.

15. In the Tape options for long-term protection pane, click Encrypt
data.

Note A valid encryption certificate must be available on the DPM
server to support this long-term protection option.

16. Click Next.

17. Specify advanced options for the protection group, and click
Next.

18. On the Summary page, click Create Group.

Note If you want to encrypt data in a protection group that
has already been created, in DPM Administrator Console, on the navigation
bar, click Protection. Select a protection group. Then, on the Actions menu,
click Modify protection group. Follow the Modify Protection Group Wizard,
and on the Specify Tape and Library Details page, click Encrypt data.


Thanks,

Harsh [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
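
The note in the encryption procedure above requires a valid encryption certificate on the DPM server. The following PowerShell check is an added example, not part of the original post or of DPM: it lists the certificates in the DPMBackupStore store of the local machine and reports validity, private-key presence and exportability. The 60-day warning threshold and the function name Get-DpmCertStatus are assumptions made for the example.

```powershell
# Added example (not from the original post): audit the DPM encryption store.
# Run in an elevated Windows PowerShell session on the DPM server.
$storePath = 'Cert:\LocalMachine\DPMBackupStore'  # store and location named in the post
$warnDays  = 60                                   # assumed warning threshold

# Hypothetical helper: classify a certificate by its validity window.
function Get-DpmCertStatus {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [datetime]$Now,
        [int]$WarnDays
    )
    if ($Now -lt $Cert.NotBefore) { return 'NotYetValid' }
    if ($Now -gt $Cert.NotAfter)  { return 'Expired' }
    if (($Cert.NotAfter - $Now).TotalDays -lt $WarnDays) { return 'ExpiringSoon' }
    return 'Valid'
}

if (-not (Test-Path -Path $storePath)) {
    Write-Warning "$storePath not found: no certificate has been created or imported yet."
    return
}

$now = Get-Date
$report = foreach ($cert in Get-ChildItem -Path $storePath) {
    $exportable = 'n/a'
    if ($cert.HasPrivateKey) {
        try {
            # Readable for CSP-backed keys, such as those created with -sp / -sy 12
            $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
        } catch {
            $exportable = 'unknown'
        }
        if ($null -eq $exportable) { $exportable = 'unknown' }
    }
    [pscustomobject]@{
        Subject       = $cert.Subject
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        NotAfter      = $cert.NotAfter
        Status        = Get-DpmCertStatus -Cert $cert -Now $now -WarnDays $warnDays
        HasPrivateKey = $cert.HasPrivateKey
        Exportable    = $exportable
    }
}
$report | Format-Table -AutoSize

# Flag the case where nothing in the store is both in date and has a private key.
$usable = @($report | Where-Object { $_.HasPrivateKey -and $_.Status -in 'Valid','ExpiringSoon' })
if ($usable.Count -eq 0) { Write-Warning 'No currently valid certificate with a private key in DPMBackupStore.' }
```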

Harsh Mittal

Jul 18, 2007, 10:24:48 AM
Let me make it a bit simpler

Data Protection Manager (DPM) supports the following types of certificates
for media encryption:

Self signed and Certificates issued by CA

- Self-signed certificates - You can create a self-signed certificate
using makecert.exe (ships with Visual Studio 2005).
e.g. Makecert.exe -r -n "CN=MyCertificate" -ss DPMBackupStore -sr localmachine -sky exchange -sp "Microsoft RSA Schannel Cryptographic Provider" -sy 12 -e <expiry date in mm/dd/yy format>


Now you are ready to encrypt tapes. In the Data Protection Wizard, select the
encrypt checkbox. Wow!! You have encrypted tapes :) DPM utilizes AES 256-bit
encryption to make tape backups secure.


If you want to use a CA cert, instead of using makecert do the following:

- Imported certificates from certification authorities
This can be done by using the Certificate management MMC.

To import certificates into DPMBackupStore
1. In MMC, open the Certificates snap-in.
2. In the console tree, click DPMBackupStore.
3. On the Action menu, point to All Tasks, and then click
Import to start the Certificate Import Wizard.
4. Click Next.
5. Type the name of the file that contains the certificate
to be imported, or click Browse and navigate to the file.

6. Click Next, and then click Finish.


Stay secure! And let us know how it works.


Thanks,
Harsh [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


J&J

Jul 2, 2010, 3:43:33 AM
I'm very curious to know if DPM has an option to encrypt a file server in a disk-to-disk scenario!

Thx a lot,
J&J
