bpinst      -CRYPT      [-client_libraries       directory]       [-crypt_option
              option][-crypt_strength strength] [-passphrase_prompt |-passphrase_stdin]
              [-verbose] [ [-policy_encrypt 0 |  1]  -policy_names]  name1  [name2  ...

       Note:     You  must  have  NetBackup Encryption, a separately priced product, in
                 order to use this command.


       The bpinst command, used with the -CRYPT option,  installs  and  configures  the
       NetBackup  Encryption  product on NetBackup clients that can support encryption.
       On UNIX the command is located in the /usr/openv/netbackup/bin directory. .

              NOTE: If you are using bpinst -CRYPT to configure encryption  on  clients
              that  were not previously configured for encryption, ensure that you push
              the encryption libraries to the clients first with one bpinst command and
              then configure the encryption pass phrase with a separate bpinst command.
              For example:

                    bpinst -CRYPT -client_libraries /usr/openv/lib/client clientname1

                    bpinst -CRYPT -passphrase_prompt clientname1

              If you try to specify both the -client_libraries  and  -passphrase_prompt
              arguments  on  the  same  command line, the pass phrase configuration can
              fail because the encryption  libraries  are  not  yet  available  on  the

       Before  using  this  command,  install  the encryption software on the server as
       explained in the NetBackup Encryption System Administrator's Guide.  Then,  exe-
       cute  bpinst  -CRYPT  on  the  master  server to install and configure NetBackup
       Encryption on the clients. A single execution copies the required files  to  the
       selected  clients and also makes the necessary configuration changes on both the
       clients and the master server.

       Note:     Ensure that the  DISALLOW_SERVER_FILE_WRITES  NetBackup  configuration
                 option  is  not  set  on the client. If this option is set, the server
                 cannot install and configure the software on the client.

       In the following example, bpinst  -CRYPT  installs  and  configures  40-bit  DES
       encryption  software  on  all the UNIX clients in the policy named policy40 (the
       command is all on one line).

       bpinst  -CRYPT  -client_libraries  /usr/openv/lib/client  -crypt_option  allowed
       -crypt_strength des_40 -policy_encrypt 1

       bpinst -CRYPT -passphrase_prompt -policy_names policy40

       The  above  command  uses  the  -policy_encrypt  option  to  set  the Encryption
       attribute for the policy. You can also use the NetBackup  administrator  utility
                 bpinst command to install or configure encryption. The order is impor-
                 tant and do not omit this option.

       -client_libraries directory
                 Installs  the  encryption  libraries on NetBackup clients. This option
                 points to the directory on the master server that contains the  client
                 encryption libraries:

                 On a UNIX server, the library directory is:


                 (by default, install_path is /usr/openv)

                 On a Windows server, the library directory must be:


       -crypt_option option
                 Configures  the  CRYPT_OPTION  configuration  entry  on  the NetBackup
                 clients. If you do not specify -crypt_option, the client allows either
                 encrypted or unencrypted backups (see ALLOWED below).

                 The possible values for option are:

                 DENIED | denied | -1

                 Specifies  that  the  client does not permit encrypted backups. If the
                 server requests an encrypted backup, it is considered an  error.  This
                 option  is  the  default for a client that has not been configured for

                 ALLOWED | allowed | 0

                 Specifies that the client allows either encrypted or unencrypted back-
                 ups. This is the default.

                 REQUIRED |required | 1

                 Specifies  that  the  client requires encrypted backups. If the server
                 requests an unencrypted backup, it is considered an error.

       -crypt_strength strength
                 Configures the CRYPT_STRENGTH configuration  entry  on  the  NetBackup
                 clients. If you do not specify this option, the CRYPT_STRENGTH config-
                 uration entries on the clients remain unchanged.

                 The possible values for strength are:

                 DES_40 | des_40 | 40

                 Specifies 40-bit DES encryption. This  is  the  default  value  for  a

                 The -passphrase_prompt option prompts you to enter a pass phrase.  The
                 actual pass phrase is hidden while you type.

                 The  -passphrase_stdin  option  reads the pass phrase through standard
                 input. You must enter the pass  phrase  twice.  This  option  is  less
                 secure  than  the -passphrase_prompt option because the pass phrase is
                 not hidden. However, it may be more convenient if you are using bpinst
                 -CRYPT in a shell script.

                 NetBackup uses the pass phrase for all the clients that you specify on
                 the bpinst -CRYPT command. If you want separate pass phrases for  each
                 client, enter a separate bpinst -CRYPT command for each client.

                 When  you  specify a pass phrase, bpinst -CRYPT creates or updates the
                 key files on the clients. Encryption  keys  generated  from  the  pass
                 phrase  are  used  for  subsequent  backups.  Old  encryption keys are
                 retained in the key file in order to allow restores of previous  back-

                 If   you   do   not   specify   either   the   -passphrase_prompt   or
                 -passphrase_stdin  option,  the  key  files  on  the  clients   remain

       -verbose  Prints  the  current  encryption configuration of each client and what
                 gets installed and reconfigured on each client.

       -policy_encrypt 0 | 1
                 Sets the Encryption policy attribute for the NetBackup  policies.  You
                 can  include  -policy_encrypt  only with the -policy_names option. The
                 possible values are:

                 0 clears the Encryption attribute (or leaves it clear) so  the  server
                 does  not  request  encryption for clients in this policy. This is the
                 default for policies that are not configured for encryption.

                 1 sets the Encryption attribute so the server requests encryption  for
                 clients in this policy.

                 If  you  do not specify this option, the Encryption attributes for the
                 policies remain unchanged.

                 Specifies that the names you specify with the names  option  are  Net-
                 Backup policy names.

                 If  you  include  the -policy_names option, bpinst -CRYPT installs and
                 configures all the clients in each policy specified.

                 If you omit the -policy_names option, the names are assumed to be Net-
                 Backup client names.

              should not be exportable through NFS.

             The key file must be the same on all nodes in a cluster.

             If you are running NetBackup in a clustered environment, pushing software
              to the client is only allowed from the active node.

             If you are pushing the encryption software to clients located in a  clus-
              ter, specify the hostnames of the individual nodes (not virtual names) in
              the list of clients.

             It is very important to remember pass phrases.  In  a  disaster  recovery
              situation,  you  may  have  to  recreate  a key file on a client by using
              bpinst -CRYPT. For example, suppose a NetBackup  client  named  orca  has
              been performing encrypted backups and an accident occurs that causes orca
              to lose its files. In this case you must reinstall and configure  encryp-
              tion on the client in order to restore your backups.

              The  following  is  the  basic procedure for disaster recovery when using
              encryption (see  the  NetBackup  Troubleshooting  Guide  for  details  on
              restoring  the  operating  system  and NetBackup). This example assumes a
              NetBackup client named orca.

       1.     Reinstall the OS on orca.

       2.     Reinstall and configure the NetBackup client software on orca.

       3.     Reinstall and configure encryption on orca  by  executing  the  following
              command (one line):

              bpinst -CRYPT -client_libraries /usr/openv/lib/client -crypt_option allowed

       4.     Execute bpinst -CRYPT to create a pass phrase.

              bpinst -CRYPT -passphrase_prompt orca
              Enter new NetBackup pass phrase: *********************
              Re-enter new NetBackup pass phrase: *********************

              The pass phrase that you enter here is the first one used on orca.

       5.     Execute bpinst -CRYPT for each subsequent pass phrase used on orca:

              # bpinst -CRYPT -passphrase_prompt orca
              Enter new NetBackup pass phrase: *********************
              Re-enter new NetBackup pass phrase: *********************

       6.     Restore the backed up files to orca.


       Example 1

       You  must install the encryption libraries on the NetBackup master server before

       Example 3

       The following command (all on one line)  specifies  that  the  NetBackup  client
       named strong must use 56-bit DES encryption:

              bpinst -CRYPT -crypt_option required -crypt_strength des_56 strong

       Example 4

       The  following  command  displays a verbose listing of the configuration for the
       client named strong:

              bpinst -CRYPT -verbose strong
              BPCD protocol version 4.5.0 on client strong
              40-bit library version is on client strong
              56-bit library version is on client strong
              BPCD platform is sgi5 for client strong
              Current configuration entries are:
              CRYPT_KEYFILE = /usr/openv/netbackup/keyfile
              CRYPT_LIBPATH = /usr/openv/lib
              CRYPT_OPTION = required
              CRYPT_STRENGTH = des-56
              No update of NetBackup configuration required for client strong
              No update of NetBackup pass phrase required for client strong



             UNIX server command


             UNIX server directory with client libraries


             UNIX client encryption libraries


             UNIX client encryption key file


             UNIX client encryption key file utility



              Copyright 2002-2003 VERITAS Software Corporation. All rights reserved.