SYNOPSIS

       /usr/openv/netbackup/bin/bpinst -ENCRYPTION [-force_install]  [-verbose]
              [-policy_names] name1 [name2 ... nameN]

       /usr/openv/netbackup/bin/bpinst -LEGACY_CRYPT [-update_libraries] [-crypt_option
              option][-crypt_strength strength] [-passphrase_prompt |-passphrase_stdin]
              [-verbose]  [  [-policy_encrypt  0  |  1] -policy_names] name1 [name2 ...
              nameN]

       Note:     You must have NetBackup Encryption, a separately  priced  product,  in
                 order to use this command.


DESCRIPTION

       NetBackup  Encryption  provides  file-level  encryption of backups and archives.
       There are two versions:

             -ENCRYPTION is the Standard Encryption method (recommended)

              Provides the ability to encrypt data using  128-bit  or  256-bit  OpenSSL
              ciphers.

             -LEGACY_CRYPT is the Legacy Encryption method

              Provides the user with the encryption strength choices previously
              available (40-bit DES and 56-bit DES).

       The bpinst command, used with  the  -LEGACY_CRYPT  or  the  -ENCRYPTION  option,
       installs  and  configures  the NetBackup Encryption product on NetBackup clients
       that can support encryption.

       Before using this command, install the encryption  software  on  the  server  as
       explained  in  the NetBackup Encryption System Administrator's Guide. Then,
       execute bpinst -LEGACY_CRYPT or -ENCRYPTION on the master  server  to  install
       and configure  NetBackup  Encryption  on  the clients. A single execution copies
       the required files to the selected clients and also makes the  necessary
       configuration changes on both the clients and the master server.

              NOTE:  If  you  are using bpinst -LEGACY_CRYPT to configure encryption on
              clients that were not previously configured for encryption,  ensure  that
              you  push  the  encryption libraries to the clients first with one bpinst
              command and then configure the encryption pass  phrase  with  a  separate
              bpinst command. For example:

                    bpinst -LEGACY_CRYPT -update_libraries

                    bpinst -LEGACY_CRYPT -passphrase_prompt clientname1

              If  you  try to specify both the -update_libraries and -passphrase_prompt
              arguments on the same command line, the  pass  phrase  configuration  can
              fail  because  the  encryption  libraries  are  not  yet available on the
              client.

       the NetBackup System Administrator's Guide.


OPTIONS

       The following options apply to the -ENCRYPTION command.

       -ENCRYPTION
                 Required if using 128- or 256-bit OpenSSL ciphers. This option must be
                 the first option specified when you use the bpinst command to install
                 or configure cipher-based encryption. The order is important; do not
                 omit this option.

       -force_install
                 Installs the client files on the client machine without  checking  the
                 version of any existing files on the client machine.

       -policy_names
                 Specifies  that  the  names you specify with the names option are
                 NetBackup policy names.  If you include the -policy_names option,  bpinst
                 -LEGACY_CRYPT  or  -ENCRYPTION installs and configures all the clients
                 in each policy specified.  If you omit the -policy_names  option,  the
                 names are assumed to be NetBackup client names.

       name1 [ name2 ... nameN ]
                 One or more NetBackup client or policy names, depending on whether you
                 have included the -policy_names option. If you omit the  -policy_names
                 option, the names are assumed to be NetBackup client names.

       -verbose  Prints  the  current  encryption configuration of each client and what
                 gets installed and reconfigured on each client.

       The following options apply to the -LEGACY_CRYPT command.

       -LEGACY_CRYPT
                 Required if using 40- or 56-bit DES encryption.  This option  must  be
                 the  first  option  specified  when you use the bpinst command to
                 install or configure DES encryption. The order is important; do not
                 omit this option.

       -update_libraries

                 Installs  the  encryption  libraries on NetBackup clients. This option
                 applies to the -LEGACY_CRYPT option only.

       -crypt_option option
                 Configures the  CRYPT_OPTION  configuration  entry  on  the  NetBackup
                 clients. If you do not specify -crypt_option, the client allows either
                 encrypted or unencrypted backups (see ALLOWED below).

                 The possible values for option are:

                 DENIED | denied | -1


       -crypt_strength strength
                 Configures  the  CRYPT_STRENGTH  configuration  entry on the NetBackup
                 clients. If you do not specify this option, the CRYPT_STRENGTH
                 configuration entries on the clients remain unchanged.

                 The possible values for strength are:

                 DES_40 | des_40 | 40

                 Specifies  40-bit  DES  encryption.  This  is  the default value for a
                 client that has not been configured for encryption.

                 DES_56 | des_56 | 56

                 Specifies 56-bit DES encryption.

       -passphrase_prompt | -passphrase_stdin

       CAUTION:  Do not forget the pass phrase. If the key file is damaged or lost, you
                 may  need the pass phrase in order to regenerate the key file. Without
                 the proper key file, you cannot restore encrypted backups.   NetBackup
                 uses a pass phrase to create data that it places in a key file on each
                 client. NetBackup then uses the data in the key  file  to  create  the
                 encryption keys required to encrypt and decrypt the backup data.  This
                 option applies to the -LEGACY_CRYPT option only.

                 The -passphrase_prompt option prompts you to enter a pass phrase.  The
                 actual  pass  phrase  is hidden while you type.  The -passphrase_stdin
                 option reads the pass phrase through standard input.  You  must  enter
                 the   pass   phrase  twice.  This  option  is  less  secure  than  the
                 -passphrase_prompt option because the pass phrase is not hidden.
                 However,  it may be more convenient if you are using bpinst -LEGACY_CRYPT
                 in a shell script.  NetBackup uses the pass phrase for all the clients
                 that you specify on the bpinst -LEGACY_CRYPT command. If you want
                 separate  pass  phrases  for  each  client,  enter  a   separate   bpinst
                 -LEGACY_CRYPT command for each client.

                 When  you  specify  a  pass  phrase,  bpinst  -LEGACY_CRYPT creates or
                 updates the key files on the clients. Encryption keys  generated  from
                 the  pass  phrase are used for subsequent backups. Old encryption keys
                 are retained in the key file in order to allow  restores  of  previous
                 backups.

                 If   you   do   not   specify   either   the   -passphrase_prompt   or
                 -passphrase_stdin  option,  the  key  files  on  the  clients   remain
                 unchanged.

       -verbose  Prints  the  current  encryption configuration of each client and what
                 gets installed and reconfigured on each client.

       -policy_encrypt 0 | 1
       -policy_names
                 Specifies that the names you specify with the names  option  are
                 NetBackup  policy names.  If you include the -policy_names option, bpinst
                 -LEGACY_CRYPT or -ENCRYPTION installs and configures all  the  clients
                 in  each  policy specified.  If you omit the -policy_names option, the
                 names are assumed to be NetBackup client names.

       name1 [ name2 ... nameN ]
                 One or more NetBackup client or policy names, depending on whether you
                 have  included the -policy_names option. If you omit the -policy_names
                 option, the names are assumed to be NetBackup client names.


NOTES

       The  following  list  of  notes  applies  to  both  the  -ENCRYPTION   and   the
       -LEGACY_CRYPT  option.  For  additional  information about NetBackup encryption,
       refer to the NetBackup Encryption System Administrator's Guide.

             If you are running NetBackup in a clustered environment, pushing software
              to the client is only allowed from the active node.

             If  you are pushing the encryption software to clients located in a
              cluster, specify the hostnames of the individual nodes (not virtual names)
              in the list of clients.

             In  a  clustered  environment,  after you have successfully installed the
              add-on, unfreeze the node.

             When you finish restoring encrypted files from a client, rename or delete
              the  key file created, and move or rename your own key file to its
              original location or name. If you do not re-establish your  key  file  to
              its original location/name, you may not be able to restore your own
              encrypted backups.

             Existing 40- or 56-bit encryption license keys are valid for upgrades.

       The following list of notes applies to the -LEGACY_CRYPT option only.

             The pass phrase that bpinst -LEGACY_CRYPT sends over  the  network  to  a
              client is encrypted by a privately defined NetBackup 40-bit DES key.

             The  key  file  on  each  NetBackup  client is encrypted with a privately
              defined NetBackup DES key. The key can be 40 bit or 56 bit, depending  on
              how  the  client  is  configured.  Restrict access to the key file to the
              administrator of the client machine. On a UNIX client, the owner  of  the
              key  file  should  be  root and the mode bits should be 600. The key file
              should not be exportable through NFS.

             The key file must be the same on all nodes in a cluster.

             It is important to remember pass phrases. In a disaster  recovery
              situation,  you  may  have  to recreate a key file on a client by using bpinst
              -LEGACY_CRYPT. For example, suppose a NetBackup  client  named  orca  has
              command (one line):

              bpinst -LEGACY_CRYPT -update_libraries -crypt_option allowed

       4.     Execute bpinst -LEGACY_CRYPT to create a pass phrase.

              bpinst -LEGACY_CRYPT -passphrase_prompt orca
              Enter new NetBackup pass phrase: *********************
              Re-enter new NetBackup pass phrase: *********************

              The pass phrase that you enter here is the first one used on orca.

       5.     Execute  bpinst  -LEGACY_CRYPT  for  each  subsequent pass phrase used on
              orca:

              # bpinst -LEGACY_CRYPT -passphrase_prompt orca
              Enter new NetBackup pass phrase: *********************
              Re-enter new NetBackup pass phrase: *********************

       6.     Restore the backed up files to orca.
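
       The key file note above (owner root, mode bits 600, not exportable through
       NFS) can be checked with a script such as the following. This is an added
       example, not part of the NetBackup distribution; the function name
       check_keyfile and the Linux/BSD-style exports layout (exported path in the
       first field) are assumptions.

```shell
#!/bin/sh
# Added example: audit a legacy-encryption key file against the guidance
# in NOTES (owner root, mode 600, not inside an NFS-exported directory).

# check_keyfile KEYFILE [OWNER] [EXPORTS]
#   OWNER    expected owner (default: root)
#   EXPORTS  exports table to scan (default: /etc/exports; assumed to list
#            the exported path in the first field of each line)
# Prints one line per finding. Returns 0 if clean, 1 on findings,
# 2 if the key file does not exist.
check_keyfile() {
    kf=$1
    want_owner=${2:-root}
    exports=${3:-/etc/exports}
    rc=0

    [ -f "$kf" ] || { echo "MISSING $kf"; return 2; }
    if [ -L "$kf" ]; then
        echo "SYMLINK $kf is a symbolic link"; rc=1
    fi

    # ls -ld: field 1 is the mode string, field 3 the owning user.
    set -- $(ls -ld "$kf" | awk '{ print $1, $3 }')
    mode=$1
    owner=$2
    case $mode in
        -rw-------*) ;;   # a trailing "." or "+" (SELinux/ACL marker) is tolerated
        *) echo "MODE $kf is $mode, expected -rw------- (600)"; rc=1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER $kf is owned by $owner, expected $want_owner"; rc=1
    fi

    # Flag every exported directory that contains the key file.
    if [ -r "$exports" ]; then
        while read -r path rest; do
            case $path in ''|'#'*) continue ;; esac
            path=${path%/}
            case $kf in
                "$path"/*) echo "NFS $kf is under export ${path:-/}"; rc=1 ;;
            esac
        done < "$exports"
    fi
    return $rc
}
```

       On a client, run it as check_keyfile /usr/openv/netbackup/keyfile and treat
       any output as a finding.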


EXAMPLES

       Example 1

       The following command copies encryption software from a master  server  to
       NetBackup clients.

       From a Master Server

       Assume  that you want to install the encryption software on client1 and client2.
       You would enter a command like this (all on one line):

              bpinst -ENCRYPTION client1 client2

       Assume that you want to install the encryption software on all  clients  in  the
       NetBackup policies policy1 and policy2. You would enter a command like this (all
       on one line):

              bpinst -ENCRYPTION -policy_names policy1 policy2

       Example 2

       The following command installs the libraries on a NetBackup  client  named  mars
       (one line):

              bpinst -LEGACY_CRYPT -update_libraries  mars

       Example 3

       The  following  command  (all  on  one  line) installs and configures 40-bit DES
       encryption on UNIX clients in a policy named policy40:


              bpinst -LEGACY_CRYPT -crypt_option required -crypt_strength des_56 strong

       Example 5

       The  following  command  displays a verbose listing of the configuration for the
       client named strong:

              bpinst -LEGACY_CRYPT -verbose strong
              BPCD protocol version 4.5.0 on client strong
              40-bit library version is 3.1.0.40 on client strong
              56-bit library version is 3.1.0.56 on client strong
              BPCD platform is sgi5 for client strong
              Current configuration entries are:
              CRYPT_KEYFILE = /usr/openv/netbackup/keyfile
              CRYPT_LIBPATH = /usr/openv/lib
              CRYPT_OPTION = required
              CRYPT_STRENGTH = des-56
              No update of NetBackup configuration required for client strong
              No update of NetBackup pass phrase required for client strong
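
       The verbose listing can be used to audit clients for configurations that
       do not require encryption or that still use 40-bit DES. The following is
       an added example, not part of the NetBackup distribution; the function
       names are hypothetical, and it assumes that a multi-client run prints one
       such block per client in sequence. The "mars" block in the sample is
       constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `bpinst -LEGACY_CRYPT -verbose` output per client.

# Constructed sample: the "strong" lines come from the listing above; the
# "mars" lines are invented here to show a client left at weak settings.
sample_output() {
    cat <<'EOF'
BPCD protocol version 4.5.0 on client strong
Current configuration entries are:
CRYPT_KEYFILE = /usr/openv/netbackup/keyfile
CRYPT_OPTION = required
CRYPT_STRENGTH = des-56
No update of NetBackup configuration required for client strong
BPCD protocol version 4.5.0 on client mars
Current configuration entries are:
CRYPT_OPTION = allowed
CRYPT_STRENGTH = des-40
No update of NetBackup configuration required for client mars
EOF
}

# Reads verbose output on stdin and prints one summary line per client.
# Returns 1 if any client does not have CRYPT_OPTION = required, or has a
# CRYPT_STRENGTH of 40-bit DES (or no strength entry at all).
audit_bpinst_verbose() {
    awk '
        # Lines ending in "client NAME" tell us which client follows.
        / client [^ ]+$/ {
            cur = $NF
            if (!(cur in seen)) { seen[cur] = 1; order[++n] = cur }
        }
        $1 == "CRYPT_OPTION"   && $2 == "=" { opt[cur] = tolower($3) }
        $1 == "CRYPT_STRENGTH" && $2 == "=" {
            s = tolower($3); gsub(/_/, "-", s); str[cur] = s
        }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]; f = ""
                o = (c in opt) ? opt[c] : "unset"
                s = (c in str) ? str[c] : "unset"
                if (o != "required") f = f " CRYPT_OPTION-not-required"
                if (s == "des-40" || s == "unset") f = f " 40-bit-or-unset-strength"
                if (f != "") bad = 1
                printf "%s option=%s strength=%s%s\n", c, o, s, (f == "" ? " ok" : f)
            }
            exit bad + 0
        }'
}
```

       Pipe real output into it, for example bpinst -LEGACY_CRYPT -verbose
       -policy_names policy1 | audit_bpinst_verbose, and review any line that does
       not end in "ok".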


FILES

       UNIX:

             UNIX server command

              /usr/openv/netbackup/bin/bpinst

             UNIX server directory with encryption software

              /usr/openv/netbackup/crypt

             UNIX client encryption libraries for 40- and 56-bit DES

              /usr/openv/lib/libvdes*.*

             UNIX client encryption key file for 40- and 56-bit DES

              /usr/openv/netbackup/keyfile

             UNIX client encryption key file utility for 40- and 56-bit DES

              /usr/openv/netbackup/bin/bpkeyfile

             UNIX client encryption key file utility  for  128-  and  256-bit  OpenSSL
              cipher

              /usr/openv/netbackup/bin/bpkeyutil
              /usr/openv/share/ciphers.txt
              /usr/openv/share/version_crypt


COPYRIGHT

              Copyright (c) 2002-2005 VERITAS Software Corporation. All rights reserved.