May 2006
PGP® Configuration Guide
PGP® Command Line for Windows 9.0.x
CA BrightStor ARCserve Backup® for Windows 11.5, EMC² Legato NetWorker® for Windows 7.3, Symantec Backup Exec® for Windows 10d
Version 1.2
PGP Command Line 9.0.x – Backup Integration Configuration Guide
© 2006 PGP Corporation. All Rights Reserved. CL9BUINCG060503 APPROVED FOR EXTERNAL DISTRIBUTION
1
Table of Contents

Introduction ..................................................... 2
Backup Strategy .................................................. 3
Assumptions ...................................................... 4
Requirements ..................................................... 4
Space Requirements ............................................... 5
PGP Command Line Setup ........................................... 6
    Installation ................................................. 6
    Licensing .................................................... 6
    Generate a Key Pair .......................................... 7
    Key Management ............................................... 7
    Backup Caveats ............................................... 8
Command Files .................................................... 8
    Encryption Script (prebackup.cmd) ............................ 9
    Post Encryption Cleanup Script (postbackup.cmd) ............. 10
    Decryption Script (postrestore.cmd) ......................... 11
    Restore Considerations ...................................... 12
    Passphrase Protection ....................................... 12
    Advanced Features ........................................... 12
Application-Specific Instructions ............................... 13
Computer Associates (CA) BrightStor ARCserve .................... 13
    Backup & Encrypt ............................................ 13
        Select Source ........................................... 13
        Pre/Post Options ........................................ 14
        Filter .................................................. 16
        Choose a Destination .................................... 16
        Run the Job ............................................. 16
    Restore & Decrypt ........................................... 17
        Choose the Source ....................................... 17
        Pre/Post Options ........................................ 18
        Run the Job ............................................. 18
EMC² Legato NetWorker ........................................... 19
    Creating a Customized Backup Program ........................ 19
    Modifying Your default.res File ............................. 20
    Executing Your Backup in EMC Legato NetWorker Client ........ 20
    Troubleshooting the Encryption of Your Data ................. 20
    Restoring Your Encrypted Data and Decrypting Your Data Files  20
Symantec Backup Exec for Windows 10d ............................ 21
    Backup Job .................................................. 21
    Options ..................................................... 21
    Restore Job ................................................. 22
PGP Command Line Troubleshooting ................................ 23
    Antivirus Software .......................................... 23
    Isolation ................................................... 23
    Error Code 1001: Could Not Open Keyrings, File Not Found .... 23
    Error Code 3083: Could Not Create Output File ............... 23
    Error Code 2713: No License Has Been Entered ................ 24
Introduction

PGP Command Line augments existing batch processes and backup procedures with encryption, digital signing, file compression, and secure file-wiping capabilities. Using PGP Command Line, an organization can integrate information security into existing automation scripts and backup systems to ensure that confidential information is protected by strong encryption. Surprisingly, many enterprise-class backup applications do not offer the option to encrypt data. As of April 2006, some offer Data Encryption Standard (DES) encryption, which was first cracked in 1997. In July 1998, crypto pioneer Whitfield Diffie presaged:
“People will continue using DES whatever its shortcomings, convincing themselves that it is adequate for their needs. And DES, with its glaring vulnerabilities, will go on pretending to protect information for decades to come.”
Using simple command files, this guide provides a mechanism for integrating the robust encryption built into PGP Command Line with CA BrightStor ARCserve Backup, EMC Legato NetWorker, or Symantec Backup Exec. Although the guide provides specific directions for these three products, the general techniques described here can be applied to a variety of applications.
Backup Strategy

Figure 1 outlines the general steps taken to encrypt and decrypt files using PGP Command Line. PGP Command Line and the backup application are installed on the backup server. The set of files to be backed up is first moved from the file server or user PCs to the backup server. The files are then encrypted by a Windows command file called by the backup application. This command file, which is external to the backup application, specifies the files to be encrypted and the location of the PGP encrypted archive file. All of these actions occur before any data is streamed to tape; the backup job itself refers only to the newly created PGP encrypted archive. A post-backup job is run to delete certain files.
The restore job first copies the encrypted archive from tape to disk and then runs a post-restore call to PGP Command Line to decrypt the data and erase the encrypted archive from the disk.
Figure 1: Backup & Restore Process (diagram: local server, PGP Command Line, destination media)

Backup
1. Files in the selected directory are encrypted into a single archive by PGP Command Line.
2. The encrypted archive file is stored on the hard drive of the local server.
3. The encrypted archive is written to the destination media.
4. The encrypted archive is deleted on the local server.

Restore
5. The encrypted archive file is restored from media.
6. PGP Command Line decrypts the archive file and restores the original files and directories to their original location. The encrypted archive is deleted.
7. Files are restored. The log file is left for the user to confirm the actions of PGP Command Line.
Assumptions

• Users of this guide have installed and are familiar with the operation of their backup software.
• Users are familiar with the concept and creation of command files. In earlier Windows versions, these were known as “batch files”.
• The files intended for encryption already reside on the server’s hard drive.
• Combining multiple files into a single encrypted archive is preferable to creating multiple encrypted files. However, either method is possible using PGP Command Line.
• PGP Command Line will reside on the server used to perform backup operations.
• PGP Command Line can run on a variety of operating systems, but all solutions described in this guide are Windows-based.
• PGP Command Line is capable of various strengths and types of encryption. This document assumes a 4096-bit RSA key will be used.
Requirements

This configuration requires the following minimum hardware and software:
• The server used for PGP Command Line must be running either:
o Windows 2000 SP4 (or higher)
o Windows XP SP1 (or higher)
o Windows Server 2003
• A text editing program such as Windows Notepad
• One copy of PGP Command Line 9.0.x
Space Requirements

To understand how much free hard drive space is required, it is important to first understand the general tasks outlined by this guide. For this example, the original file was 1MB and its contents could only be slightly compressed:

Operation                                                     Files                                                 Total Space Used
Prepare to back up.                                           Original file                                         1MB
Compress the original file (this creates a temporary file).   Original file + compressed file                       2MB
Encrypt the compressed file.                                  Original file + compressed file + encrypted archive   3MB
Delete the temporary compressed file.                         Original file + encrypted archive                     2MB
Move the encrypted file to offline storage; delete the        Original file                                         1MB
encrypted archive.
Table 1: Space Requirements
In the worst-case scenario, consider a server with a single hard drive containing 100GB of files that are not very compressible. If you wanted to create a single encrypted archive containing all of these files, the hard drive would have to be 300GB or greater in size.
The most sensitive data is generally in documents, spreadsheets, and databases. This data is often compressible at rates up to 80%, placing the storage requirement closer to 2x instead of 3x.
If free storage space is an issue, there are a variety of ways to mitigate the storage requirements:
• If the backup media can be specified as a drive letter or directory, only the temporary space for the compressed files is required on the server.
• Compression can be disabled using the --compression flag. The temporary file will not be created.
• By default, an encryption request to PGP Command Line creates a file. To redirect the output stream to standard out, specify the output filename as a single hyphen: --output -
• PGP Command Line’s compression algorithm uses zip by default. Zip will deflate a wide variety of file types. The encrypted file will often be smaller than the original file.
• If you break the backup job into separate calls to PGP Command Line, then only a fraction of the space is required at any one time.
• If you are backing up several servers, only the backup server with PGP Command Line requires extra space.
PGP Command Line Setup

Installation

This example assumes that a user with administrative privileges will be installing PGP Command Line. PGP Command Line is distributed as a wizard-based installer. This file may be zipped. The installer will have a name such as PGPCommandLineXXX_Win32.msi, where XXX is the version number. Run this installer. If prompted, restart your machine. A restart is needed only if other PGP products are also installed on the same machine. The files used by this guide are stored in the locations shown in Table 2:

File Type                         Location
PGP Command Line License Data     C:\Documents and Settings\<user>\Application Data\PGP Corporation\PGP
PGP Command Line (PGP.EXE)        C:\Program Files\PGP Corporation\PGP Command Line\
Private & Public Keys             C:\Documents and Settings\<user>\My Documents\PGP\
Scripts defined in this guide     C:\PGP
Table 2: File locations
Licensing

Make sure your computer is connected to the Internet. If the server does not have Internet connectivity or uses a proxy server to reach the Internet, read "Ch. 3: Licensing" in the PGP Command Line User’s Guide. Open the Windows command interpreter. In the following command, the flags are the PGP Command Line arguments and the quoted values are user-specific portions that must be replaced with your own. The license command must be entered on one line, but is shown on several lines to improve readability.
C:\Documents and Settings\Bob Admin>pgp --license-authorize --license-name "Bob Admin" --license-organization "Example Corporation" --license-number "AAAAA-BBBBB-#CCCC-#DDDD-#EEEE-FFF" --license-email "[email protected]"
You must use the specific credentials associated with your license. If you must reinstall PGP Command Line, the name and organization fields must match or the license will not reactivate. The --license-email flag enables future license recovery.
Generate a Key Pair

PGP Command Line uses a public key for encryption and a private key for decryption. Before you can encrypt a file, you must have a public key. If you wish to import an existing key, review the PGP Command Line User’s Guide. In this example a 4096-bit RSA key is used, but a key of that size is not required. The strength of your key is also closely related to the quality and length of your passphrase. If your passphrase includes spaces, enclose it in quotation marks. Generate the key pair using the following command:
C:\Documents and Settings\Bob Admin>pgp --gen-key "Bob Admin <[email protected]>" --key-type rsa --encryption-bits 4096 --passphrase password --home-dir "C:\Documents and Settings\Bob Admin\Application Data\PGP Corporation\PGP"
Text similar to the following will appear if the previous command is processed correctly:
Windows User <[email protected]>:generate key
Acquiring entropy from system state....done
Generating key Windows User <[email protected]>
progress.....******* ..........******* done
0xC073C9B0:generate key (0:key successfully generated)
Acquiring entropy from system state....done
Generating subkey
progress..............................................******* .....................******* done
0xD15C66FF:generate key (0:subkey successfully generated)
Key Management

Keep a copy of your public (pubring.pkr) and private (secring.skr) keyrings in a separate location. Without the private key and the private key passphrase, the encrypted files cannot be decrypted. Keys may also be removed entirely from the server, placed on removable media such as a USB drive, and installed only when needed.
Control of encrypted data can be divided in many ways. One common technique is to “split” a key so that, for example, two out of five administrators are required to decrypt a file. Other control techniques are available. A chosen user’s key can also be designated as the “Additional Decryption Key” (ADK). This key may be added to every administrator’s key and permits the holder of the ADK to decrypt a file encrypted by an administrator. These techniques are described in detail in the PGP Command Line User’s Guide.
Backup Caveats

Currently, PGP Command Line does not support wildcard UNC-based operations at the root level of a share. Assume that a share called \\big\users contains several user subdirectories. Although all files and directories under \\big\users\frank\*.* can be operated upon, specifying \\big\users\*.* will generate a PGP Command Line error. Until this issue is resolved, a new share should be created for the parent directory. If workaround$ points to the root of \\big, then \\big\workaround$\users\*.* can be specified as the target.
Command Files

As expected, PGP Command Line can only be run from a command interpreter window or a .cmd “command file”. ARCserve, Backup Exec, and NetWorker all permit command files to be run in conjunction with the backup and restore process, to varying degrees. Three Windows command files with calls to PGP Command Line will be created to integrate with these applications, as shown in Table 3:

Command File       Purpose
prebackup.cmd      Encrypt file(s). Create a single encrypted archive with a unique extension.
postbackup.cmd     Delete the encrypted archive and (optionally) delete the log file.
postrestore.cmd    Decrypt the restored file. After decryption, delete the encrypted archive and all temporary files used during decryption.
Table 3: Command Files

Because some backup software packages run under unique usernames, these scripts explicitly list the location of the PGP Command Line license and keyring.
All command files are created in the C:\pgp directory to simplify the examples.
Encryption Script (prebackup.cmd)

In this example, all the files in “My Documents” are encrypted into a single, uniquely named archive called “archive._pgp”. Note the underscore in the extension. The files are encrypted to Bob’s public key, so Bob is the recipient; Bob’s passphrase is not required to encrypt the files. Create a new Notepad file with the following text and save it as prebackup.cmd. The command must be entered on a single line; it is shown on several lines here only for readability. Every path that contains spaces, including the keyring path, must be enclosed in double quotes:

pgp --home-dir "C:\Documents and Settings\Bob Admin\Application Data\PGP Corporation\PGP"
    --encrypt "C:\Documents and Settings\Bob Admin\My Documents\*.*"
    --recipient Bob
    --output "C:\Documents and Settings\Bob Admin\My Documents\archive._pgp"
    --archive
    --status-file "c:\pgp\encrypt-log.txt"
    --overwrite remove
    --public-keyring "C:\Documents and Settings\Bob Admin\My Documents\PGP\pubring.pkr"
Flag                 Specifies
--home-dir           Optional. Specifies the path to the PGP Command Line license. Without this flag, backup applications that run under a unique username will generate a “license not found” error. In the above example, PGP Command Line was licensed by Bob Admin.
--encrypt            The directory, file, or UNC path (such as \\joe\data\file.txt) to be encrypted. In the above example, all files and directories in the "My Documents" folder are specified. If this flag is not used, PGP Command Line will assume the target files are in the current directory.
--recipient          Which public key to encrypt to. In this example, Bob’s key is used. PGP Command Line looks on the keyring and retrieves the key associated with this name. Only enough characters to uniquely identify the key are required.
--output             Optional. Used in conjunction with --archive. Specifies the name of the output file and places it in the directory indicated by the specified path. In this example, a single output file is created for any number of input files and directories. This flag also permits unique filenames to be constructed. If this flag is not specified, the extension .pgp is appended to the original filename(s).
--archive            Optional. Permits the aggregation of multiple files or an entire directory into a single encrypted archive. If not used, .pgp is appended to each filename.
--status-file        Logs the results of the operation to a log file. This is a very important tool for troubleshooting. If the command completes correctly, it returns "0" and the log file includes the text (0:output file archive._pgp).
--overwrite remove   Optional. If the encrypted archive filename conflicts with an existing file, overwrite the old file with the newly created archive.
--public-keyring     Optional. Specifies the location of the public keyring. Not specifying this location will cause encryption to fail if the backup application runs under a unique username.
Table 4: Encryption Arguments
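As an added example (not from the guide), the following prebackup.cmd fails closed: it runs the same encryption command as above, then returns a non-zero exit code unless pgp returned 0, the status file contains the "(0:output file" success line described in Table 4, and the archive is actually on disk. Because the backup job is configured to run only "On Exit Code 0", a failed or partial encryption can then never lead to a backup of a stale or missing archive. Paths are the guide's example paths.

```batch
@echo off
setlocal
rem prebackup.cmd, fail-closed version (added example, not part of the guide).
rem The backup job runs only "On Exit Code 0", so every failure path below
rem returns a non-zero code and the job never streams a stale or missing
rem archive to tape.

set "PGPHOME=C:\Documents and Settings\Bob Admin\Application Data\PGP Corporation\PGP"
set "PUBRING=C:\Documents and Settings\Bob Admin\My Documents\PGP\pubring.pkr"
set "SOURCE=C:\Documents and Settings\Bob Admin\My Documents\*.*"
set "ARCHIVE=C:\Documents and Settings\Bob Admin\My Documents\archive._pgp"
set "LOG=C:\pgp\encrypt-log.txt"

rem Start from an empty status file so a success line left by a previous run
rem cannot satisfy the check below.
if exist "%LOG%" del "%LOG%"

pgp --home-dir "%PGPHOME%" --public-keyring "%PUBRING%" --encrypt "%SOURCE%" --recipient Bob --archive --output "%ARCHIVE%" --status-file "%LOG%" --overwrite remove
set RC=%ERRORLEVEL%

rem 1. pgp itself must report success.
if not "%RC%"=="0" (
    echo prebackup: pgp exited with code %RC%, backup job will not run >> "%LOG%"
    exit /b %RC%
)

rem 2. The status file must contain the success line documented in Table 4.
findstr /c:"(0:output file" "%LOG%" >nul
if errorlevel 1 (
    echo prebackup: status file does not report an output file >> "%LOG%"
    exit /b 1
)

rem 3. The archive the backup job filters on must actually exist.
if not exist "%ARCHIVE%" (
    echo prebackup: archive is missing >> "%LOG%"
    exit /b 1
)

echo prebackup: archive ready for backup >> "%LOG%"
exit /b 0
```

The exit code of the command file is what the backup application compares against its "On Exit Code" setting, so each failure branch uses a distinct non-zero value that also appears in the status file for troubleshooting.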
Post Encryption Cleanup Script (postbackup.cmd)

The prebackup.cmd file creates an encrypted archive file and a log file. The backup application then streams the encrypted archive file to tape. Both the archive and the log file can be deleted once the backup is complete, although it may be preferable to retain the encryption log. Create a second command file called postbackup.cmd with two simple commands:

pgp --wipe "C:\Documents and Settings\Bob Admin\My Documents\*._pgp"
pgp --wipe "C:\pgp\encrypt-log.txt"

The encrypted archive name ends with “._pgp” because it is a unique extension. Assume that Alice had sent Bob an encrypted file called stuff.pgp. If Bob backed up all files from his “My Documents” folder, deleting only files with the “._pgp” extension ensures that Alice’s original file is not deleted.
Decryption Script (postrestore.cmd)

For decryption, create a new command file called postrestore.cmd. As with prebackup.cmd, the command must be entered on a single line; it is shown on several lines here only for readability:

pgp --home-dir "C:\Documents and Settings\Bob Admin\Application Data\PGP Corporation\PGP"
    --decrypt "C:\Documents and Settings\Bob Admin\My Documents\*._pgp"
    --private-keyring "C:\Documents and Settings\Bob Admin\My Documents\PGP\secring.skr"
    --passphrase password
    --overwrite remove
    --archive
    --status-file "c:\pgp\pgplog.txt"
    --temp-cleanup remove
    --input-cleanup remove
    --output "C:\Documents and Settings\Bob Admin\My Documents"

Flag                    Specifies
--home-dir              Optional. The path to the PGP Command Line license. Without this flag, backup applications that run under a unique username will generate a “license not found” error. In the above example, PGP Command Line was licensed by Bob Admin.
--decrypt               Specifies the files or directory of files to be decrypted.
--private-keyring       Optional. Specifies the path to the private keyring file. If not specified, the private key will not be found if the backup application runs under a unique username.
--passphrase            The private key passphrase you specified when the private key was created. See the next section for further information on passphrase protection.
--overwrite remove      Optional. If the decrypted filename conflicts with an existing name, overwrite the old file with the newly decrypted file.
--archive               Necessary to restore the files from an archive. PGP Command Line will create a decrypted ".tar" file if this flag is absent.
--status-file           Optional. This flag logs the results of the operation to a log file. This is a very important tool for troubleshooting. If the command completes correctly, it returns "0" and the log file includes the text (0:output file <filename>.txt).
--temp-cleanup remove   Optional. Removes temporary files created during decryption. Important when large amounts of data are involved.
--input-cleanup remove  Optional. Removes the encrypted file(s) when the decryption is complete.
--output                Optional. Determines where the decrypted files will be placed. In this example, the files are placed back into the “My Documents” directory. If not specified, the files will be placed into whatever directory PGP Command Line happens to be executed from.
Table 5: Decryption Arguments
Restore Considerations
• PGP Command Line does not restore the original read/write permissions associated with the file. After the files have been restored, verify that all files and folders have the correct Windows permissions and Access Control Lists (ACLs).
• PGP Desktop permits the extraction of specific files from the archive.
Passphrase Protection

The postrestore.cmd file contains the passphrase associated with the private key that created the encrypted archive. This setup represents a security risk. Read permission on the postrestore.cmd file should be tightly controlled so that the file is not readable by other users. The script can be stored externally or associated with a special-purpose user who exists only to run this script.
The PGP Command Line User’s Guide offers several novel techniques to manage passphrases. Using these techniques, the decryption script can be stored without the passphrase. Using --passphrase-cache (see page 44), the passphrase is entered by the administrator before the decryption script is run. Rather than decrypting a file to cache the passphrase, sign a randomly selected file using pgp --sign <filename> --passphrase-cache --passphrase password
The passphrase can also be stored as an environment variable (see page 48) or using file descriptors (see page 41).
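As an added example (not from the guide), the following postrestore.cmd carries no passphrase at all. It assumes, following the guide's pointer to the environment-variable technique on page 48, that PGP Command Line reads the private-key passphrase from the PGP_PASSPHRASE environment variable when --passphrase is omitted; the administrator sets that variable in the environment of the process that launches the restore, so reading the script file discloses nothing. Paths are the guide's example paths.

```batch
@echo off
setlocal
rem postrestore.cmd without an embedded passphrase (added example, not part of the guide).
rem Assumption: pgp takes the passphrase from the PGP_PASSPHRASE environment
rem variable when --passphrase is not given (User's Guide, page 48 per this guide).
rem The variable must be set in the environment of the process that launches the
rem restore job; it is never written to this file or to the status file.

set "PGPHOME=C:\Documents and Settings\Bob Admin\Application Data\PGP Corporation\PGP"
set "SECRING=C:\Documents and Settings\Bob Admin\My Documents\PGP\secring.skr"
set "RESTORED=C:\Documents and Settings\Bob Admin\My Documents\*._pgp"
set "OUTDIR=C:\Documents and Settings\Bob Admin\My Documents"
set "LOG=C:\pgp\pgplog.txt"

if exist "%LOG%" del "%LOG%"

rem Fail closed: without a passphrase an unattended pgp run would prompt or
rem fail, so refuse up front and leave the archive encrypted on disk.
if not defined PGP_PASSPHRASE (
    echo postrestore: PGP_PASSPHRASE is not set, archive left encrypted >> "%LOG%"
    exit /b 2
)

pgp --home-dir "%PGPHOME%" --private-keyring "%SECRING%" --decrypt "%RESTORED%" --archive --output "%OUTDIR%" --overwrite remove --temp-cleanup remove --input-cleanup remove --status-file "%LOG%"
set RC=%ERRORLEVEL%

rem Drop the passphrase from this script's environment as soon as pgp returns.
set "PGP_PASSPHRASE="

if not "%RC%"=="0" (
    echo postrestore: pgp exited with code %RC%, check the keyring path and passphrase >> "%LOG%"
    exit /b %RC%
)

rem The guide's restore caveat: pgp does not restore the original ACLs.
echo postrestore: decryption complete, verify NTFS permissions on the restored files >> "%LOG%"
exit /b 0
```

When pgp fails, --input-cleanup remove has not run, so the restored "._pgp" archive stays on disk and the restore can be repeated once the cause recorded in the status file is fixed.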
Advanced Features

The PGP Command Line User’s Guide documents more than 200 flags. Some features may be of interest for backup administration:
• If files were copied to the backup server for the purpose of encryption and tape backup, it may be desirable to securely delete the unencrypted copies on the backup server using --wipe <filename>. This command overwrites the original file three times and ensures the file cannot be recovered. (See page 142 for details.)
• The encrypted file could be sent to another party. If the intended recipient does not have a key, you can create a Self-Decrypting Archive (SDA) file using --sda. (See page 153 for details.)
• If the intended recipient has a key that resides on a known key server, you can retrieve it (see page 56) and import it to your keyring (see page 57).
• Many defaults can be changed by modifying PGPprefs.xml (see pages 43–47).
Application-Specific Instructions

The remaining chapters of this guide are dedicated to specific products. The final chapter is a troubleshooting guide. If your backup product is not covered by this guide, use the following CA ARCserve instructions as a guideline.

Computer Associates (CA) BrightStor ARCserve

CA BrightStor ARCserve is an enterprise-class backup server application. ARCserve can be run from the GUI or through the command line. In this document, it is run strictly from the GUI. It is assumed the user has installed the ARCserve software and completed the "My First Backup" tutorial. This section covers backup and recovery incorporating the three scripts described earlier in this guide.
Backup & Encrypt
Select Source
To begin, go to the ARCserve home page (see Figure 2). In the navigation bar (the left-hand pane in the window), select "Quick Start", and then click on "Backup". The right window pane becomes the Backup Browser. The bar above this pane is the browser bar (see Figure 3 on page 14).
Figure 2: ARCserve Home Page
The source contains the directory/file(s) to be backed up. Click on the source tab in the Backup Browser and select your source from the tree (as shown in Figure 3 on page 14). In this case, the server with the backup files is under "Windows NT/2000/XP/2003". From here, the "My Documents" folder has been selected from the local server by clicking on the green box next to the labeled folder. The box becomes solid green when it and all subdirectories are selected.
The source should specify the folder that will contain the "archive._pgp" file. Once the filter is applied, only "*._pgp" files will be included in the backup job. Using this technique, several sets of archives with unique names, but all ending with “._pgp” can be backed up at the same time.
Figure 3: ARCserve Backup Browser
Pre/Post Options
ARCserve permits commands to be run before and after a backup job. In this case, we will encrypt all the files in the "My Documents" directory using the script prebackup.cmd. This option does not support commands whose executables reside on remote systems. From the browser bar, click on "Options."
Figure 4: ARCserve Backup Options
In the Global Options window shown in Figure 4, select the "Pre/Post" tab. In the "Run Command Before Job" text box, enter the path to the command file to be executed before the backup job begins. Select the radio button "On Exit Code" and type the number "0" in the box next to it. This way, ARCserve Backup runs the job only when it detects the successful exit code of the command file. Select "Run Job Immediately" by placing a check next to it.
"Run Command After Job" is used to clean up after backup. In the "Run Command After Job" text box, enter the path to the file. It may be useful to check the radio button for "Do Not Run Command If Job Fails". Using this option, the encrypted file does not need to be recreated if a media failure causes the backup to fail.
Filter
Next, select the "Filter" icon next to the "Options" icon in the browser bar. On the top of the "Filter" window, select "Include" and "File Pattern". In the last box, enter "*._pgp" and then press the "Add" button. Only files with the "._pgp" extension will be included in the backup.
Figure 5: ARCserve Backup Filter
Choose a Destination
Now, you only need to choose your destination and you are ready to back up using PGP Command Line encryption. Select the "Destination" tab located next to the "Source" tab in the ARCserve Backup Browser (see Figure 3 on page 14). From the group tree, select the group with the desired destination media.
Run the Job
Press "Start" in the browser bar to run the backup job (as shown in Figure 3). Prior to pressing “OK” in the “Submit Job” window (as shown in Figure 6), you can save the job to a script by pressing the “Save Job” button. This action will save the Destination, Source, and Options for this job in a script for later use; otherwise, this information is lost when the power cycles on the server.
Figure 6: ARCserve Backup Submit Job
Restore & Decrypt
Restore and Decrypt is similar to Backup and Encrypt except in the following three ways:
1. No precommand, only a postcommand (postrestore) is needed.
2. No Filter is specified.
3. It is not necessary to choose a destination. The default destination is the original location of the file.
To begin, go to the ARCserve home page (as shown in Figure 2 on page 13). In the navigation bar (the lefthand pane in the window), select "Quick Start", and then click on "Restore". The right window pane becomes the Restore Browser. The bar above this image is the browser bar (see Figure 7).
Figure 7: ARCserve Restore Browser
Choose the Source
The source contains the directory/file(s) to be restored. Click on the “Source” tab in the Restore Browser. In the dropdown menu under the Source heading, select “Restore by Session” and select your source based on the most recent session (as shown in Figure 7). In this case, the media with the restore files we want are under "Session 00005". From here, the "My Documents" folder has been selected from media ID:5D6F by clicking on the green box next to the session number and directory path. The box becomes solid green when it and all subdirectories are selected. The session contains all directories and a single archive file.
Pre/Post Options
Specify the name of the script that will decrypt the restored files after the backup has been retrieved, as shown in Figure 8.
Figure 8: ARCserve Restore Options
Run the Job
Press the "Start" button in the browser bar to run the restore job. ARCserve will restore the archived files to their original location. PGP Command Line will then decrypt the archive file and place each file in its original location. In addition, there will be a "log.txt" file with the decryption status plus some "desktop.ini" files with path information for each directory. You can delete both of these files, if desired.
EMC² Legato NetWorker
EMC Legato NetWorker 7.3 should be installed on a Windows 2000 or Windows 2003 server. By modifying your default.res (default backup group), you will configure an EMC Legato NetWorker client to execute your pre and postbackup batch files.
You can customize a client’s scheduled backups in either of two ways. We will use the savepnpc option by creating a script that invokes the Save program as part of its instructions. When the client is backed up, the customized program is invoked instead of the standard save program. See "Using the Save Command with a Customized Backup Program" on page 82 of your EMC Legato NetWorker 7.3 Administrator’s Guide.
Enter “savepnpc” in the backup command attribute of the client resource. The first time the client is backed up, savepnpc creates a default backup program file, which you can then customize for future backups of the client. See "Using the savepnpc Command with a Customized Backup Program" on page 88 of the EMC Legato NetWorker 7.3 Administrator’s Guide.
Creating a Customized Backup Program
As an alternative to using the Save program with a custom script, use the savepnpc program. The savepnpc program differs from a custom script with the Save program in that preprocessing and postprocessing commands execute only once during the client backup, instead of once for each Save set. This setup can be useful if the client is running a database or other program that should be stopped before the client is backed up, and then restarted after the backup has completed. The options for the savepnpc command are identical to those for the Save command. For more information about the savepnpc command, refer to the EMC Legato NetWorker 7.3 Administrator’s Guide.
To execute the savepnpc program:
1. From the Administration window, click “Configuration”.
2. In the expanded left pane, select “Clients”.
3. Create a new Client resource or select an existing Client for editing.
4. Select the “Apps & Modules” tab.
5. In the “Backup Command” attribute, enter savepnpc.
6. Back up the client.
The first time a backup group with a client that uses savepnpc runs, a standardized <groupname>.res file is created.
The <groupname>.res file is written to the <NetWorker_install_path>\nsr\res directory on the client, and its groupname is the name of the Group resource selected for that client. If the client belongs to multiple backup groups, a separate <groupname>.res file is created for each group to which the client belongs. The initial <groupname>.res file contains a default backup type, preprocessing, postprocessing, timeout, and abort precmd attributes. The abort precmd attribute only applies to UNIX. We will also disregard the timeout attribute, which is commented out by placing a "#" symbol in front of the command.
Modifying Your default.res File
In this example, a C:\pgp directory is used to store all command files. Modify the default.res file located in the following directory: <NetWorker_install_path>\nsr\res. This modification will execute your prebackup.cmd batch file prior to your backup and create a prebackup.log for troubleshooting in your c:\pgp directory. This modification will execute your postbackup.cmd command file after your backup and create a log file for troubleshooting.
type: savepnpc;
precmd: "c:\\pgp\\prebackup.cmd > c:\\pgp\\prebackup.log 2>&1";
pstcmd: "c:\\pgp\\postbackup.cmd > c:\\pgp\\postbackup.log 2>&1";
#timeout: "12:00:00";
abort precmd with group: No;
Executing Your Backup in EMC Legato NetWorker client
Your EMC Legato NetWorker client is now configured to encrypt your data.
Run a backup from your NetWorker client Interface. The backup will automatically use your default.res configuration to encrypt your data files prior to backup, delete your unencrypted data files, and then delete your encrypted files after backup.
Troubleshooting the Encryption of Your Data
If after your backup execution, your data directory still has your unencrypted data files, refer to the log files specified in the command file to determine if an error occurred during the encryption or in your command file. You can also refer to the defaultres.log file to determine if there was an error executing the pre and postcommand files. The defaultres.log is located in <NetWorker_install_path>\nsr\logs.
Restoring Your Encrypted Data and Decrypting Your Data Files
Run a restore from your NetWorker client interface. The EMC Legato NetWorker client does not have a feature to automatically run postrestore command batch files. You will have to run the postrestore.cmd file manually to decrypt your restored data. This batch file will also delete your encrypted ._pgp files after the decryption.
Symantec Backup Exec for Windows 10d
Backup Exec should already be installed on a Windows server. The backup and restore jobs defined inside of Backup Exec will only refer to encrypted PGP files. Properties for the backup job and the restore job will be modified.
By default, Backup Exec runs under a unique username, NTBackupAdmin. Because PGP Command Line was installed by a different user, it is critical that the location of the license, keyring, and other files are explicitly defined, as described in the “Command Files” section of this guide, beginning on page 8.
Backup Job
From the "Backup Properties" of the job, select "Pre/Post Commands", as shown in Figure 9:
Figure 9: Define Backup Properties
Options
If PGP Command Line fails for any reason, it will return a nonzero error code. This error code can be detected by Backup Exec. For example, the second checkbox would ensure that if prebackup.cmd failed to find the target files, Backup Exec would not attempt to stream anything to tape. Similarly, the third checkbox ensures that the postbackup.cmd will not delete the encrypted archive if the tape was not placed into the backup server's tape drive.
Note the last pair of radio buttons (“Run these commands”) shown on Figure 9. These commands must be run on this media server and would fail on other servers that do not have PGP Command Line installed.
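The exit-code gating that the ARCserve "On Exit Code 0" setting, the NetWorker precmd/pstcmd attributes and the Backup Exec pre-command checkbox all rely on is only as good as the command file behind it. The following prebackup.cmd is an added example written for this guide; it is not the command file from the guide's "Command Files" section and not PGP Corporation's code. It assumes the paths, the recipient user ID (backup@example.com) and the C:\pgp\stage staging folder shown in it, that --encrypt, --archive, --recipient and --output are valid PGP Command Line options (--home-dir and --status-file are the ones this guide shows), and that the documented error codes (1001, 2713, 3083) are returned as the process exit status. The plaintext is deleted only after PGP Command Line exits 0, so a failed encryption leaves the data in place and the backup job is skipped; the archive is written to a separate staging folder, which is the folder the backup source and the "*._pgp" filter should point at.

```batch
@echo off
REM prebackup.cmd -- added example, not the guide's own command file.
REM Encrypts the data directory into one archive and removes the plaintext
REM only when PGP Command Line exits with code 0. Any other exit code is
REM passed back to the backup product so the job is not run.
setlocal

REM Assumed locations and key (placeholders): adjust to your installation.
set "PGPHOME=C:\Documents and Settings\Bob Admin\Application Data\PGP Corporation\PGP"
set "DATADIR=C:\Documents and Settings\Bob Admin\My Documents"
set "STAGEDIR=C:\pgp\stage"
set "ARCHIVE=%STAGEDIR%\archive._pgp"
set "STATUS=C:\pgp\prebackup.status"
set "RECIPIENT=backup@example.com"

if not exist "%STAGEDIR%" mkdir "%STAGEDIR%"

REM An archive left over from an earlier failed run would make this run fail
REM with error 3083 (output file exists); remove it explicitly rather than
REM relying on --overwrite remove, so the failure mode stays visible.
if exist "%ARCHIVE%" del /q "%ARCHIVE%"

REM --encrypt, --archive, --recipient and --output are assumed options;
REM --home-dir points at the keyrings and license, --status-file logs progress.
pgp --encrypt --archive "%DATADIR%" --recipient "%RECIPIENT%" --output "%ARCHIVE%" --home-dir "%PGPHOME%" --status-file "%STATUS%"
if errorlevel 1 goto :failed

REM Success: the staging folder now holds the only copy the backup job will
REM see. Delete the plaintext (all files below DATADIR). Note that del does not
REM wipe disk blocks; the original data is still recoverable forensically.
del /q /s "%DATADIR%\*"
echo prebackup: archive created, plaintext removed >> "%STATUS%"
exit /b 0

:failed
REM goto does not change ERRORLEVEL, so the PGP exit code is still available.
set "RC=%ERRORLEVEL%"
echo prebackup: PGP Command Line exited with %RC%; plaintext left intact >> "%STATUS%"
if "%RC%"=="1001" echo prebackup: could not open keyrings - check --home-dir >> "%STATUS%"
if "%RC%"=="2713" echo prebackup: no license has been entered - check --home-dir and the license >> "%STATUS%"
if "%RC%"=="3083" echo prebackup: could not create output file - stale archive present >> "%STATUS%"
exit /b %RC%
```

The postbackup.cmd and postrestore.cmd files follow the same shape: run the PGP Command Line step first, test errorlevel, and only delete the encrypted archive (after backup) or the ._pgp files (after decryption) on exit code 0. When the job is run under a service account such as Backup Exec's NTBackupAdmin, the --home-dir value is what makes the keyrings and license visible, so a 1001 or 2713 in the status file usually means that path is wrong for that account.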
Restore Job
From the "Properties" of the job, select "Pre/Post Commands", as shown in Figure 10. Note that no precommand is required. The encrypted archive will be restored to its original location. The postrestore.cmd file will decrypt the archive, restore the original file, and delete the encrypted archive.
Figure 10: Define Restore Properties
PGP Command Line Troubleshooting
Antivirus Software
Some antivirus software (such as Norton AntiVirus 2004) has script blocking components that can prevent PGP Command Line scripts from running. Script blocking must be disabled for PGP Command Line scripts to operate.
Isolation
Ensure you have tried the following:
• The --status-file option creates a log file. Check the log file for error messages.
• From a command interpreter window, run the command manually. Use --verbose instead of --status-file to watch PGP Command Line’s progress.
• Perhaps someone else has had the same problem; check for a discussion of similar issues in the PGP Support Forums: http://forums.pgpsupport.com
• Search the PGP Command Line User’s Guide provided with PGP Command Line.
• Depending on your license, you may be eligible for PGP Support.
Error Code 1001: could not open keyrings, file not found
Encryption and decryption will fail if your key cannot be found. To see the contents of the default keyrings, use pgp --list-keys.
By default, the --gen-key command places keys in the "\My Documents\PGP" folder of the user who created the key. The two keyring files are named pubring.pkr and secring.skr. The command files should explicitly list the location of these files to ensure they will be found when the scripts run as a different user.
To check the keys for a specific user, enter the following:
pgp --list-keys --home-dir "C:\Documents and Settings\Bob Admin\Application Data\PGP Corporation\PGP"
Error Code 3083: could not create output file
This error most commonly occurs when the file you are attempting to create already exists. Delete the target file or use the --overwrite remove flag.
Error Code 2713: no license has been entered
PGP Command Line will fail if the license cannot be found or has expired. Check the status of your license using pgp --version --verbose | more
If you have already licensed PGP Command Line successfully, it is likely that you need to point the commands in your scripts to the right location. Point the home directory to the default location for the license by adding the command flag:
--home-dir "C:\Documents and Settings\Bob Admin\Application Data\PGP Corporation\PGP"
The foregoing directs PGP Command Line to a specific location for the license information.
PGP Corporation
3460 West Bayshore Road
Palo Alto, CA 94303 USA
Tel: +1 650 319 9000
Fax: +1 650 319 9001
Sales: +1 877 228 9747
Support: support.pgp.com
www.pgp.com
© 2006 PGP Corporation
All rights reserved. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form by any means without the prior written approval of PGP Corporation.
The information described in this document may be protected by one or more U.S. patents, foreign patents, or pending applications.
PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners.
The information in this document is provided “as is” without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or noninfringement.
This document could include technical inaccuracies or typographical errors.
Changes to this document may be made at any time without notice.