HOW TO: Configure the Backup Location and schedule for Encryption Management Server

Article ID: 180249

Products

Encryption Management Server, Gateway Email Encryption

Issue/Introduction

Symantec Encryption Management Server (SEMS) can back up all of its data so that, in the event of a hardware or system failure, the backup can be restored and the server returned to the state it was in before the failure.

This article will cover the basics of backing up the server.

Resolution

This article provides instructions on how to configure the backup location for Encryption Management Server (also known as PGP Universal Server).

TIP: When a backup is taken, you need roughly 5 times the size of your database in free space.  For new environments, the database will be very small, but it can grow over time.  If your database is 1 GB, then to make a backup, make sure you have at least 5 GB of free space on the system.  This is a very simple example, and servers should have well beyond 5 GB of free space; it only illustrates how much free space should be available.  If in doubt, contact Symantec Encryption Support for further assistance.

 

Configuring the Backup Schedule

SEMS backups are configured by navigating to System\Backups within the SEMS UI.  To configure the Backup Schedule, click the "Backup Schedule..." button and the following window will appear:

This is a fairly straightforward window where you can configure the days and time of day to perform backups.  Staggering your backup schedule may be beneficial for clustered environments so that the cluster members are not all backing up at the same time.  For example, one server could back up every day at 7PM, another at 8PM and another at 9PM.  The right schedule depends on what times work best for your environment.  Configure the appropriate settings and click Save.

Caution: If you have any custom scheduled tasks configured in crontab, changing any of these values can reset your crontab to the default values. See the following article for more information on this:

214963 - Symantec Encryption Management Server modifications can cause crontab entries to be reset to default values

 

Configuring the Backup Location

By default, backups are saved to the local disk on Encryption Management Server (not recommended for long-term operation).

Symantec Enterprise Division highly recommends saving backup files to another location off the server, using either FTP or SCP.

When the backup job is performed, backup files are then automatically sent to that location via FTP or SCP. If you change your backup location, you cannot restore from backups stored on the old location, even though the backup files still appear listed on the System Backups page.

Note: If your remote host is temporarily unavailable, the backup file is stored on the Symantec Encryption Management Server until the host becomes available. Make sure that you get the backup file from the host in binary format, not ASCII.

As mentioned above, even if you are saving backups to FTP or SCP, you need free space of at least 5 times the size of the database, because all backups are created locally, archived, then encrypted, and then delivered to the remote location for final storage.

The following is a screenshot of the Backup Location page for SEMS 10.5 and above:

You will notice all the expected values, but notice the compression options.  In SEMS 10.5, you can configure whether you want backups to be larger, or smaller.  The larger the backups, the faster the backups will complete, but the more storage these will take (requiring about 5 times the size of your database at minimum).

The slower the backups, the more compressed they can be.  It's a good idea to test which is preferred and best for your environment.

 

To configure the backup location

  1. Log into the Encryption Management Server administrative interface.
  2. On the System > System Backups screen, click Backup Location. The Backup Location dialog box appears.
  3. To keep backups on the server, choose Save backups on this Symantec Encryption Management Server. To have backups saved to a remote location, select Save backups to a remote location.
  4. Select FTP, SCP Password Authentication, or SCP Keypair Authentication.

    Caution: You cannot use FTP to back up large amounts of data as the backup will fail. If you have 3 GB or more data to back up, do not use FTP.
     
  5. Type the backup location hostname in the Hostname field.
  6. Type the port number in the Port field. The default FTP port is 21. The default SCP port is 22.
  7. Specify a Directory to which to save the backup. The default backup directory is the FTP or SCP home directory for the username you choose.  Example: /backups/pgp/  (You can verify this with WinSCP)
  8. Type a valid login name for the location you are saving the backup to in the Username field.
  9. Type a valid passphrase for the login name you specified in the Passphrase field.
  10. If you chose SCP Keypair Authentication, import an SSHv2 Key by clicking the Add icon. The Update SSH Key dialog box appears.

    1. If you do not have an SSH keypair, choose Generate and Import New Key. Select the appropriate key size and type.
    2. If you already have an SSH keypair, choose Import Key File, import your keypair, and type a passphrase.
    3. Click Import. The Update SSH Key dialog box disappears and the keypair appears in the Backup Location dialog box.
       
  11. Type a name for your backup files in the Backup Name field.
  12. Specify if you want to Encrypt backups to the Organization Key.

    Note: Backing up data is much faster if you do not encrypt and compress the backup file, but your backup files will be less secure and require more disk space.
     
  13. Specify if you want to Enable file compression. Backup files are saved in binary format normally, which is compressed, but you can choose this option to compress the file further.
  14. Specify how many backups you want to save at a time. Once you have saved that number of backups, the newest backup overwrites the oldest backup file.
  15. Click Save. The Backup Location dialog box disappears.

You can download your SSH keypair and place the public part of the key onto another server to use to validate logins on that server.

 

Troubleshooting:

* If SEMS is not delivering the backup to the expected location, use WinSCP with the same credentials to see whether you can browse to the expected location.

* Linux is recommended for remote SCP backup, as some third-party SCP solutions for Windows may not work as expected.

* Some third-party SCP solutions for Windows may fail if the backup size exceeds 2 GB.

* Some third-party Windows solutions may not remove old backups even if the option "Keep at most 5 scheduled backups" is set as expected.  Always ensure delete permissions are available for the user making the backups.
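
The following is an added example, not part of the original article or of any Symantec tooling: a shell sketch for a Linux SCP backup host that installs the public part of the SEMS SSH keypair for the backup account and checks that the account can both create and delete files in the backup directory. The function names, the account name and the key file name are hypothetical, and it assumes the host runs OpenSSH 7.2 or later and that the key was exported in OpenSSH one-line format.

```shell
#!/bin/sh
# Added example: prepare a Linux SCP host to receive SEMS backups.
# Function names and paths are hypothetical. Run as the backup account.

# Add the SEMS public key to <home>/.ssh/authorized_keys with the
# permissions sshd's StrictModes requires. Re-running adds nothing new.
install_backup_key() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"
    # Assumption: the key was exported in OpenSSH one-line format.
    pat='^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$'

    # Require exactly one well-formed public key line in the file.
    [ "$(grep -cE "$pat" "$pubkey_file" 2>/dev/null)" = 1 ] || return 1
    key=$(grep -E "$pat" "$pubkey_file")

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # "restrict" (OpenSSH 7.2+) turns off forwarding and PTY allocation
    # for this key; scp transfers still work.
    entry="restrict $key"
    grep -qxF "$entry" "$auth" || printf '%s\n' "$entry" >> "$auth"
}

# Confirm the account can create AND delete files in the backup
# directory; removing old backups depends on delete rights.
# Returns 0 ok, 1 missing directory, 2 cannot create, 3 cannot delete.
check_backup_dir() {
    dir=$1
    probe="$dir/.sems-write-test.$$"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    touch "$probe" 2>/dev/null || { echo "cannot create in $dir" >&2; return 2; }
    rm "$probe" 2>/dev/null || { echo "cannot delete in $dir" >&2; return 3; }
}

# Example invocation (hypothetical account "semsbackup"):
#   install_backup_key /home/semsbackup ./sems_backup.pub &&
#   check_backup_dir /backups/pgp/
```
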

