Encryption Management Server cannot restore from backup

Article ID: 184839

Products

Encryption Management Server, Gateway Email Encryption

Issue/Introduction

When trying to restore Encryption Management Server from a backup, the restore fails with an out of memory error.

The backup log contains an error similar to this:

Failed to decrypt backup archive "keys.example.com-backup-01-07-20-03-21-45.tar.gz.pgp": out of memory

Cause

In releases 3.4.2 MP1, 3.4.2 MP2, 3.4.2 MP3 and 3.4.2 MP4, the backup file is decrypted wholly in RAM, and there is a 4 GB limit.

Environment

Symantec Encryption Management Server releases 3.4.2 MP1, 3.4.2 MP2, 3.4.2 MP3 and 3.4.2 MP4 with backup encryption enabled and backup sizes of 3 GB or above.

Resolution

Upgrade to Encryption Management Server 3.4.2 MP5 or above.

If you cannot upgrade, there are three options to work around this issue:

  1. Disable encryption of backups.
  2. Decrypt the backup file with Symantec PGP Command Line release 10.4.2 or below, transfer the decrypted file back to Encryption Management Server and restore using the command line. Note that only release 10.4.2 or below is likely to decrypt successfully. See article TECH257113.
  3. Decrypt the backup file with Symantec Encryption Desktop release 10.4.2 MP4 or above, transfer the decrypted file back to Encryption Management Server and restore using the command line. Note that Encryption Desktop 10.4.2 MP1, 10.4.2 MP2 and 10.4.2 MP3 will not be able to decrypt the file. See article TECH253160. Note too that Encryption Desktop is significantly slower than PGP Command Line. It may take around 10 minutes per GB to decrypt the backup file, especially if it is on a network share.

Option 1 - Disable encryption of backups

  1. Log in to the Encryption Management Server administration console.
  2. Click on System / Backups.
  3. Click on the Backup Location button.
  4. Disable the option Encrypt backups to the Organization Key.
  5. Enable the option Enable backup file compression.
  6. Click the Save button.

Option 2 - Decrypt the backup with Symantec PGP Command Line release 10.4.2 or below

  1. Install PGP Command Line.
  2. Export the keypair of the Organization Key from Encryption Management Server.
  3. Import the Organization Key into PGP Command Line. For example, use this command where orgkey.asc is the Organization Key keypair:
    pgp --import orgkey.asc
  4. Download the *.pgp backup file to the local drive of the machine running PGP Command Line or to a network share that is mapped to a drive letter.
  5. Decrypt the backup file. For example, use this command if the backup file is keys.example.com-backup-01-07-20-03-21-45.tar.gz.pgp:
    pgp --decrypt keys.example.com-backup-01-07-20-03-21-45.tar.gz.pgp
  6. Upload the *.tar.gz file to the /root directory of Encryption Management Server using scp.
  7. Log in to the Encryption Management Server administration console and under System / Backups, click on the Backup Location button and enable the option Save backups on this Symantec Encryption Server if it is not already enabled, then click Save.
  8. Connect to Encryption Management Server using SSH and enter this command to restore where keys.example.com-backup-01-07-20-03-21-45.tar.gz is the decrypted backup file:
    pgpbackup -r keys.example.com-backup-01-07-20-03-21-45.tar.gz
  9. Delete the Organization Key from the PGP Command Line keyring using the pgp --remove-key-pair command.

Option 3 - Decrypt the backup with Symantec Encryption Desktop release 10.4.2 MP4 or above

  1. Install Encryption Desktop on a system that does not already have Encryption Desktop installed. Note that you do not need to enter a license key.
  2. Export the keypair of the Organization Key from Encryption Management Server.
  3. Import the Organization Key into Encryption Desktop.
  4. Download the *.pgp backup file to the local drive of the machine running Encryption Desktop or to a network share.
  5. Open Windows Explorer and right-click on the *.pgp file, then select Symantec Encryption Desktop / Decrypt & Verify.
  6. Upload the *.tar.gz file to the /root directory of Encryption Management Server using scp.
  7. Log in to the Encryption Management Server administration console and under System / Backups, click on the Backup Location button and enable the option Save backups on this Symantec Encryption Server if it is not already enabled, then click Save.
  8. Connect to Encryption Management Server using SSH and enter this command to restore where keys.example.com-backup-01-07-20-03-21-45.tar.gz is the decrypted backup file:
    pgpbackup -r keys.example.com-backup-01-07-20-03-21-45.tar.gz
  9. Open Encryption Desktop and delete the Organization Key from the keyring.
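
Options 2 and 3 both upload a decrypted archive to /root with scp before running pgpbackup -r. The shell functions below are an added example, not code from this article or from Symantec, that confirm the uploaded file is intact and readable before the restore is started. The function names and the practice of carrying a SHA-256 digest over from the decrypting machine are assumptions.

```shell
#!/bin/sh
# Added example: pre-restore checks for a decrypted backup uploaded to /root.
# Function names and the checksum hand-off are assumptions, not Symantec tooling.

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_decrypted_backup FILE EXPECTED_SHA256
# Returns 0 only if FILE arrived intact and is a readable gzip-compressed tar.
#   1 = missing or empty file          2 = still encrypted (*.pgp)
#   3 = checksum mismatch (transfer)   4 = gzip stream damaged or truncated
#   5 = tar structure unreadable
verify_decrypted_backup() {
    file=$1
    expected=$2
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    case $file in
        *.pgp) echo "still encrypted, decrypt first: $file" >&2; return 2 ;;
    esac
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch after upload: $file" >&2
        return 3
    fi
    gzip -t "$file" 2>/dev/null || { echo "gzip stream damaged: $file" >&2; return 4; }
    tar -tzf "$file" >/dev/null 2>&1 || { echo "tar unreadable: $file" >&2; return 5; }
    return 0
}

# Usage on the server after scp (digest computed on the decrypting machine):
#   verify_decrypted_backup /root/<backup>.tar.gz <sha256> && pgpbackup -r <backup>.tar.gz
```

The decrypted archive is no longer protected by the Organization Key, so the digest comparison also shows whether the copy in /root differs from the file that was decrypted.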