If you protect a vault with encryption, anything written to the vault will be encrypted and anything read from it will be decrypted transparently by the storage node, using a vault-specific encryption key stored on the node. If the storage medium is stolen or accessed by an unauthorized person, the malefactor will not be able to decrypt the vault contents without access to the storage node.

This encryption has nothing to do with the archive encryption specified by the backup plan and performed by an agent. If the archive is already encrypted, the storage node-side encryption is applied over the encryption performed by the agent.

To protect the vault with encryption

1. Select the Encrypt check box.

2. In the Enter the password field, type a password.

3. In the Confirm the password field, re-type the password.

4. Select one of the following:

AES 128 – the vault contents will be encrypted using the Advanced Encryption Standard (AES) algorithm with a 128-bit key

AES 192 – the vault contents will be encrypted using the AES algorithm with a 192-bit key

AES 256 – the vault contents will be encrypted using the AES algorithm with a 256-bit key.

5. Click OK.

The AES cryptographic algorithm operates in the Cipher-block chaining (CBC) mode and uses a randomly generated key with a user-defined size of 128, 192 or 256 bits. The larger the key size, the longer it will take for the program to encrypt the archives stored in the vault and the more secure the archives will be.

The encryption key is then encrypted with AES-256 using a SHA-256 hash of the password as a key.

The password itself is not stored anywhere on the disk; the password hash is used for verification purposes. With this two-level security, the archives are protected from any unauthorized access, but recovering a lost password is not possible.
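The two-level scheme described above, as an added Go example that is not Acronis code: a random vault key is wrapped under AES-256 keyed with the SHA-256 hash of the password, so a password change re-wraps the key without touching vault data. The function names, the CBC mode, IV and PKCS#7 padding of the wrap, and the sample passwords are assumptions of this example; the page does not specify the on-disk format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// kek returns AES-256 keyed with SHA-256(password), the key-encryption key the page describes.
func kek(password string) cipher.Block {
	h := sha256.Sum256([]byte(password))
	b, _ := aes.NewCipher(h[:]) // a 32-byte key is always accepted
	return b
}

// wrapKey returns IV || AES-256-CBC(PKCS#7(dataKey)); this layout is assumed, not Acronis's format.
func wrapKey(password string, dataKey []byte) ([]byte, error) {
	pad := aes.BlockSize - len(dataKey)%aes.BlockSize
	padded := append(append([]byte{}, dataKey...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(kek(password), out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// unwrapKey reverses wrapKey; a wrong password fails the padding check or yields a wrong key.
func unwrapKey(password string, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed wrapped key")
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(kek(password), blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("wrong password or corrupted key blob")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	blob, _ := wrapKey("old-password", make([]byte, 24)) // constructed all-zero 24-byte sample key
	key, _ := unwrapKey("old-password", blob)
	blob, _ = wrapKey("new-password", key) // password change: only the wrap is redone
	fmt.Println(unwrapKey("new-password", blob))
}
```

Because the key-encryption key is a plain SHA-256 hash of the password, the wrapped vault key is only as hard to recover as the password is to guess, whichever AES key size is selected for the vault contents.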

127 Copyright © Acronis, Inc.

4.1.2.2 Creating an unmanaged centralized vault

To create an unmanaged centralized vault, perform the following steps.

Vault

Name

Specify a unique name for the vault. The creation of two centralized vaults with the same name is prohibited.

Comments

Enter a distinctive description of the vault.

Type

Select the Unmanaged type.

Path (p. 127)

Specify where the vault will be created.

After you have performed all the required steps, click OK to commit creating the unmanaged centralized vault.

Vault path

To specify the path where the unmanaged vault will be created

1. Enter the full path to the folder in the Path field or select the desired folder in the folders tree.

Unmanaged vaults can be organized:

• on Acronis Online Backup Storage

• on a network share

• on a Storage Area Network (SAN)

• on a Network Attached Storage (NAS)

• on FTP and SFTP servers.

According to the original FTP specification, credentials required for access to FTP servers are transferred through a network as plaintext. This means that the user name and password can be intercepted by an eavesdropper using a packet sniffer.

To create a new folder for the vault, click Create folder.

A vault can be created in an empty folder only.

2. Click OK.

4.1.2.3 Attaching a managed vault

A vault managed by a storage node can be attached to another storage node. You might need to do so when retiring storage node hardware, when the storage node is lost or when balancing loads between storage nodes. As a result, the first node stops managing the vault. The second node scans archives in the vault, creates and fills up the database corresponding to the vault, and starts managing the vault.

When deleting a managed vault, you have the option to retain archives contained in the vault. The location resulting from such deletion can also be attached to the same or another storage node.

Personal or centralized unmanaged vaults cannot be attached.

To attach a managed vault to a storage node, perform the following steps.

Vault

Storage node

Select the Acronis Backup & Recovery 10 Storage Node that will manage the vault.

Path

Specify the path to the location where the archives are stored.

Database path

Specify a local folder on the storage server to create a vault-specific database. This database will store the metadata required for cataloguing the archives and performing deduplication.

Password

For the vault that was encrypted, provide the encryption password.

After you have performed all the required steps, click OK to commit to attaching the vault. This procedure may last for quite a while since the storage node has to scan the archives, write the metadata in the database, and deduplicate the archives if the vault was originally deduplicating.

4.1.3 Tape libraries

This section describes in detail how to use robotic tape devices as vaults for storing backup archives.

A tape library (robotic library) is a high-capacity storage device that contains the following:

• one or more tape drives

• multiple (up to several thousand) slots to hold tape cartridges

• one or more loaders (robotic mechanisms) intended for relocating the tape cartridges between the slots and the tape drives

• barcode readers (optional).

4.1.3.1 Overview

Acronis Backup & Recovery 10 provides full support of a tape library through Acronis Backup & Recovery 10 Storage Node. The storage node should be installed on the machine a tape library is attached to. The storage node can simultaneously use more than one tape library for keeping archives.

To manage a tape library media, the storage node uses the Windows Removable Storage Manager (RSM). See the RSM Media Pools (p. 130) section for more information.

A dedicated database of the storage node keeps information of the backup content written onto the tapes. So some operations (for example, Cleanup (p. 390)) can be performed quite fast without accessing the media. It is possible to view the content of a backup archive located on a tape through the console, even if a tape library is turned off, due to content information stored in the database. To create an incremental or differential backup of data, the program uses the database instead of loading, mounting, rewinding and reading a tape with the full data backup. However, a tape should be read, for example, to validate (p. 399) a backup or to recover data from a backup.

A tape library can be locally attached to a machine the agent is installed on, but only in the case the library is considered as a single tape drive. The agent can use such a device to write and read data backups, but the backup's format differs from the format of the backups on the tapes written through the storage node. To get information about the readability of the archives on tapes, written by different components of other versions of the product by means of Acronis Backup & Recovery 10, see the Tape compatibility table (p. 44) section.

Acronis Backup & Recovery 10 enables you to set up distribution of backups by media. For example, a separate tape set can be used to back up some specific data, and the backups of all other data will be written onto any currently mounted tape, which does not belong to the tape set. See the Tape support (p. 108) section for more information.

The backup schemes (Grandfather-Father-Son (p. 33), Tower of Hanoi (p. 37)) considerably assist you with creating an effective schedule and retention rules for backups on a tape library. In combination with the tape options, the backup schemes enable you to reuse, in automatic mode, the tapes that are considered as free after backup deletion. See the Tape rotation (p. 136) section for more information.

4.1.3.2 Hardware

A tape library (robotic library) is a high-capacity storage device that contains the following:

• one or more tape drives

• multiple (up to several thousand) slots to hold tape cartridges

• one or more loaders (robotic mechanisms) intended for relocating the tape cartridges between the slots and the tape drives

• barcode readers (optional).

Each tape may have a special label attached to the side of the cartridge, comprising:

• a barcode to scan by a special reader that is usually mounted on a loader

• a readable barcode digital value.

Such labels are used for tape identification in a tape library or especially in off-site storage.

If all cartridges in a tape library have barcodes, the library is ready to be automatically managed by software.

Tape libraries are a cost-effective solution for data storage with huge capacity. Moreover, tape is perfect for archiving because cartridges can be stored off-site for enhanced data security. However, reading even a small amount of data from a tape library takes much more time (from several seconds to several minutes) than from other types of data storage. The best practice of tape usage is "LESS requests to write/read LARGER amount of data". So systematic access to very large quantities of data is more suitable for a tape library than random access to small portions of data.

4.1.3.3 Limitations

Limitations of tape library usage are the following:

1. The consolidation (p. 391) operation is not possible for archives located on tapes. Deletion of a single separate backup is impossible from a tape. It is possible to delete all the backups stored on a tape. However, after this operation all the incremental and differential backups, stored on other tapes and based on the deleted backups, cannot be used for data recovery. In a Custom backup plan's retention rules the If deletion of a backup affects other backups > Consolidate the backup option is disabled. Only the Postpone the deletion option is available.

2. Deduplication (p. 391) is not available for archives located on tape storage devices.

3. File recovery from a disk backup stored on tape is possible, but can take a very long time.

4. A tape with backups written by the storage node cannot be read on a tape device locally attached to a machine the agent is installed on, because of a difference in tape format. To get information about the readability of the archives on tapes, written by different components of other versions of the product by means of Acronis Backup & Recovery 10, see the Tape compatibility table (p. 44) section.

5. Barcode printers are not used.

4.1.3.4 RSM Media Pools

Acronis Backup & Recovery 10 uses Windows Removable Storage Manager (RSM) to manage tape cartridges belonging to tape libraries.

To separate access to media by different programs, the RSM uses so-called Media Pools, which are logical media groups. There are two categories of media pools in the manager: System and Application.

System media pools include Free pool, Import pool and Unrecognized pool. The System pools hold media that are not currently used by applications. The Free pool holds media that are considered as free and can be used by applications. The Import and Unrecognized pools are temporary pools for media that are new to a certain library.

Through RSM an application can get its own pools with proper names, move media from the Free pool into its own pools, use its own pools’ media for correct purpose, return media to the Free pool, etc.

Acronis Backup & Recovery 10 Storage Node manages the tapes belonging to the Acronis pool.

If you fill tape library slots with unused tapes, all the tapes will be included into the Free pool automatically.

If a tape was used previously, the RSM tries to detect the registered application the tape belongs to. If the application is not found, the RSM will move the tape into the Unrecognized pool.

If the application is not found, but the RSM database has no information about the tape, it will be moved into the Import pool. If the RSM database has the information, the tape moves into its own pool of the application.

Acronis Backup & Recovery 10 Storage Node enables the RSM to detect the tapes written by Acronis True Image Echo, Acronis True Image 9.1 product families and by components of Acronis Backup & Recovery 10. The storage node will locate all tapes written in “Acronis” format into the Acronis pool at the Inventory (p. 134) operation.

Acronis Backup & Recovery 10 components don’t use the Unrecognized pool. To utilize a tape from this pool forcibly, move the tape to the Free pool using the Removable storage snap-in (Control panel > Administrative tools > Computer management > Removable storage > Media pools).

If a tape has moved into the Free pool, it is considered as free and will be accessible to write by any application.

So the tape data will be lost.

If all the backups are deleted from a tape, it will not return to the Free pool. It remains in the Acronis pool as a free tape to be reused. So if a storage node needs a new tape, it finds a free tape first in the Acronis pool, then in the Free pool.

Hereinafter, Acronis Backup & Recovery 10 Storage Node deals only with the tapes belonging to the Acronis pool.

4.1.3.5 Getting started with a tape library

If you have a tape library device attached to a machine with Acronis Backup & Recovery 10 Storage Node installed, all you need to do to back up onto the tape library is to create an archive vault on the device under storage node management.

Prerequisites

A tape library device has to be installed on a machine running Windows in accordance with the device manufacturer’s installation instructions.

If Removable Storage Manager (RSM) is present in your version of Windows, it must be activated.

In Microsoft Windows XP and Microsoft Windows Server 2003:

• Removable Storage Manager is part of the operating system and is activated initially.

To activate Removable Storage Manager in Microsoft Windows Server 2008:

1. Click Administrative Tools > Server Manager > Features > Add Feature.

2. Select the Removable Storage Manager check box.

To activate Removable Storage Manager in Microsoft Windows Vista:

1. Click Control Panel > Programs > Programs and Features > Turn Windows features on or off.

2. Select the Removable Storage Management check box.

Fill the library slots with tape cartridges. If a tape does not get a barcode or its barcode is corrupted, you can define the tape label for identification purposes later.

You should have Acronis Backup & Recovery 10 Management Server and Acronis Backup & Recovery 10 Management Console installed on local or remote machines, as well as Acronis Backup & Recovery 10 Storage Node, installed on the machine with the tape library device, and registered in the management server.