Should I use software or hardware encryption?

Backup Exec supports both hardware and software encryption for backups, but what’s the difference, and which should you choose?

Hardware encryption is available only with backup devices that can perform the encryption themselves. In practice, this means LTO4 and LTO5 drives. If you have one of these drives, and you want your backups encrypted, then you can enable hardware encryption for your backups. The disadvantages of hardware encryption are:

  • Because the data is encrypted at the backup device, the data crosses the network unencrypted.

Software encryption is available on all backup devices. When you run a backup with software encryption, the encryption takes place at the Remote Agent. This means that the data is encrypted as it passes over the network to the Backup Exec Media Server. When using software encryption, you should enable software compression for your backup jobs. This is because encrypted data doesn’t compress well, and if you use hardware compression, the compression takes place on the backup device, after the data has been encrypted. Software compression takes place on the Remote Agent, before encryption takes place, so the data should be more compressible. The disadvantages of software encryption are:

  • Because it takes place on the Remote Agent, there may be a performance impact on your backup speed.
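The compression-ordering point above can be measured directly. The following is an added example, not Backup Exec code: it uses a constructed sample of log-like data and a stand-in SHA-256 keystream cipher (an assumption chosen so the script runs with only the Python standard library; it is not the cipher Backup Exec uses) to compare compress-then-encrypt with encrypt-then-compress.

```python
import hashlib
import zlib


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA-256(key || offset) blocks.

    Illustration only. Like any sound cipher, its output looks random,
    which is what makes it incompressible. Encrypting twice decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def make_sample_backup(records: int = 2000) -> bytes:
    """Constructed sample data: repetitive log-like text."""
    return "".join(
        f"2024-01-01 00:00:{i % 60:02d} host{i % 7} job=backup status=OK id={i}\n"
        for i in range(records)
    ).encode()


def compare_orderings(data: bytes, key: bytes = b"constructed-demo-key") -> dict:
    """Return stored sizes for both orderings of compression and encryption."""
    # Software compression at the agent, then encryption (recommended order).
    compress_then_encrypt = keystream_encrypt(key, zlib.compress(data, 6))
    # Encryption at the agent, then compression at the device.
    encrypt_then_compress = zlib.compress(keystream_encrypt(key, data), 6)
    return {
        "original": len(data),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


def roundtrip_ok(data: bytes, key: bytes = b"constructed-demo-key") -> bool:
    """Check that a restore (decrypt, then decompress) recovers the data."""
    stored = keystream_encrypt(key, zlib.compress(data, 6))
    return zlib.decompress(keystream_encrypt(key, stored)) == data


if __name__ == "__main__":
    for name, size in compare_orderings(make_sample_backup()).items():
        print(f"{name:>22}: {size} bytes")
```

On this sample, compressing first shrinks the stored data substantially, while compressing after encryption leaves it at roughly the original size.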

Needless to say, if you use encryption, you should ensure that your encryption passphrase is well protected: if you lose your Media Server, you’ll need the passphrase to perform a restore.