Transcript
NetVault®: Backup Encryption Plugin
version 2.0 Version: 2.0Product Number: NVG-122-2.0-EN-02
User’s Guide
NVG-122-2.0-EN-02 01/05/10
Copyrights NetVault: Backup Encryption Plugin User’s Guide Software Copyright © 2009 BakBone Software Documentation Copyright © 2009 BakBone Software This software product is copyrighted and all rights are reserved. The distribution and sale of this product are intended for the use of the original purchaser only per the terms of the License Agreement. All other product trademarks are the property of their respective owners. The NetVault: Backup Encryption Plugin User’s Guide documentation is copyrighted and all rights are reserved. This document may not, in whole or part, be copied, photocopied, reproduced, translated, reduced or transferred to any electronic medium or machine-readable form without prior consent in writing from BakBone Software. THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. THIS PUBLICATION COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED INTO NEW EDITIONS OF THE PUBLICATION. BAKBONE SOFTWARE MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS PUBLICATION AT ANY TIME. © 1999-2009 BakBone®, BakBone Software®, NetVault®, Application Plugin Module™, BakBone logo®, Integrated Data Protection™, NetVault: SmartDisk™, Asempra®, FASTRecover™, ColdSpark® and Spark Engine™ are all trademarks or registered trademarks of BakBone Software, Inc., in the United States and/or in other countries. All other brands, products or service names are or may be trademarks, registered trademarks or service marks of, and used to identify, products or services of their respective owners.
BakBone Software 9540 Towne Centre Drive, Suite 100 San Diego, California 92121 866.484.2663
Table of Contents Chapter 1: Introduction • • • • •
5
NetVault: Backup Encryption Plugin – At a Glance ....................................................... 5 Target Audience ................................................................................................................ 5 Recommended Additional Reading ................................................................................ 6 Technical Support ............................................................................................................. 6 Documentation Updates ................................................................................................... 6
Chapter 2: Strategy
7
• Encryption Strategy Overview ......................................................................................... 7 -
Selecting Which Backups to Encrypt ............................................................................................... 7 Selecting Encryption Algorithms ...................................................................................................... 9 Encrypting Primary Backups vs. Secondary Copy Backups .......................................................... 10 Encrypting All Backups vs. Job-Level Encryption .......................................................................... 11
• Deployment Overview .................................................................................................... 12
Chapter 3: Installation
13
• Limitations ....................................................................................................................... 13 • Installation Procedure .................................................................................................... 13 • Removing Encryption Plugin ......................................................................................... 14
Chapter 4: Configuration
15
• Configuring the Encryption Plugin ............................................................................... 15 - Enabling Encryption for All Backups .............................................................................................. 15 - Disabling Encryption for All Backups ............................................................................................. 17
4
Table of Contents
Chapter 5: Backup
19
• Encryption for All Backups ............................................................................................19 • Job-Level Encrypted Backups .......................................................................................19 - Encrypting Primary Backups .......................................................................................................... 20
• Encrypting Secondary Copies .......................................................................................21
NetVault: Backup Encryption Plugin User’s Guide
5
Chapter 1:
INTRODUCTION
1.1.0
NetVault: Backup Encryption Plugin – At a Glance
Target Audience
Recommended Additional Reading
Technical Support
Documentation Updates
NetVault: Backup Encryption Plugin – At a Glance NetVault: Backup's Encryption Plugin provides CAST-128, AES-256 and CAST-256 algorithm support options to meet regulatory requirements without sacrificing backup windows or deduplication performance. When installed on the NetVault: Backup (NVBU) Client, the NVBU Encryption Plugin encrypts and transfers data across the network to the backup device, where it remains encrypted until restored to the NVBU Client. If encryption is only required for secondary storage, NetVault: Backup’s job-level encryption offers the choice of encrypting only the secondary copy while the primary backup remains unencrypted to shrink the backup window. When using NetVault: SmartDisk’s deduplication, NetVault: Backup’s job-level deduplication allows you to separate deduplicated from non-deduplicated unencrypted data for optimal deduplication ratios and performance.
1.2.0
Target Audience This guide is intended for Administrators and other technical personnel who are responsible for adding and managing backup devices in a NetVault: Backup environment. Familiarity with encryption solutions is assumed.
6
Chapter 1 Introduction
1.3.0
Recommended Additional Reading
NetVault: Backup Installation Guide – This guide provides complete details on installing the NVBU Server and Client software.
NetVault: Backup Administrator’s Guide – This guide describes how to use NVBU and provides comprehensive information on all NVBU features and functionality.
NetVault: Backup Configuration Guide – This guide explains how to change the preferences and default settings for NVBU.
You can download these guides from the BakBone website at the following address: http://www.bakbone.com/documentation
1.4.0
Technical Support BakBone Software is dedicated to providing friendly, expert advice to NetVault customers. Our highly trained professionals are available to answer your questions, offer solutions to your problems and generally help you make the most of your NetVault purchase. Log on to our web site for more information: http://support.bakbone.com
1.5.0
Documentation Updates For the latest documentation updates, refer to the BakBone Software Knowledge Base. BakBone's Knowledge Base article for the Encryption Plugin v2.0 can be found at the following link: http://kb.bakbone.com/5299
NetVault: Backup Encryption Plugin User’s Guide
7
Chapter 2:
STRATEGY
2.1.0
Encryption Strategy Overview
Selecting Which Backups to Encrypt
Selecting Encryption Algorithms
Encrypting Primary Backups vs. Secondary Copy Backups
Encrypting All Backups vs. Job-Level Encryption
Deployment Overview
Encryption Strategy Overview When defining an encryption strategy you must determine:
2.1.1
Which backups will be encrypted.
Which encryption algorithm is required.
Whether encryption is required for primary backups and/or secondary backups.
Whether encryption will be enabled for all backups or on a per-job basis.
Selecting Which Backups to Encrypt The NVBU Encryption Plugin performs software-based encryption. The backup stream is encrypted using the selected algorithm by the NVBU Server or the Heterogeneous Client where the Encryption Plugin is installed. The encrypted data stream is transferred over the network to the backup device where it remains encrypted. During a restore, the encrypted backup is transferred from the backup device to the targeted NVBU Server or Heterogeneous Client, where the Encryption Plugin installed on the Heterogeneous Client performs the decryption. Note: Installing the Encryption Plugin on the NVBU Server is only required to encrypt the backups that originate from the NVBU Server, such as NVDB backups. For example, it is not required to encrypt SQL Server APM backups that originate on a Heterogeneous Client running the SQL Server APM.
8
Chapter 2 Strategy
Figure 2-1: Encrypted Backup/ Restore Path
Since the encryption and decryption is performed by the Encryption Plugin installed on the NVBU Server or Heterogeneous Client, the encryption process requires resources on the NVBU Server or Heterogeneous Client to actually perform the encryption/decryption process. Additionally, the encryption process will lengthen the time it takes to perform the backups while the decryption process will lengthen the time it takes to perform the restore. The impact to the performance of the Heterogeneous Client, backup window, and restore time should be considered when deciding which backups need to be encrypted. In summary, backups should only be encrypted when security requirements outweigh the impact to performance, backup windows, and restore times. Note: When an encrypted backup is performed, the backup index will not be encrypted.
NetVault: Backup Encryption Plugin User’s Guide
2.1.2
9
Selecting Encryption Algorithms The Encryption Plugin provides multiple algorithms that can be used to encrypt and decrypt backups. The available encryption algorithms are divided into two categories, the Standard Algorithms and Advanced Algorithms as detailed below. Note: NetVault: Backup encryption architecture only supports the Electronic Codebook Mode (ECB) of operation. This means that every data block is encrypted individually. If two or more consecutive blocks contain identical data, the encrypted forms of these blocks will also be identical.
2.1.2.a
Standard Encryption Algorithms The Encryption Plugin's Standard Algorithms include the CAST-128 algorithm. CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key size of between 40 to 128 bits, but only in 8-bit increments. For more information on CAST-128, refer to: http://en.wikipedia.org/wiki/CAST-128 The CAST-128 algorithm was previously the only available encryption algorithm and is now available as part of the Encryption Plugin's Standard Algorithm Option. The CAST-128 algorithm is available for evaluations.
2.1.2.b
Advanced Encryption Algorithms The Encryption Plugin's Advanced Algorithms currently include the CAST-256 and AES-256 algorithms. CAST-256 uses the same elements as CAST-128 but is adapted for a block size of 128 bits — twice the size of its 64-bit predecessor. Acceptable key sizes are 128, 160, 192, 224 or 256 bits. CAST-256 is composed of 48 rounds, sometimes described as 12 “quad-rounds”, arranged in a generalized Feistel network. For more information on CAST-256, refer to: http://en.wikipedia.org/wiki/CAST-256 Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. For more information on AES, refer to: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard The CAST-256 and AES-256 algorithms are available as part of the Encryption Plugin's Advanced Algorithm Option. Unlike the Standard Algorithm Option, the algorithms available as part of the Advanced Algorithm Option are not available for evaluation. CAST-256 and AES-256 are available as separate NVBU “.npk” files and are only usable when a permanent license key for the Encryption Plugin Advanced Algorithm Option is installed.
10
Chapter 2 Strategy While each NVBU Server or Heterogeneous Client can use a different encryption algorithm, all backups from a particular NVBU Server or Heterogeneous Client must use the same algorithm. The same encryption algorithm that was used during backup must be used during restores. It is possible to utilize a different algorithm from this point forward than has previously been used. However, when restoring backups that used the previous algorithm, the NVBU Server or Heterogeneous Client must be configured to specify the algorithm used by the backup in order for the restore to complete successfully. For example, if previous backups used the CAST-128 algorithm while current backups are using the AES-256 algorithm, the Encryption Plugin must be configured on the NVBU Server or Heterogeneous Client to utilize the CAST-128 algorithm when restoring a backup that was taken using the CAST-128 backup. Otherwise, the restore will fail.
2.1.3
Encrypting Primary Backups vs. Secondary Copy Backups An NVBU backup job can be split into two distinct phases: primary backup and secondary copy. The primary backup is the backup of the data stream to the targeted backup device. The secondary copy is a duplication or Data Copy of the primary backup to a different backup device which is typically for offsite protection. Typically, the primary backup is performed to local disk-based backup devices such as NetVault: SmartDisk Devices, Virtual Tape Library (VTL) or Shared Virtual Tape Library (SVTL) to enable faster restores. Secondary copies are usually targeted to remote disk-based backup devices or physical tape libraries whose tapes are stored offsite for disaster recovery purposes. Security requirements will dictate whether both the primary backups and the secondary copy backups require encryption. For example, if security demands only that backups that leave the corporate network require encryption (such as those stored on physical tapes in a remote location), then only encrypting the secondary copy backups that target the physical tape library is required. However, if security requirements dictate that data must be encrypted while it transfers across the network and/or while it is stored on a disk-based backup device — even though the disk based backup device is located within the corporate network — then encrypting both the primary backup and secondary copy backup is required. Encrypted data does not deduplicate well; therefore, encrypting only the secondary copy backup is beneficial when targeting primary backups to NVSD Devices that have the Deduplication Option enabled. This allows users to take advantage of both encryption and deduplication by deduplicating the primary backup and encrypting the secondary copy.
NetVault: Backup Encryption Plugin User’s Guide
11
Figure 2-2: Unencrypted Primary Backup vs. Encrypted Secondary Copy Backup
2.1.4
Encrypting All Backups vs. Job-Level Encryption Once the Encryption Plugin is installed, you can enable encryption for all backups for the NVBU Server on a Heterogeneous Client where the Encryption Plugin is installed, or enable encryption only for specific jobs. Job-level encryption for primary backups is beneficial when:
Not all the NVBU Plugins installed on the NVBU Server or Heterogeneous Client are compatible with the Encryption Plugin.
Not all backups from the same NVBU Server or Heterogeneous Client require encryption.
Primary backups do not require encryption while secondary backups for offsite protection do require encryption.
Primary backups are targeted to NetVault: SmartDisk (NVSD) Devices for deduplication.
The NVBU Server or Heterogeneous Client should only be configured to encrypt all its backups when:
All the NVBU Plugins installed on the NVBU Server or Heterogeneous Client are compatible with the Encryption Plugin.
All backups from the NVBU Server or Heterogeneous Client require encryption.
12
Chapter 2 Strategy
Primary and secondary backups require encryption.
Backups will be targeted to NVSD Devices for deduplication.
For a list of NVBU Plugins that are not compatible with the Encryption Plugin, refer to the NetVault: Backup Encryption Plugin Release Notes.
2.2.0
Deployment Overview The Encryption Plugin must be installed on all of the NVBU Servers and Heterogeneous Clients that will have their backups encrypted. Each Encryption Plugin requires its own machine-tied permanent license key. Each NVBU Server and/or Heterogeneous Client does not require the same encryption algorithms to be licensed, except when using the NVBU Server or a SmartClient to create encrypted secondary copies. For example, if the Heterogeneous Client is configured to use the AES-256 algorithm and the NVBU Server will be used to create the encrypted secondary copy, the NVBU Server must be configured to use the AES-256 algorithm to ensure that the secondary copy backups can be restored by the Heterogeneous Client.
Figure 2-3: Encryption Plugin Deployment Overview
NetVault: Backup Encryption Plugin User’s Guide
13
Chapter 3:
INSTALLATION
3.1.0
Limitations
Installation Procedure
Removing Encryption Plugin
Limitations Not all NVBU Plugins are compatible with the Encryption Plugin. For a list of NVBU Plugins that are not compatible with the Encryption Plugin refer to the NetVault: Backup Encryption Plugin Release Notes.
3.2.0
Installation Procedure To install the Encryption Plugin, perform the following steps: 1. Open the Client Management window on NetVault: Backup Server (click Client Management on the toolbar or Large Buttons panel, or on the Administration menu, click Client Management). 2. Locate the target Client under Clients. Right-click it, and then select Install Software.
Figure 3-1: Install Software option
14
Chapter 3 Installation 3. In the browse window, navigate to the location of the “.npk” installation files for the Encryption Plugin (on the installation CD or in the directory to which the file was downloaded from BakBone Software's web site). Depending on the operating system, the filepath for this software may vary on the installation CD. Select the appropriate package file(s). The package files are named as follows:
aes-x-x-x-x.npk
cst-x-x-x-x.npk
cst2-x-x-x-x.npk
where x-x-x-x represents the platform and version number. 4. Click Open. 5. This initiates the software installation. Click OK on the confirmation dialog. 6. Repeat steps 2–5 for each encryption algorithm desired. You can confirm that the encryption algorithms files are installed by viewing the Installed Software tab on the Client Properties dialog: 1. Right-click on the target Client under Clients and select Properties. 2. Select the Installed Software tab. The installed Encryption Plugin Algorithms will be displayed.
3.3.0
Removing Encryption Plugin The Encryption Plugin algorithm(s) can be removed in a similar manner to the installation process. Each algorithm must be removed separately. 1. Open the Client Management window on NetVault: Backup Server (click Client Management on the toolbar or Large Buttons panel, or on the Administration menu, click Client Management). 2. Locate the target NVBU Server or Heterogeneous Client under Clients. Right-click it, and then select Remove Software. 3. In the Remove Software dialog, select the Encryption Algorithm from the list of installed plugins and click Remove to start the removal process. 4. Repeat Steps 2–3 for each encryption algorithm to be removed. All algorithms must be removed to completely remove the Encryption Plugin from the NVBU Server or Heterogeneous Client.
NetVault: Backup Encryption Plugin User’s Guide
15
Chapter 4:
CONFIGURATION
4.1.0
Configuring the Encryption Plugin
Enabling Encryption for All Backups
Disabling Encryption for All Backups
Configuring the Encryption Plugin Once the Encryption Plugin is installed, you can enable encryption for all backups for the NVBU Server on a Heterogeneous Client where the Encryption Plugin is installed or enable encryption only for specific jobs. Enabling all backups for a NVBU Server or Heterogeneous Client is done via the NVBU Configurator.
4.1.1
Enabling Encryption for All Backups When enabling encryption for all backups that originate from an NVBU Server or Heterogeneous Client, job-level encryption is not possible. To enable encryption for all backups for a NVBU Server or Heterogeneous Client, perform the following steps: 1. Start the NetVault: Backup Configurator on the NVBU Server or Heterogeneous Client. 2. Select the Encryption tab. Note: The Encryption tab is not available when using Domain Management to remotely configure a machine. Encryption must be applied from the local NVBU Configurator.
16
Chapter 4 Configuration
Figure 4-1: Encryption tab in NVBU Configurator
3. Select the Encrypt ALL Backups on This Client checkbox. 4. In the Encryption Key String New Password box (on Windows)/ New String box (on UNIX/Linux), enter the password/string that will serve as the Encryption Key for the NVBU Server or Heterogeneous Client. Important Notes:
Different platforms allow varying characters and password lengths. As such, these will not be consistent from platform to platform. BakBone recommends using passwords of 32 characters or less and using characters from the following set: “A–Z”, “a–z”, “0–9”, “_”. Passwords that do not conform to these specifications may work on one platform but be invalid on another in the same environment thereby causing difficulties with Access Control.
Additionally, BakBone recommends using strong passwords — a minimum of 8 characters with at least one uppercase (A–Z), one lowercase (a–z), and one numeric (0–9) character. Adopting this as part of a defined security policy will help ensure the overall security of the NetVault: Backup product.
5. Re-enter the password/string in the Confirm Password box (on Windows)/ Confirm String box (on UNIX/Linux). 6. Click OK to apply the settings. Important: An encrypted backup can be restored to either its original location or to a new target machine. In either event, the Encryption Plugin must be installed on the target machine and it must be configured as it was when the backup occurred — using the same Encryption Key String and Encryption Algorithm.
NetVault: Backup Encryption Plugin User’s Guide
4.1.2
17
Disabling Encryption for All Backups In order to perform job-level encryption for the backups originating from an NVBU Server or Heterogeneous Client, the Encryption Plugin must not be configured for encrypting all backups. To disable encryption for all backups for a NVBU Server or Heterogeneous Client, perform the following steps: 1. Start the NetVault: Backup Configurator. 2. Click the Encryption tab. 3. Clear the Encrypt ALL Backups on This Client checkbox.
18
Chapter 4 Configuration
NetVault: Backup Encryption Plugin User’s Guide
19
Chapter 5:
BACKUP
Encryption for All Backups
Job-Level Encrypted Backups
5.1.0
Encrypting Primary Backups
Encrypting Secondary Copies
Encryption for All Backups If encryption is enabled for all backups for a particular NVBU Server or Heterogeneous Client, there are no additional requirements for encrypting backups. Refer to the backup and restore procedures in the User’s Guide for the given APM or Plugin.
5.2.0
Job-Level Encrypted Backups With job-level encryption, the primary backup, secondary copy, or both the primary backup and secondary copy can be encrypted for an individual job. Encrypting both the primary backup and secondary copy is beneficial when security requirements dictate that the backup must be encrypted while it transfers across the network and/or while it is stored on a disk-based backup device even though the disk based backup device is located within the corporate network. Job-level encryption is enabled on the Advanced Options tab of the NVBU Backup window. To access this tab, perform the following steps: 1. From the main NetVault: Backup window, click the Backup button on the toolbar or Large Buttons panel to open the NVBU Backup window. Alternatively, from the Operations menu, select Backup. 2. Select the Advanced Options tab.
20
Chapter 5 Backup
Figure 5-1: Advanced Options tab of NVBU Backup window
5.2.1
Encrypting Primary Backups To enable encryption for an individual primary backup, perform the following steps: 1. In the NVBU Backup window, click the Advanced Options tab. 2. Under Additional Options, select the Enable Encryption checkbox.
Figure 5-2: Enable Encryption checkbox
Note: To ensure that a primary backup selected for encryption is not deduplicated when targeted to NVSD Devices with the Deduplication Option, the Enable Deduplication option will be disabled for selection automatically when the Enable Encryption option is selected.
NetVault: Backup Encryption Plugin User’s Guide
5.3.0
21
Encrypting Secondary Copies With a backup job, you can choose to run a phase 2 job to create a secondary copy of the backup. NVBU supports the following methods for creating secondary copies:
Duplicate – This method creates an exact secondary copy which is linked to the original primary backup. During duplication, the copy is broken into segments and stored on the secondary backup device. During restore, segments from the primary copy and the secondary copy are interchangeable. This makes it impossible to unencrypt the primary backup and encrypt the secondary copy because it is not possible to mix unencrypted segments with encrypted segments during restore. Therefore, you cannot enable or disable encryption for a secondary copy created with the Duplicate method. If the original saveset is encrypted, the Duplicate method will create an encrypted secondary copy. If you have no encryption for the primary backup, the secondary copy will also be unencrypted.
Data Copy – This method is recommended when you want to create a secondary copy for offsite storage. Data Copying a backup breaks the backup into segments and copies the segments onto the targeted backup device. During restore, NVBU only restores the primary copy or the secondary copy. Backup segments from the primary and the secondary are not interchangeable. This enables the ability to encrypt the Data Copy, or secondary copy, while the primary copy remains unencrypted such as with deduplicated primary backups.
To create a secondary copy of a backup, perform the following steps: 1. In the Backup window, click the Advanced Options tab. 2. Under Secondary Copy, select the Create Secondary Copy checkbox. Figure 5-3: Secondary Copy options on the Advanced Options tab
3. Select one of the following copy methods:
Duplicate
Data Copy
22
Chapter 5 Backup 4. By default, the secondary job always runs on the NVBU Server. If you want to run the job on a particular Heterogeneous Client, select the Client in the Run Secondary Copy On list. This option can be used to perform local backups on SmartClients with a locally attached physical or virtual tape-based device. Important: When performing secondary copies, ensure that the NVBU Server or NVBU Client selected to run the Secondary Copy on is running NVBU v8.5 or later. 5. In the Using Schedule Set list, select the set that defines the scheduling options for the secondary job. Select Immediate if you want to run the instance immediately after the original job completes. You cannot use the Repeating or Triggered schedule types for the secondary job. If a schedule set is not available, click Manage. Configure the scheduling options on the NVBU Schedule Management window and click Save As to create the schedule set. For details on schedule sets, refer to the NetVault: Backup Administrator’s Guide. 6. In the Using Target Set list, select the set that defines the target device and media options for the secondary copy job. The original saveset and the copy cannot be stored in the same media. If a target set is not available, click Manage. Select the scheduling options in the NVBU Backup Target Management window and click Save As to create the schedule set. For details on target sets, refer to the NetVault: Backup Administrator’s Guide. Note: BakBone recommends that you designate specific tape-based drives for secondary copy jobs to prevent deadlocks. For example, if you have a library with 4 drives, you can select drives 1 and 2 for actual backups, and drives 3 and 4 for secondary copy jobs. 7. To encrypt the secondary copy, select the Encrypt Secondary Copy Only checkbox. This option is only available for the Data Copy method. Note: If the primary backup is encrypted, de-selecting the Encrypt Secondary Copy Only checkbox has no effect. Both the primary backup and the secondary copy will be encrypted. 8. To migrate data, select the Migrate checkbox. After migrating the data, NVBU deletes the index for the original backup.
NetVault: Backup Encryption Plugin User’s Guide
23
Note: With the File System Plugin, the Migrate option is only supported for Full Backups that do not have associated Incremental or Differential Backups. If the Migrate option is selected for a File System Full Backup that has an associated Incremental or Differential Backup or a File System Incremental or Differential Backup, the secondary copy will be created successfully; however, the index for the primary or original backup will not be deleted. An alternative would be to create the secondary copy with the Duplicate or Data Copy option and manually retire the primary or original backup in the Media Management window. 9. Select the Allow Streams to Share Media checkbox to convert multiple data streams into a sequential data stream and write it to the same media. This reduces the number of media items required for the copy. 10.Configure the retention period for the copy as described below:
To use the original saveset’s retention period, select Use Originals Life.
To set a different retention period for the duplicate, select Discard After. In the box provided, enter the retention period in number of days, weeks or years. Select Days, Weeks or Years option next to the box. You can only set a time-based retention policy for the secondary copy.
24
Chapter 5 Backup