Set up data encryption
Updated: May 13, 2016
Applies To: System Center 2012 SP1 - Data Protection Manager, System Center Data Protection Manager 2010, System Center 2012 R2 Data Protection Manager
One of the benefits of storing backups on tape is portability. However, if the tapes get in the wrong hands, data security could be compromised. System Center 2012 – Data Protection Manager (DPM) supports encrypting data on tape for long-term protection. To set up tape encryption you’ll need to prepare certificates.
Prepare for tape encryption
To encrypt data DPM needs a valid certificate in the DPMBackUp store of Certificates (Local Computer). System Center 2012 – Data Protection Manager (DPM) supports the use a certificate imported from a certification authority (CA) or a self-signed certificate. Note that self-signed certificates aren’t signed by a CA. They will ensure the encrypted web connection but don’t guarantee the identity of the organization that generated the certificate. Self-signed certificates are useful if the ability to encrypt data is more important than the ability to identify the issuing organization.
Create a self-signed certificate
In IIS Manager > Server Certificates > Create Self-signed Certificate.
In Specify Friendly Name, specify a name for the certificate.
When the certificate appears in the console, right-click > Export Certificate.
Export as a .pfx file to a location the DPM server. Specify a password for it.
Right-click DPMBackUp in the Certificates (Local Computer) of the Certificates store of the DPM server, and click Import.
In Browse change the extension to All Files, browse to the location on which you saved the .pfx file and select it. Type in the password and click Next. Ensure that Place all certificates in the following store is selected, and that DPMBackUp appears.
After a successful import you can click on Certificates under DPMBackUp to view the imported certificate.
Obtain a certificate from a CA
After obtaining the certificate, right-click it in the Certificates MMC and select Export Certificate.
Export as a .pfx file to a location the DPM server. Specify a password for it.
Optionally select Enable strong private key protection if available, to use strong private key protection
Optionally select Mark key as exportable if you want to back up or transport your keys at a later time.
Right-click DPMBackUp in the Certificates (Local Computer) of the Certificates store of the DPM server, and click Import.
In Browse change the extension to All Files, browse to the location on which you saved the .pfx file and select it. Type in the password and click Next. Ensure that Place all certificates in the following store is selected, and that DPMBackUp appears.
After a successful import you can click on Certificates under DPMBackUp to view the imported certificate.
Then enable encryption for a DPM protection group as described in Manage protection group settings.