Due to the number of searches I’ve been getting for this, I will explain how I did Symantec Backup Exec Exchange GRT backups to disk. If you’ve not read my reasons for not using GRT to back up Exchange, you should probably do so. If you still insist on using it, keep reading.
First off, an Exchange GRT backup cannot be encrypted by Backup Exec when a backup-to-disk device is used. In order to encrypt the backup, I’ve instead chosen to use EFS. When Backup Exec does a GRT backup, it doesn’t store these backups in the “Veritas” folder (at least in 11D and 12 it doesn’t) like it does with the other backups. Instead it creates a folder for each storage group that begins with IMG followed by a sequence of numbers. Any time a GRT backup is started, a new set of folders is created. Removable backup-to-disk devices are specified with a drive letter, so these IMG folders are created under the root folder (making it much more difficult to use EFS, because we cannot tell EFS to automatically encrypt all folders under the root folder).
So I wanted to use a removable backup-to-disk device and encrypt our Exchange backups. After watching the IMG folders, I realized that the numbers weren’t random. I believe Backup Exec begins at 000001 and begins counting up. If your Exchange GRT backup backs up 2 storage groups, this number will increment twice with every backup (Backup Exec puts the storage groups in separate folders). If I chose to encrypt the backup after it is complete, it takes FAR too long on a USB disk, so I created a script that will create the necessary folders before the Exchange GRT backup begins.
I’ve included the source code to this script. You’ll need to install ActivePerl before it will work (Google it). Rename the script to end with the extension “.pl”. I swap my backup disks on Friday. On Friday this script will delete the IMG files off of the backup disk (because Backup Exec doesn’t seem to delete the IMG folders on its own). The script then opens a file in the Backup Exec folder to read the last number used for an IMG number. It then creates 1 IMG folder (uncomment the appropriate sections to have it create multiple IMG folders for a backup), then tells the system to encrypt that folder. Any files added to this folder after we encrypt it are automatically encrypted.
Create the file “C:\Program Files\Symantec\Backup Exec\scripts\enc_fold_num.txt”. Look at your last backup and find the IMG folder with the highest number. Enter this number without leading zeros into this file. Edit the script and make sure it is creating the folders on the right drive letter. Next you’ll need to edit your Exchange backup job. Under the Pre/Post Job section, you’ll need to add the path for this Perl script (you may need to specify the Perl executable and feed it this Perl script so that it actually runs).
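The following Perl is an added example, not the author's original script, that implements the pre-job steps described above. The drive letter E:, the six-digit IMG name width (taken from the 000001 starting value mentioned above) and the use of the Windows `cipher /E` command to apply EFS are assumptions to adjust for your server.

```perl
#!/usr/bin/perl
# Added example (not the author's script): pre-create EFS-encrypted IMG
# folders before a Backup Exec Exchange GRT backup-to-disk job runs.
use strict;
use warnings;
use File::Path qw(rmtree);

# Assumptions: edit the drive letter and storage group count for your job.
my $drive        = 'E:';  # removable backup-to-disk device (assumed letter)
my $group_count  = 1;     # IMG folders to create, one per storage group
my $counter_file = 'C:\\Program Files\\Symantec\\Backup Exec\\scripts\\enc_fold_num.txt';

# Friday (wday 5) is disk-swap day: clear old IMG folders from the disk.
if ((localtime)[6] == 5) {
    opendir(my $dh, "$drive\\") or die "Cannot read $drive\\: $!";
    for my $name (grep { /^IMG\d+$/i } readdir $dh) {
        rmtree("$drive\\$name");
    }
    closedir $dh;
}

# Read the last IMG number used (stored without leading zeros).
open(my $in, '<', $counter_file) or die "Cannot open $counter_file: $!";
my $last = <$in>;
close $in;
defined $last or die "$counter_file is empty\n";
$last =~ s/\s+//g;
$last =~ /^\d+$/ or die "Counter file does not hold a number: '$last'\n";

for my $i (1 .. $group_count) {
    # Assumed name format: IMG plus a six-digit, zero-padded counter.
    my $dir = sprintf('%s\\IMG%06d', $drive, $last + $i);
    -d $dir or mkdir $dir or die "Cannot create $dir: $!";
    # cipher /E marks the folder so files added later are EFS-encrypted.
    # Stop on failure so the job never writes into a plaintext folder.
    system('cipher', '/E', $dir) == 0 or die "cipher failed for $dir\n";
}

# Save the new highest number only after every folder is encrypted.
open(my $out, '>', $counter_file) or die "Cannot write $counter_file: $!";
print {$out} $last + $group_count, "\n";
close $out;
```

After the first run, `cipher E:\IMG*` (with your drive letter) lists each folder with an E flag if the encryption attribute was applied.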
This last step is the most important by far. You NEED to back up your EFS certificate. If you don’t, and something happens to this server, you will not be able to access the data on your backup drives. You’ll need to encrypt something in order to get an EFS certificate. You might go ahead and tell it to encrypt a file (right click on it and click Properties, then click the check for encrypt). To back up your EFS certificate, open up Internet Explorer. Click Tools > Internet Options. Click the “Content” tab. Then click the “Certificates” button. Under the “Personal” tab, there should be a certificate that says it is intended for “Encrypting File System”. Click the “Export” button on this certificate. Click Next. Tell it to export the private key. Click Next. Enter a password (don’t lose this password). Enter a file name, click Next. Then click Finish.
Copy this EFS certificate to a safe place. It is probably a good idea to test and make sure that you can import the certificate elsewhere and read the encrypted data (if you can’t read it, you’ll get an “access is denied” error when you try to access it). Also take note of the expiration date listed in the box. Calendar this date (if it is in the next 10 years). When it comes, your system will create a new EFS key automatically and you won’t be able to read your backups unless you export the new key.

