Search This Blog

Tuesday, February 21, 2012

Encrypt Data to Tape in DPM 2012


Today we are going to look into how to secure the data store into tape. To encrypt the data store in tape, you need to have a valid certificate. When configure tape select “Encrypt Data”


Below screenshot is the error message when you’re trying to backup data to tape. The job will fail because it did not detect certificate under DPMBackupStore Store under Certificate snap-in.


To resolve this issue, use any computer with IIS snap-in. Create a self signed certificate.

Below is the screenshot, on how to create a self signed certificate.


Provide a certificate name. Example: DPMCert


Once the self signed certificate has created, export the certificate and transfer to DPM 2012 Server.


In the DPM 2012 Server, open mmc snap-in and add Certificate snap-in. Import the certificate to DPMBackupStore Store. DPM will use these certificates to encrypt data. You can store multiple certificates there if you want DPM to create a key by using more than one certificate.


When your certificates expire, you must move them into the DPMRestoreStore folder in the Certificate Store. This ensures that you can recover the expired certificates from an encrypted tape by using a certificate that is no longer active.

After import the certificate, you can re-run the job to tape the tape and now you will be able to encrypt data to tape.


  1. How do we ensure we can restore this data in an offsite disaster situation?

  2. Make sure the certificate is transfer as well to destination DPM server

  3. I don't want to have ISS on my DPM server. How can I use my Enterprise CA?

  4. You can issue a certificate based on the "Web Server" Template if you are using Windows CA.

  5. Still not able to find clear instructions for creating tape encryption templates and certificates in Server 2012 for DPM 2012.

    - do we need the private key exported?

    - what compatibility level do we need (2003, 2008, 2008R2 or 2012?)

    - can we use anything other that Microsoft RSA?

    - can we request the certificate directly from the backup store or do we have to request is from the Personal store and then do some fiddly import/export process?

    - should we use the new (from 2008 I think) "Tape Backup" Application Policy?

    Do we have to put the cert in both the Backup AND the Restore store to do a backup

    Note that it is quite easy by trial and error to get a cert that will work for backup and restore on a single DPM server, but much harder to get one that will work on another DPM server in another domain (offsite DR situation).

    Can anyone please help?


Note: Only a member of this blog may post a comment.