Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Security and Encryption Guide
  3. Ciphers used in NetBackup for secure communication
  4. Ciphers used in NetBackup
NetBackup™ Security and Encryption Guide

Ciphers used in NetBackup

This section lists the ciphers that are used in NetBackup.

Ciphers used for local account password encryption

NetBackup typically does not use local accounts. Instead, accounts that are defined on the local OS or an external identity provider (SAML, AD, or LDAP) are used.

Ciphers used in NetBackup for web API and web UI access (port 443 and 1556)

Table: Ciphers used in NetBackup for web API and web UI access (port 443 and 1556)

Product version

TLS version

Enabled ciphers

NetBackup 10.0 to 10.3

TLSv1.2

ECDHE-RSA-AES128-GCM-SHA256

DHE-RSA-AES128-GCM-SHA256

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

NetBackup 10.4 and later

TLSv1.2

ECDHE-RSA-AES128-GCM-SHA256

DHE-RSA-AES128-GCM-SHA256

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

TLSv1.3

TLS_AES_128_GCM_SHA256

TLS_AES_256_GCM_SHA384

Ciphers used in NetBackup for MQbroker (port 13781)

Table: Ciphers used in NetBackup for MQbroker (port 13781)

Product version

TLS version

Enabled ciphers

NetBackup 10.0 to 10.5

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

NetBackup 10.5.0.1 and 11.0 (when FIPS mode is disabled)

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

TLSv1.3

TLS_AES_256_GCM_SHA384

TLS_AES_128_GCM_SHA256

TLS_CHACHA20_POLY1305_SHA256

NetBackup 10.5.0.1 and 11.0 (when FIPS mode is enabled)

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

TLSv1.3

TLS_AES_256_GCM_SHA384

TLS_AES_128_GCM_SHA256

Ciphers used for communication between NetBackup hosts

Table: Ciphers used for communication between NetBackup hosts

Product version

TLS version

Enabled ciphers

NetBackup 10.0 to 10.4

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

NetBackup 10.5 and 11.0 (when FIPS mode is disabled)

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

TLSv1.3

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_AES_128_GCM_SHA256

NetBackup 10.5 and 11.0 (when FIPS mode is enabled)

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

TLSv1.3

TLS_AES_256_GCM_SHA384

TLS_AES_128_GCM_SHA256

Ciphers used in NetBackup for communication with AD/LDAP servers

If configured, NetBackup uses Openldap to connect directly to LDAP or AD servers. Both LDAP and LDAPS (LDAP over TLS) are supported. The ciphers supported are listed in the following table. The actual cipher chosen for the connection is determined by the configuration of the AD/LDAP server.

Table: Ciphers used in NetBackup for communication with AD/LDAP servers

Product version

TLS version

Enabled ciphers

NetBackup 10.4

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-AES256-SHA

DHE-RSA-AES256-SHA

NetBackup 10.5 and later (when FIPS mode is disabled)

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-AES256-SHA

DHE-RSA-AES256-SHA

TLSv1.3

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_AES_128_GCM_SHA256

NetBackup 10.5 and later (when FIPS mode is enabled)

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-AES256-SHA

DHE-RSA-AES256-SHA

TLSv1.3

TLS_AES_256_GCM_SHA384

TLS_AES_128_GCM_SHA256

Ciphers used in NetBackup for data at rest encryption

Table: Ciphers used in NetBackup for data at rest encryption

Product version

Hardware or software-based encryption

Ciphers

NetBackup 10.x and 11.0

Software based except for tape drive encryption

MSDP:

AES-256-CTR

Legacy cloud connector and Advanced Disk Crypt:

AES-256-CFB

Client encryption (selected by customer):

AES-128-CFB (default)

AES-256-CFB

Tape drive encryption (hardware-based):

AES-256

Feedback

Was this page helpful?
Previous

Ciphers used in NetBackup for secure communication

Next

FIPS compliance in NetBackup

Feedback

Was this page helpful?