Very good questions. I too would like to see good answers from people who know more about this than I do. :-)
3 If the key is lost, we've effectively lost all of our backups
Precisely, which is why many or most people don't use encrypted backups.
One possible way to go is to build a couple of "lifeboats", i.e. packages with install media, usernames and passwords for essential systems like backups, Active Directory and others (i.e. the stuff you need to load a backup if the main site has been completely destroyed in a fire, but not the backup data itself). You should store these lifeboats securely off site, for example in a bank vault, or in a high-security safe in a remote office with an alarm system. And lastly document this, so that others can figure out how to use the lifeboats after you've left the company, if needed.
4 Should the key change regularly? Once per year? What is the best practice?
From a practical point of view, I would say to not change the keys, since it quickly becomes unmanageable if you do. If you're worried about backup security not being good enough, then beef up physical security around your tapes, by using a service such as Iron Mountain, or by building a storage system with good physical security yourself.
Lastly: I would prefer to have all encryption & backup handling in one system, so there is less risk of recovery not working. By this I mean to use the built-in encryption in software like Retrospect or Backup Exec, rather than drive-level encryption.
Several people have moved off BE to Bacula, some for the reasons you cite, Dave. Many Bacula users using Overland libraries. I'll check on the specific model you are looking at.
Users have also successfully converted tapes from other systems. Easiest way is to restore the tape with BE then back it up with Bacula, using some tricks we know that allow you to make the Bacula tape have the same date/time stamp as the original backup. Our CTO is Kern Sibbald, author of Bacula and project manager.
Unlike Amanda, even our Enterprise Edition is GPL so you can use it for free. Amanda Enterprise requires payment and a proporietary EULA.
Who is the cluster vendor who recommended Bacula? I would like to write to him to thank him and also to congratulate him on his wise advice :-)
Feel free to contact me: jack.griffin@baculasystems.com
Best Answer
Bacula supports a Migration job type that should do what you need. See here.