http://www.symantec.com/business/support/index?page=content&id=TECH72130

Push the encryption binaries to the client using the following command on the master:

Install the license keys for encryption on the master server.

Create an encryption key file on the client by running the following command on the client (or on the master server with the -client option):

\NetBackup\bin\bpkeyutil -client

Enter new NetBackup passphrase: **********
Re-enter new NetBackup passphrase: **********

Verify the following files are on the client:
Windows:
\netbackup\share\version_crypt.txt
\Veritas\netbackup\share\ciphers.txt
\Veritas\netbackup\bin\bpkeyutil
\Veritas\netbackup\var\keyfile.dat (this file is created by the bpkeyutil command)

Unix:
/usr/openv/share/version_crypt
/usr/openv/share/ciphers.txt
/usr/openv/netbackup/bin/bpkeyutil
/usr/openv/var/keyfile.dat (this file is created by the bpkeyutil command)

On Netbackup administration console In the policy under the Attributes tab there is a selection for Encryption that determines if the backup will be encrypted. Check the check box.

In the NetBackup Administration Console, Expand NetBackup Management > Host Properties > Clients, double click to launch client properties window. Click on “Encryption” and Configure this client to be enabled for encryption.