ADSM-L

Re: [ADSM-L] LTO4 and encryption questions

2007-09-14 10:46:25
Subject: Re: [ADSM-L] LTO4 and encryption questions
From: "Strand, Neil B." <NBStrand AT LMUS.LEGGMASON DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Fri, 14 Sep 2007 10:44:17 -0400
David,
    There are 3 types of encryption methods - Application managed (where
TSM manages encryption), System managed, and Library managed.

   I am using a TS3500 with TS1120 drives and chose library managed for
its flexibility and granularity.  TSM (or any application) is oblivious
to the encryption process.  The keys are managed by the EKM application
that is installed on one or more servers.  On the library, tapes to be
encrypted are grouped together and drives to perform encryption are
grouped together as a logical library.

   Having encryption keys managed outside of TSM simplifies allowing
another group to manage the encryption for any compliance requirements.
You can configure the library to only encrypt a subset of tapes based on
their volser.  You can logically divide your library into several
libraries, where the drives in each virtual library either encrypt
or do not (all drives in a virtual library must have identical
encryption configuration).

   There is documentation on setting up the EKM and, if you are
thorough, it is not too difficult on AIX systems.  Just make sure that
you are in a non-production environment and have some time to test and
reconfigure to get it correct.

   Two big issues - (1) DO NOT lose the encryption key(s) (make a copy
on DVD and put the DVD in a lock box).  Lost encryption keys will mean
lost data.  (2) Set up at least two EKM servers on different physical
servers.  If one EKM server becomes unavailable, all tape operations
will stop unless another EKM server can be communicated with.

If your 3584 is an older model, you will probably need to upgrade its
firmware.

I have observed almost no performance degradation using encryption.

Ref: IBM Encryption Key Manager - Introduction and Planning Guide -
GA76-0418-01
Ref: http://www.redbooks.ibm.com/abstracts/sg247320.html?Open
Ref: http://www.redbooks.ibm.com/abstracts/sg247505.html?Open
Ref: ftp://service.software.ibm.com/storage/Encryption/

Cheers,
Neil Strand
Storage Engineer, Legg Mason


-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Oscar Kolsteren
Sent: Friday, September 14, 2007 3:17 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] LTO4 and encryption questions

Hi David,

If you plan to buy LTO4 drives, don't forget to mention to your supplier
you want to use encryption. You have to buy a separate feature for it,
feature is called 1604 - Transparent LTO Encryption.

We weren't made aware of this by IBM and it took a while before we
figured out we couldn't get encryption to work because of this.

Configuring this feature must be done by IBM, so that's what we are
waiting for at this moment.

Good luck....

Oscar Kolsteren


UNIX / TSM Administrator | ING Direct
410 Thames Valley Park Drive, Reading, Berkshire, RG6 1RH
Tel: 0118 938 1990 l Email: Oscar.kolsteren AT ingdirect.co DOT uk

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
David Longo
Sent: 13 September 2007 21:24
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] LTO4 and encryption questions

I have a 3584 library and am planning on adding LTO4.  I know LTO4 drives
support encryption by the drive.

1.  As LTO4 drives can read and write LTO3 tapes also, can it do
encryption on LTO3 tapes?

2.  With encryption on LTO tapes.  When an encrypted tape is "reclaimed"
by TSM, is it just another scratch tape?  I mean can it then be written
as encrypted or unencrypted, or is there some extra step to use a
scratch tape that was encrypted as unencrypted?  (Perhaps a silly
question, but maybe not.)

Thanks,
David Longo

