ADSM-L

Re: [ADSM-L] AW: [ADSM-L] 3592 Drive Encryption

2008-01-09 11:47:32
Subject: Re: [ADSM-L] AW: [ADSM-L] 3592 Drive Encryption
From: Wanda Prather <wprather AT JASI DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 9 Jan 2008 11:46:46 -0500
I'm confused.

The 3592-J1A drives (the original 3592s) require an upgrade to support
encryption.
The 3592-E05 drives are now called TS1120 drives; I thought ALL those drives
shipped with encryption.
The question may be what type of library you have, and whether the library
requires a firmware upgrade for encryption support.

If you are going to run TSM-based encryption, I strongly recommend upgrading
to 5.5 first.  In 5.3/5.4, the TDP clients support "transparent" encryption;
you don't have to worry about key management, TSM generates random keys and
manages them for you.  Starting in 5.5, the basic clients work the same way,
with "Transparent" encryption using randomly generated keys stored in the
TSM DB.

IF you turn on client encryption, be sure to turn on client compression as
well.  Once the data is encrypted, the tape drives can't compress it
outboard.  The clients are smart enough to do compression before encryption,
if both are enabled.  (This will slow down your backups, and especially slow
down restores because of the cycles needed to decompress and decrypt.)

But I agree with Neil;  hardware encryption is faster and cleaner.  I would
double check on your drive support....
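
The point above about enabling client compression together with client encryption deserves a concrete demonstration: ciphertext looks random to a compressor, so whoever encrypts first must also compress first. The script below is an added example, not code from the thread or from TSM. It stands in for the client's cipher with an HMAC-SHA256 counter-mode keystream (a demonstration construct, not TSM's actual encryption and not a production design) and uses zlib for compression, with a constructed sample of repetitive backup-log text as the data.

```python
"""Compress-then-encrypt versus encrypt-then-compress.

Added example, not from the ADSM-L thread. The thread states that once client
encryption is on, the tape drives can no longer compress the data outboard, so
compression has to happen on the client before encryption. This reproduces
the effect: zlib compresses the plaintext well, but cannot shrink the
ciphertext at all.
"""
import hashlib
import hmac
import zlib

# Constructed sample data: 2000 repetitive, highly compressible log lines.
SAMPLE_PLAINTEXT = b"".join(
    b"2008-01-09 12:%02d:%02d backup /home/user/file%04d.dat OK\n"
    % (i // 60 % 60, i % 60, i)
    for i in range(2000)
)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes as HMAC-SHA256(key, nonce || counter).

    Demonstration construct standing in for a real stream cipher; it is only
    here so the example runs with the standard library.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream. Output is indistinguishable from random."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# XOR with the same keystream undoes itself, so decryption is the same call.
decrypt = encrypt


def compare_orderings(key: bytes, nonce: bytes, plaintext: bytes):
    """Return (ratio_compress_first, ratio_encrypt_first).

    Each ratio is stored bytes / plaintext bytes; lower is better. The first
    mirrors a client that compresses, then encrypts. The second mirrors an
    encrypting client whose data then reaches a compressing drive.
    """
    compress_first = encrypt(key, nonce, zlib.compress(plaintext, 6))
    encrypt_first = zlib.compress(encrypt(key, nonce, plaintext), 6)
    return (len(compress_first) / len(plaintext),
            len(encrypt_first) / len(plaintext))


def protect(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Client-side order: compress, then encrypt."""
    return encrypt(key, nonce, zlib.compress(plaintext, 6))


def restore(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Restore order: decrypt, then decompress (the reverse of protect)."""
    return zlib.decompress(decrypt(key, nonce, blob))


if __name__ == "__main__":
    # Constructed demo key and nonce; a real client would generate random ones.
    key = b"\x01" * 32
    nonce = b"\x02" * 16
    r_cf, r_ef = compare_orderings(key, nonce, SAMPLE_PLAINTEXT)
    print(f"compress then encrypt: {r_cf:.3f} of original size")
    print(f"encrypt then compress: {r_ef:.3f} of original size")
    assert restore(key, nonce, protect(key, nonce, SAMPLE_PLAINTEXT)) == SAMPLE_PLAINTEXT
```

Run it and the second ratio comes out slightly above 1.0: zlib falls back to stored blocks on the ciphertext and adds only its own framing overhead, which is exactly the outboard-compression loss the message describes. The `restore` function also shows why restores pay for both steps in CPU: the data must be decrypted before it can be decompressed.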


On 1/9/08, Herrmann, Boris <Boris.Herrmann AT arag DOT de> wrote:
>
> Neil,
>
> thanks for your detailed information. I've checked with IBM support.
> Unfortunately our 3592-E05 Drives are not encryption capable. IBM support
> told me that we can purchase a feature code (with the result that all our
> drives would be replaced with new ones), but our management didn't want to pay
> anything.
>
> They asked me if there would be any other way to encrypt the data without
> any cost. I don't know any way except the TSM client encryption (but I think
> it's not practical to encrypt every data on the client systems, or is it?).
> We make normal backups and archives, a lot of db2 api backups, TDP
> (Exchange, Domino, MSSQL) and Oracle RMAN backups. Every day we back up
> about 3-5 TB.
>
> Does anyone have any other practical implementation of encrypting Volumes
> without hardware drive encryption?
>
> With kind regards,
> ______________________________________
>
> Boris Herrmann
> Produktion / Heterogene Systeme
>
> ARAG IT GmbH
> ARAG Platz 1, 40472 Düsseldorf
>
> Tel:  +49 (0)211 964-1137
> Fax: +49 (0)211 964-1155
> Boris.Herrmann AT ARAG DOT de
> www.ARAG.de
>
>
> Managing Directors:  Ottmar Liebler, Hanno Petersen
> Registered office and court of registration:  Düsseldorf,  HRB 10934
> VAT ID No.:  DE 119 356 473
>
>
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
> Strand, Neil B.
> Sent: Monday, 7 January 2008 17:03
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Re: [ADSM-L] 3592 Drive Encryption
>
>
> Boris,
>   Verify that the library and drives are capable - may need a firmware
> upgrade or feature code - check with IBM.  You will also want to ensure you
> have the latest Atape driver installed.
>
>   A logical library is either encryption capable or not - the drives in a
> logical library cannot be mixed.  If you implement library managed
> encryption, you have a great deal of flexibility over which volumes get
> encrypted and with which encryption keys they are encrypted.
>
>   I strongly encourage you to set up at least two, redundant Encryption
> Key Managers (EKM) because if a drive is unable to get a key, you get no
> volume to read from or write to and things can grind to a halt quickly.
>   There are several IBM references including a Redbook on setting up the
> EKM.
>
>   You may consider first creating a logical library with one or two drives
> and then testing various configurations with a small number of volumes and
> data that can be lost if you mess up.  If you lose the encryption key, you
> lose the data that was saved with it - you have been warned, no key, no
> data.
>
>   I encrypt everything that goes on tape (primary and copy pools) on the
> assumption that tape is easily transportable.  If a tape is ejected from the
> library (for any reason), all of the data is still protected by
> encryption.  There is negligible performance impact with encryption on these
> drives.
>
>   Plan on at least a 4-6 week implementation and make sure you test and
> document your key and data recovery procedures and key changing procedures.
>
>   I chose to implement library managed rather than application managed
> because it offered flexibility to have the encryption component managed by
> our security team without having them learn TSM.  It also allows encryption
> of media outside of TSM so if we need to ship a tarfile on tape, it can be
> done securely with a minimum of fuss.  Library managed also allows you to
> specify which tapes get encrypted - a volser range or a single tape to be
> encrypted with a specific encryption key (that key could be shared with a
> business partner).
>
>
> Cheers,
> Neil Strand
> Storage Engineer - Legg Mason
> Baltimore, MD.
> (410) 580-7491
> Whatever you can do or believe you can, begin it.
> Boldness has genius, power and magic.
>
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
> Herrmann, Boris
> Sent: Monday, January 07, 2008 10:10 AM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: [ADSM-L] 3592 Drive Encryption
>
> Hello TSM'ers,
>
> I've a question regarding Drive Encryption. We have a TSM Server v5.4.1.2 (on
> AIX 5.3.0.0) with a 3584 Tape Library and 3592-E05 Drives. We share this
> Library with our mainframe colleagues (one logical Library for mainframe and
> one logical Library for our TSM environment). Now our management wishes to
> encrypt our COPYSTORAGE-Pool volumes.
>
> My questions:
> Does anyone have any experience with that issue and can give us some hints and
> tips on how to implement the Drive Encryption? Do we need additional Feature
> Codes for the Drives? Can we enable Drive Encryption only for our Logical
> Library without interfering with our mainframe colleagues?
>
>
> With kind regards,
>
> Boris Herrmann
> Produktion / Heterogene Systeme
>
> ARAG IT GmbH
> ARAG Platz 1, 40472 Düsseldorf
>
> Tel:  +49 (0)211 964-1137
> Fax: +49 (0)211 964-1155
> Boris.Herrmann AT ARAG DOT de
> www.ARAG.de <http://www.arag.de/>
>
> Managing Directors:  Ottmar Liebler, Hanno Petersen
> Registered office and court of registration:  Düsseldorf,  HRB 10934
> VAT ID No.:  DE 119 356 473
>
>