Re: Tape library with hardware encryption
2009-02-11 09:19:28
Nicki Messerschmidt <amanda-u AT alienn DOT net> writes:
> does anyone know a good tape library which supports hardware encryption
> under linux with amanda?
Any LTO-4 drive supports encryption, but you need special software to
control it.
An LTO FAQ (<http://www.lto-technology.com/About/faq.php>) says:
: 8: What will users have to do to utilize LTO encryption?
:
: Users will enable encryption/decryption on the encrypting Generation 4
: tape drive and provide a key.
:
: The Generation 4 specification states that LTO Generation 4 drives
: support the SCSI Security Protocol commands, which may be used to
: enable encryption, and provide a key to the drive. Some vendor
: implementations may enable encryption and provide a key through a
: proprietary channel.
Vendors seem to prefer the proprietary channel. This usually means
that a special key management system (either software or
appliance-style (software bundled with special/proprietary hardware))
talks via Ethernet/IP with the library (this kind of communication is
called out-band), and the library talks via a library-internal
connection with the tape drive.
Quantum offers a software product called Q-EKM (see
<http://www.quantum.com/Solutions/encryption/Index.aspx>, there is a
more detailed whitepaper). It is Java-based software running on a
dedicated computer; a redundant configuration is strongly
suggested. It is licensed by the number of cartridge slots in the
libraries; AFAIR it costs something in the EUR 5000 range for 200 slots.
Hewlett-Packard offers an appliance product called Secure Key Manager
(see
<http://h18006.www1.hp.com/products/storageworks/secure_key/index.html>). A
product review on
<http://www.speicherguide.de/magazin/produkte.asp?todo=de&theID=922&mtyp=>
mentions a nearly EUR 70000 price tag.
IBM's products seem to be different (and less proprietary). An article
(<http://www.speicherguide.de/magazin/security.asp?todo=de&theID=2373&lv=700&mtyp=>)
suggests that IBM's backup software ("Tivoli") contains key management
and communicates in-band directly with the drive (via fibre channel).
IMHO only the in-band way makes sense for free software. Some
to-be-written software manages the keys and communicates via SCSI
commands (via SAS or FC connection) with the drive. It has to use a
"SCSI Security Protocol" that specifies special commands:
- SECURITY PROTOCOL IN
- SECURITY PROTOCOL OUT
Unfortunately I do not have access to the standards. And I have neither
enough low-level SCSI nor encryption knowledge/experience...
That's what I managed to learn about LTO hardware encryption...
Sven
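An added example that is not part of Sven's post and not code from the amanda project: the in-band path he sketches, driven from Linux through the sg driver. It builds the SECURITY PROTOCOL OUT command that loads a plain AES-256 key into an LTO-4 drive (Set Data Encryption page) and the SECURITY PROTOCOL IN command that reads the drive's encryption status back. The CDB and page byte layouts are my reading of SPC-4 and SSC-3 and should be checked against the standards before use; the device path (/dev/sgN, found with lsscsi -g), the 32-byte raw key file, the scope value and the CKOD choice are assumptions for illustration.

```c
/* Added example, not from the amanda project or this list: load an AES-256 key into an
 * LTO-4 drive with SECURITY PROTOCOL OUT and read its status with SECURITY PROTOCOL IN.
 * Byte layouts are my reading of SPC-4 (CDBs) and SSC-3 (Tape Data Encryption pages);
 * verify against the standards. Assumed: /dev/sgN for the drive, key file of 32 raw bytes. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <scsi/sg.h>
#include <sys/ioctl.h>
#endif

#define SPIN_OPCODE  0xA2                     /* SECURITY PROTOCOL IN  */
#define SPOUT_OPCODE 0xB5                     /* SECURITY PROTOCOL OUT */
#define SP_TAPE_DATA_ENCRYPTION 0x20          /* security protocol: tape data encryption */
#define PAGE_SET_DATA_ENCRYPTION    0x0010    /* SPOUT page */
#define PAGE_DATA_ENCRYPTION_STATUS 0x0020    /* SPIN page */
#define SCOPE_ALL_IT_NEXUS 2                  /* key applies to every initiator (assumed choice) */

struct des_status { int enc_mode, dec_mode, algorithm; uint32_t key_instance; };

/* Overwrite key material; volatile stops the compiler from eliding the stores. */
static void wipe(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }

/* Both commands share a 12-byte CDB: opcode, protocol, page code, byte count (MSB first). */
void build_cdb(uint8_t opcode, uint8_t protocol, uint16_t page, uint32_t len, uint8_t cdb[12]) {
    memset(cdb, 0, 12);
    cdb[0] = opcode; cdb[1] = protocol;
    cdb[2] = page >> 8; cdb[3] = page & 0xff;
    cdb[6] = len >> 24; cdb[7] = (len >> 16) & 0xff; cdb[8] = (len >> 8) & 0xff; cdb[9] = len & 0xff;
}

/* Set Data Encryption page. Modes: 0 = disable, 2 = encrypt / decrypt. Key is a plain
 * 32-byte AES-256 key (key format 0), or absent (keylen 0) when disabling. Returns page size. */
int build_set_data_encryption(int enc_mode, int dec_mode, const uint8_t *key, size_t keylen,
                              uint8_t scope, uint8_t *buf, size_t buflen) {
    size_t n = 20 + keylen;
    if ((keylen != 32 && keylen != 0) || buflen < n) return -1;
    memset(buf, 0, n);
    buf[0] = 0x00; buf[1] = 0x10;                    /* page code 0010h */
    buf[2] = (n - 4) >> 8; buf[3] = (n - 4) & 0xff;  /* length excludes the 4-byte header */
    buf[4] = (scope & 0x07) << 5;                    /* scope in bits 7..5; LOCK bit left clear */
    buf[5] = 0x04;                                   /* CKOD: drive forgets the key on unload */
    buf[6] = (uint8_t)enc_mode;
    buf[7] = (uint8_t)dec_mode;
    buf[8] = 0x00; buf[9] = 0x00;                    /* algorithm index (from capabilities page); key format plain */
    buf[18] = keylen >> 8; buf[19] = keylen & 0xff;
    if (keylen) memcpy(buf + 20, key, keylen);
    return (int)n;
}

/* Decode the fixed part of the Data Encryption Status page (0020h). */
int parse_data_encryption_status(const uint8_t *buf, size_t len, struct des_status *s) {
    if (len < 12 || buf[0] != 0x00 || buf[1] != 0x20) return -1;
    s->enc_mode = buf[5]; s->dec_mode = buf[6]; s->algorithm = buf[7];
    s->key_instance = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) | (buf[10] << 8) | buf[11];
    return 0;
}

/* One SPIN (to_device = 0) or SPOUT (to_device = 1) through SG_IO. 0 on success, -1 with errno. */
int sg_security_cmd(int fd, const uint8_t cdb[12], int to_device, uint8_t *data, size_t len) {
#ifdef __linux__
    uint8_t sense[32];
    struct sg_io_hdr io; memset(&io, 0, sizeof io);
    io.interface_id = 'S'; io.cmd_len = 12; io.cmdp = (unsigned char *)cdb;
    io.dxfer_direction = to_device ? SG_DXFER_TO_DEV : SG_DXFER_FROM_DEV;
    io.dxfer_len = (unsigned)len; io.dxferp = data;
    io.mx_sb_len = sizeof sense; io.sbp = sense; io.timeout = 20000;  /* ms */
    if (ioctl(fd, SG_IO, &io) < 0) return -1;
    if ((io.info & SG_INFO_OK_MASK) != SG_INFO_OK) { errno = EIO; return -1; }  /* sense[] has details */
    return 0;
#else
    (void)fd; (void)cdb; (void)to_device; (void)data; (void)len; errno = ENOSYS; return -1;
#endif
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s /dev/sgN keyfile\n", argv[0]); return 2; }
    uint8_t key[32], page[64], status[64], cdb[12];
    struct des_status s;
    int kfd = open(argv[2], O_RDONLY);
    if (kfd < 0 || read(kfd, key, 32) != 32) { perror("key file"); return 1; }
    close(kfd);
    int fd = open(argv[1], O_RDWR);
    if (fd < 0) { perror(argv[1]); return 1; }
    int n = build_set_data_encryption(2, 2, key, 32, SCOPE_ALL_IT_NEXUS, page, sizeof page);
    build_cdb(SPOUT_OPCODE, SP_TAPE_DATA_ENCRYPTION, PAGE_SET_DATA_ENCRYPTION, (uint32_t)n, cdb);
    int rc = sg_security_cmd(fd, cdb, 1, page, (size_t)n);
    wipe(key, sizeof key); wipe(page, sizeof page);   /* key now lives only in the drive */
    if (rc < 0) { perror("SECURITY PROTOCOL OUT"); return 1; }
    build_cdb(SPIN_OPCODE, SP_TAPE_DATA_ENCRYPTION, PAGE_DATA_ENCRYPTION_STATUS, sizeof status, cdb);
    if (sg_security_cmd(fd, cdb, 0, status, sizeof status) < 0 ||
        parse_data_encryption_status(status, sizeof status, &s) < 0) { perror("SECURITY PROTOCOL IN"); return 1; }
    printf("enc mode %d, dec mode %d, algorithm %d, key instance %lu\n", s.enc_mode, s.dec_mode, s.algorithm, (unsigned long)s.key_instance);
    return 0;
}
```

Run it against the drive's sg node before Amanda opens the tape device; the status read-back (encryption and decryption mode 2, key instance counter advanced) is the check that the drive actually accepted the key. The security decisions live in the page builder: CKOD makes the drive drop the key when the cartridge is unloaded, and the scope decides whether other initiators on the SAS/FC fabric inherit it. The key itself should come from whatever key store is used and be wiped from memory as soon as the drive has it; nothing here writes it to a log. The later stenc tool implements this same command sequence on Linux.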