Amanda-Users

Re: Tape library with hardware encryption

From: Sven Rudolph <Sven_Rudolph AT drewag DOT de>
To: "amanda-users AT amanda DOT org" <amanda-users AT amanda DOT org>
Date: Wed, 11 Feb 2009 14:34:50 +0100
Nicki Messerschmidt <amanda-u AT alienn DOT net> writes:

> does anyone know a good tape library which supports hardware encryption
> under linux with amanda?

Any LTO-4 drive supports encryption, but you need special software to
control it.

An LTO FAQ (<http://www.lto-technology.com/About/faq.php>) says:

: 8: What will users have to do to utilize LTO encryption?
:
: Users will enable encryption/decryption on the encrypting Generation 4
: tape drive and provide a key.
:
: The Generation 4 specification states that LTO Generation 4 drives
: support the SCSI Security Protocol commands, which may be used to
: enable encryption, and provide a key to the drive. Some vendor
: implementations may enable encryption and provide a key through a
: proprietary channel.

Vendors seem to prefer the proprietary channel. This usually means
that a special key management system (either software or
appliance-style (software bundled with special/proprietary hardware))
talks via Ethernet/IP with the library (this kind of communication is
called out-band), and the library talks via a library-internal
connection with the tape drive.

Quantum offers a software product called Q-EKM (see
<http://www.quantum.com/Solutions/encryption/Index.aspx>, there is a
more detailed whitepaper). It is Java-based software running on a
dedicated computer; a redundant configuration is strongly
suggested. It is licensed by the number of cartridge slots in the
libraries; AFAIR it costs something in the EUR 5000 range for 200 slots.

Hewlett-Packard offers an appliance product called Secure Key Manager
(see
<http://h18006.www1.hp.com/products/storageworks/secure_key/index.html>). A
product review on
<http://www.speicherguide.de/magazin/produkte.asp?todo=de&theID=922&mtyp=>
mentions a nearly EUR 70000 price tag.

IBM's products seem to be different (and less proprietary). An article
(<http://www.speicherguide.de/magazin/security.asp?todo=de&theID=2373&lv=700&mtyp=>)
suggests that IBM's backup software ("Tivoli") contains key management
and communicates in-band directly with the drive (via fibre channel).


IMHO only the in-band way makes sense for free software. Some
to-be-written software manages the keys and communicates via SCSI
commands (via SAS or FC connection) with the drive. It has to use a
"SCSI Security Protocol" that specifies special commands:

  - SECURITY PROTOCOL IN
  - SECURITY PROTOCOL OUT

Unfortunately I do not have access to the standards. And I have neither
enough low-level-SCSI nor encryption knowledge/experience...


That's what I managed to learn about LTO hardware encryption...

        Sven
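Editor's added example (not code from Sven's mail or from Amanda): the in-band path described above, reduced to bytes. It builds the 12-byte SECURITY PROTOCOL OUT / IN CDBs for security protocol 0x20 (tape data encryption), the Set Data Encryption page (0x0010) that loads a key and switches on encrypt/decrypt mode, and a parser for the Data Encryption Status page (0x0020), then dispatches them through the Linux sg driver's SG_IO ioctl. Field layouts follow SSC-3 as the free stenc tool implements them; the sg_io_hdr struct layout assumes x86_64 Linux and the ioctl path is not exercised offline. Algorithm index 1 (AES-256-GCM on LTO-4) and the device path /dev/sg3 are assumptions, and SAMPLE_STATUS_PAGE is a constructed response, not one captured from a drive.

```python
"""LTO-4 tape encryption via SCSI SECURITY PROTOCOL OUT/IN (SSC-3, protocol 0x20).

Added example for this thread, not code from the original post or Amanda.
Layouts follow SSC-3 as implemented by stenc; the SG_IO dispatch assumes x86_64
Linux and is untested offline.  ALGO index 1 is an assumption (check the drive's
Data Encryption Capabilities page before relying on it).
"""
import ctypes
import fcntl
import struct
import sys

SECURITY_PROTOCOL_IN = 0xA2            # 12-byte CDB opcodes (SPC-4)
SECURITY_PROTOCOL_OUT = 0xB5
SP_TAPE_DATA_ENCRYPTION = 0x20         # security protocol field: tape data encryption
PAGE_SET_DATA_ENCRYPTION = 0x0010      # SPOUT page: load key, set modes
PAGE_DATA_ENCRYPTION_STATUS = 0x0020   # SPIN page: current drive state

ENC_DISABLE, ENC_EXTERNAL, ENC_ENCRYPT = 0, 1, 2
DEC_DISABLE, DEC_RAW, DEC_DECRYPT, DEC_MIXED = 0, 1, 2, 3
ALGO_AES256_GCM = 1                    # assumption, see module docstring

# Constructed example of a status page (encrypt+decrypt on, algo 1, key instance 7).
SAMPLE_STATUS_PAGE = bytes.fromhex(
    "00200014400202010000000700000000000000000000000000000000")


def _security_cdb(opcode, page, length):
    # byte 1: security protocol; bytes 2-3: page code; bytes 6-9: length; INC_512 clear
    cdb = bytearray(12)
    cdb[0], cdb[1] = opcode, SP_TAPE_DATA_ENCRYPTION
    struct.pack_into(">H", cdb, 2, page)
    struct.pack_into(">I", cdb, 6, length)
    return bytes(cdb)


def spout_cdb(page, length):
    return _security_cdb(SECURITY_PROTOCOL_OUT, page, length)


def spin_cdb(page, alloc_len):
    return _security_cdb(SECURITY_PROTOCOL_IN, page, alloc_len)


def set_data_encryption_page(key, enc_mode=ENC_ENCRYPT, dec_mode=DEC_DECRYPT,
                             algo=ALGO_AES256_GCM, ckod=True):
    """Set Data Encryption page (0x0010).  key: raw 32-byte AES-256 key, empty to disable.
    Key format 0x00 sends the key in plaintext over SAS/FC, so the host must be trusted.
    CKOD (clear key on demount) makes the drive forget the key when the tape is unloaded."""
    if enc_mode != ENC_DISABLE and len(key) != 32:
        raise ValueError("AES-256 needs a 32-byte key")
    page = bytearray(20)
    struct.pack_into(">H", page, 0, PAGE_SET_DATA_ENCRYPTION)
    page[4] = 2 << 5                   # scope = 2 (all I_T nexuses), LOCK = 0
    page[5] = 0x04 if ckod else 0x00   # CKOD bit
    page[6], page[7], page[8], page[9] = enc_mode, dec_mode, algo, 0x00  # 0x00 = plain key
    struct.pack_into(">H", page, 18, len(key))
    page += key
    struct.pack_into(">H", page, 2, len(page) - 4)  # page length excludes 4-byte header
    return bytes(page)


def parse_data_encryption_status(page):
    """Decode the Data Encryption Status page (0x0020) returned by SPIN."""
    code, length = struct.unpack_from(">HH", page, 0)
    if code != PAGE_DATA_ENCRYPTION_STATUS or length + 4 > len(page):
        raise ValueError("unexpected page 0x%04x / length %d" % (code, length))
    enc, dec, algo = page[5], page[6], page[7]
    kic = struct.unpack_from(">I", page, 8)[0]   # key instance counter
    return {"encryption_mode": enc, "decryption_mode": dec, "algorithm_index": algo,
            "key_instance_counter": kic,
            "encrypting": enc == ENC_ENCRYPT and dec == DEC_DECRYPT}


# ---- Linux SG_IO transport (not exercised offline) --------------------------
SG_IO = 0x2285
SG_DXFER_TO_DEV, SG_DXFER_FROM_DEV = -2, -3
_SG_IO_HDR = struct.Struct("@iiBBHIPPPIIiPBBBBHHiII")   # sg_io_hdr_t, 88 bytes on x86_64


def sg_io(fd, cdb, data, to_device, timeout_ms=30000):
    """Issue one CDB through the sg driver; data (bytearray) is filled in place on reads."""
    cmd = ctypes.create_string_buffer(cdb, len(cdb))
    sense = ctypes.create_string_buffer(32)
    buf = (ctypes.c_char * len(data)).from_buffer(data)
    hdr = bytearray(_SG_IO_HDR.pack(
        ord("S"), SG_DXFER_TO_DEV if to_device else SG_DXFER_FROM_DEV,
        len(cdb), len(sense), 0, len(data),
        ctypes.addressof(buf), ctypes.addressof(cmd), ctypes.addressof(sense),
        timeout_ms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0))
    fcntl.ioctl(fd, SG_IO, hdr)                      # hdr is updated in place
    f = _SG_IO_HDR.unpack(hdr)
    status, sb_len, host, driver = f[13], f[16], f[17], f[18]
    if status or host or driver:
        raise OSError("SCSI status 0x%02x host 0x%x driver 0x%x sense %s"
                      % (status, host, driver, sense.raw[:sb_len].hex()))


def enable_encryption(fd, key):
    page = set_data_encryption_page(key)
    sg_io(fd, spout_cdb(PAGE_SET_DATA_ENCRYPTION, len(page)), bytearray(page), True)


def query_status(fd):
    buf = bytearray(256)
    sg_io(fd, spin_cdb(PAGE_DATA_ENCRYPTION_STATUS, len(buf)), buf, False)
    return parse_data_encryption_status(bytes(buf))


if __name__ == "__main__":
    # usage (root): python3 lto_enc.py /dev/sg3 keyfile   (keyfile = exactly 32 raw bytes)
    with open(sys.argv[2], "rb") as kf, open(sys.argv[1], "rb") as dev:
        enable_encryption(dev.fileno(), kf.read())
        print(query_status(dev.fileno()))
```

The key never leaves the host encrypted: with key format 0x00 it crosses the SAS or FC link in the clear, and any process that can open the sg device can reload or clear it, so the key-management side that Sven says still needs writing has to live on a trusted host with the device node locked down. CKOD is set here so that a cartridge change drops the key from the drive automatically.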


