Re: [Networker] Encryption
2008-01-10 22:16:14
On Jan 10, 2008, at 9:38 PM, David Magda wrote:
> On Jan 10, 2008, at 16:35, lemons_terry AT emc DOT com wrote:
>> All of these require a supporting environment to provide key
>> management, drive configuration, etc. For the TS1120 and T10000A
>> at least, this adds tens of thousands of dollars to the cost of the
>> drive itself, in my experience.
>
> I'm probably missing something, but why can't Networker do the key
> management?
>
> I would think that the logical way to implement encryption for these
> tape drives is to have a SCSI command where you send a key and say
> "enable encryption". The backup software would then keep the key in
> its database and tie it to the backup session.

Do you propose that some Joe NetWorker administrator have access to
his or her organization's security keys? I for one would not want to
have that level of responsibility. The person who holds the keys
should be in the data security group, not the backup group. I
experimented with NetWorker 7.4's encryption feature last summer. As
soon as I got it working, my boss asked me never to use it again,
which is what I was hoping would happen. What would happen if the only
person who knows what the encryption key is gets struck by lightning
after having just changed the key in NetWorker? Without the key that
was used when an encrypted backup is done, recovering that data would
be impossible.

> Then, when you want to restore or clone, Networker (or whatever)
> would look up the file's save set, get the key, send it to the
> drive, and tell it to decrypt the data as it comes off the media.
>
> Does anyone know of any documents or white papers that describe the
> architecture of this?

Google is your friend. My favorite way to do encryption is http://www.ingrian.com
but there are also other options.
To sign off this list, send email to listserv AT listserv.temple DOT edu and type
"signoff networker" in the body of the email. Please write to networker-request
AT listserv.temple DOT edu if you have any problems with this list. You can access the
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER