Networker

Re: [Networker] New libraries with LTO-4 & encryption

2008-07-26 13:46:10
Subject: Re: [Networker] New libraries with LTO-4 & encryption
From: Charles Weber <chaweber AT gmail DOT com>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Sat, 26 Jul 2008 13:25:37 -0400
HP has a USB key for small business LTO4 encryption. It only works with
some of their libraries (MSL series) but lists for ~$2500 or so. We will
end up using it, I expect. The price is right and for my situation it is
a reasonable solution. 

On Fri, 2008-07-25 at 09:14 -0400, Clark, Patti wrote:
> > -----Original Message-----
> > From: EMC NetWorker discussion 
> > [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On Behalf Of Davina Treiber
> > Sent: Thursday, July 24, 2008 6:06 PM
> > To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
> > Subject: Re: [Networker] New libraries with LTO-4 & encryption
> > 
> > Clark, Patti wrote:
> > 
> > > Some $$ have come our way and management made the decision that we are
> > > going to LTO-4 and encryption.  That being said, we've moved forward on
> > > the research and pricing.  Before we actually place the order I want to
> > > see if anyone else has had [b]leading edge experience in this area that
> > > might provide me with questions that I haven't thought to ask or
> > > suggestions on how to handle some of the aspects that are new with the
> > > technology.  We've looked at appliances and have decided not to go that
> > > way.
> > >
> > > The current system is RHEL4, NWv7.3.3 (server and clients) with a mix of
> > > RHEL, Solaris, OSX, and Win clients,
> > > 1 - SCSI attached library with 3 LTO-2 drives.
> > >
> > > The new system will be RHEL4 or 5 (updated with new HBAs), NWv7.4.2 same
> > > client mix
> > > 1 - FC attached library (Quantum i500) with 3 LTO-4 drives (IBM) - at
> > > least 2 drives will have encryption enabled.
> > > Software to perform encryption key management
> > >
> > > I've kept track of the HBA discussions, IBM drive info, Networker
> > > upgrade threads, and anything else related.  I expect to upgrade
> > > Networker and then the OS prior to the HW switch.  Not much has been
> > > said about encryption.  Does it work as advertised?  Is it fairly
> > > seamless?  Networker doesn't really see any difference and it's business
> > > as usual?  How about key management?  Do I believe the sales materials?
> > 
> > I've used this. When you get the key management set up and running, yes
> > it is totally transparent to NetWorker. In theory you lose a tiny amount
> > of throughput, but the LTO-4 drives are so fast in the first place that
> > you are unlikely to be able to drive them fast enough to see a difference.
> >
> > The question is, what are you going to use to manage the encryption?
> > Some backup apps are capable of managing this, NetWorker is not one of
> > them. TSM is, but this is probably because IBM has a vested interest in
> > encryption since they are an LTO vendor.
> >
> > In my case, my customer controlled the encryption from an IBM TS3500
> > library (AKA 3584). The key management software is called EKM and runs
> > on one or more Unix boxes (probably Windows too). It was tricky to set
> > up, even with the help of the IBM "expert" who I don't think had done
> > this before. The problems mainly revolved around Java versions (quelle
> > surprise) and some inconsistencies between different versions of the
> > software on different platforms.
> >
> > Once it was working it worked very well. The encryption can be
> > selectively enabled based on barcode ranges. You can have a large number
> > of keys if you desire. If the key manager software is stopped, normal
> > operations will continue until such time as a tape needs labelling, at
> > which point you see perplexing (apparent) media failures. Restarting EKM
> > fixes this.
> >
> > IMHO this is a better option than an encryption appliance and certainly
> > better than the limited functionality supplied by any backup software
> > package such as NetWorker. The big drawback of NetWorker encryption of
> > course is that you lose compression when you use it. This will impact on
> > throughput and media usage. Apparently the IBM TS1120 drives offer even
> > better capabilities in terms of key management than LTO-4, but at a price.
> >
> > I predict that in a few years everyone will use drive-based hardware
> > encryption and the other methods will die. Only low end drives will be
> > unencrypted. I could be wrong.
> > 
> Thank you, Davina.  This info is exactly what I am looking for. Quantum
> is using IBM drives in their libraries at this time. The sales rep just
> sent me Quantum's White Paper on their key manager - they call it Q-EKM.
> It is software that they are recommending running on a separate box from
> the backup server.  Hopefully, I'll be able to wrap my mind around this
> big change and not find myself in a big trap.
> 
> To reply as to why not use an appliance?  It is more expensive of a
> solution for us.  You need an appliance for each channel connection.
> For my 3-tape drive library I'd need at least 2 appliances.  Pricing
> estimates run $20-$30K per appliance.  One additional thought, I started
> looking at this subject last fall.  Already, one of the appliance
> vendors has been acquired.  This technology is still shaking out and
> there is no telling who will remain in the game and offer support until
> the end.  IBM, HP, and Quantum will either be here or their technologies
> will be supported because of their large presence.  
> 
> One more observation for anyone looking to go LTO-4 with the idea that
> encryption will come later, there are tape drives and libraries that
> will do everything LTO-4 but NOT encryption.  Not now and not later.  I
> was looking at a different, smaller library that supports LTO-3 and
> LTO-4.  I just found out that it does not support encryption.  As Davina
> described, the library HW/SW itself is an integral part of the
> encryption management.
> 
> Patti 
>  
> 
> To sign off this list, send email to listserv AT listserv.temple DOT edu and 
> type "signoff networker" in the body of the email. Please write to 
> networker-request AT listserv.temple DOT edu if you have any problems with 
> this list. You can access the archives at 
> http://listserv.temple.edu/archives/networker.html or
> via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
