I've been testing this in the lab. You have three ways that the IBM
LTO-4 drive can be provided an encryption key to encrypt with:
1. Application based. NetWorker doesn't do this, so this is ruled
out. We'll use EKM instead.
2. Library based. If your library supports generating encryption
keys, or grabbing them from EKM, then it can pass the keys using the
out of band (serial) connection to the tape drive. Depends on the
library as to how they've implemented it, and normally you have to
get the supported key manager. (I believe Davina noted that her IBM
library uses EKM, but the library is doing the delivery of keys to the
tape drive)
3. System based. The tape driver (IBMtape) requests the key via IP,
and delivers it to the tape drive via SCSI (or FC, same thing).
I've been trying to get the driver based (System option) method to
work, but don't seem to be able to get the driver to transition from
Application to System mode.
Solaris 10, Leadville Qlogic drivers, FC tape. Library does not
support Library based. NetWorker 7.3.3 (although I have networker
turned off, and am just working with the tape drivers)
This *should* work, but I haven't gotten it to work yet. Anyone that
has, please speak up. My next step is to try AIX or Linux, or
Windows, to see if the issue is the Solaris driver.
The main issue--as the blog at drunkendata.com points out--is that
EKM is just a key generator, but it doesn't deal with key management
in terms of lifecycle. IMHO, that would best be done by the
application, since retention policy for tapes is set there. But since
NetWorker doesn't have any support announced (based on the lack of
any info), that isn't an option.
Hope this helps, and if you want config details, let me know.
Dave
Date: Wed, 30 Jul 2008 19:58:03 -0400
From: goony <networker-forum AT BACKUPCENTRAL DOT COM>
Subject: lto4 and encryption
> The package is called EKM, search on IBM's web site for it.
> (Encryption Key Management).
>
> You'll need IBM Java, which is free for Linux, AIX and (I believe)
> Windows, but you have to buy it for Solaris.
>
> Dave
Thanks Dave!
I found the IBM EKM info at http://preview.tinyurl.com/2jprlz and
I've downloaded the EKM Introduction, Planning, and User's Guide.
Questions:
I have a Solaris-based Networker V7.4.2 with a Sun/Storagetek SL500
tape library, currently running 3 LTO3 drives, with room for 3 more LTO drives.
Sun sells IBM and HP LTO4 drives for the SL500.
Is there any possible configuration of using IBM EKM for key
management if I add IBM LTO4 drives to my current configuration?
I.e., can I do encryption (with a separate key per tape volume)
without the explicit support for the key management within Networker?
It sounds like it might work but I'm unwilling to buy LTO4 drives
unless I have a clear path to success.
If I go the all-Sun path for key management, I'll need to buy 3 key
management appliances (KMS); a primary and a backup for the data
center and one for the remote recovery site. Their KMS appliance
works with the HP LTO4 drives which (I believe) have a separate
connection (Ethernet?) for out-of-band key management. In comparison,
the IBM LTO4 drives appear to do key management only via the data interface.
The Sun appliance-based approach is a helluva lot of overkill for
my configuration, when it appears that with the IBM EKM I can run it
on the Solaris system itself, or on any handy Linux server (read: a
laptop in a pinch). I hate the thought of buying 3 Sun KMS appliances
($28.5K list each) that will be used to grab keys to write (on
average) 3 tapes a day. I don't need to manage keys for an
enterprise, just for a few tape drives and about 60-80 tape volumes.
In fact, a software-based approach (IBM EKM) is more appealing to me
since as long as I have a safe copy of my keys, I have a wider range
of platform choices in which to create a key server in an emergency
situation (as I said before, the Solaris Networker server itself, or
a Linux laptop)... if the "Sun KMS appliance" breaks or goes missing,
then it may be a l-o-n-g time before I can get another one.
Any thoughts or suggestions?
Thanks!
Goony
To sign off this list, send email to listserv AT listserv.temple DOT edu and type
"signoff networker" in the body of the email. Please write to networker-request
AT listserv.temple DOT edu if you have any problems with this list. You can access the
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER