
[Networker] lto4 and encryption

2008-07-31 09:44:16
Subject: [Networker] lto4 and encryption
From: David Gold-news <dave2 AT CAMBRIDGECOMPUTER DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Thu, 31 Jul 2008 09:21:48 -0400
I've been testing this in the lab. You have three ways that the IBM LTO-4 drive can be provided an encryption key to encrypt with:

1. Application based. NetWorker doesn't do this, so this is ruled out. We'll use EKM instead.

2. Library based. If your library supports generating encryption keys, or grabbing them from EKM, then it can pass the keys using the out-of-band (serial) connection to the tape drive. Depends on the library as to how they've implemented it, and normally you have to get the supported key manager. (I believe Davina noted that her IBM library uses EKM, but the library is doing the delivery of keys to the tape drive.)

3. System based. The tape driver (IBMtape) requests the key via IP, and delivers it to the tape drive via SCSI (or FC, same thing).


I've been trying to get the driver based (System option) method to work, but don't seem to be able to get the driver to transition from Application to System mode.

Solaris 10, Leadville Qlogic drivers, FC tape. Library does not support Library based. NetWorker 7.3.3 (although I have networker turned off, and am just working with the tape drivers)

This *should* work, but I haven't gotten it to work yet. Anyone that has, please speak up. My next step is to try AIX or Linux, or Windows, to see if the issue is the Solaris driver.

The main issue--as the blog at drunkendata.com points out--is that EKM is just a key generator, but it doesn't deal with key management in terms of lifecycle. IMHO, that would best be done by the application, since retention policy for tapes is set there. But since NetWorker doesn't have any support announced (based on the lack of any info), that isn't an option.

Hope this helps, and if you want config details, let me know.

Dave


Date:    Wed, 30 Jul 2008 19:58:03 -0400
From:    goony <networker-forum AT BACKUPCENTRAL DOT COM>
Subject: lto4 and encryption

> The package is called EKM, search on IBM's web site for it.
> (Encryption Key Management).
>
> You'll need IBM Java, which is free for Linux, AIX and (I believe)
> Windows, but you have to buy it for Solaris.
>
> Dave

Thanks Dave!

I found the IBM EKM info at http://preview.tinyurl.com/2jprlz and I've downloaded the EKM Introduction, Planning, and User's Guide.

Questions:

I have a Solaris-based Networker V7.4.2 with a Sun/Storagetek SL500 tape library, currently running 3 LTO3 drives, with room for 3 more LTO drives.

Sun sells IBM and HP LTO4 drives for the SL500.

Is there any possible configuration of using IBM EKM for key management if I add IBM LTO4 drives to my current configuration? I.e., can I do encryption (with a separate key per tape volume) without the explicit support for the key management within Networker? It sounds like it might work but I'm unwilling to buy LTO4 drives unless I have a clear path to success.

If I go the all-Sun path for key management, I'll need to buy 3 key management appliances (KMS); a primary and a backup for the data center and one for the remote recovery site. Their KMS appliance works with the HP LTO4 drives which (I believe) have a separate connection (Ethernet?) for out-of-band key management. In comparison, the IBM LTO4 drives appear to do key management only via the data interface.

The Sun appliance-based approach is a helluva lot of overkill for my configuration, when it appears that with the IBM EKM I can run it on the Solaris system itself, or on any handy Linux server (read: a laptop in a pinch). I hate the thought of buying 3 Sun KMS appliances ($28.5K list each) that will be used to grab keys to write (on average) 3 tapes a day. I don't need to manage keys for an enterprise, just for a few tape drives and about 60-80 tape volumes.

In fact, a software-based approach (IBM EKM) is more appealing to me since as long as I have a saved copy of my keys, I have a wider range of platform choices in which to create a key server in an emergency situation (as I said before, the Solaris Networker server itself, or a Linux laptop)... if the "Sun KMS appliance" breaks or goes missing, then it may be a l-o-n-g time before I can get another one.

Any thoughts or suggestions?

Thanks!

Goony
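Three points in this thread fit together: Dave's observation that EKM generates keys but does not tie them to a tape's retention policy, goony's question about a separate key per tape volume, and goony's wish for a saved copy of the keys so a standby server (even a laptop) can hand them out. The sketch below is an added example written for this archive page; it is not IBM EKM, NetWorker or Sun KMS code, and it uses a different technique than EKM: rather than storing random per-volume keys wrapped under a key-encrypting key, it derives each volume's key with HKDF (RFC 5869) from a master secret plus a per-volume random salt, so deleting the salt when the retention period ends makes that one key unrecoverable (crypto-shredding) while the exported record file plus the master secret is the whole "saved copy". The master secret, volume labels, dates and retention periods are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
from datetime import date, timedelta


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand with HMAC-SHA256 (RFC 5869)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class VolumeKeyStore:
    """One key per tape label, each bound to the retention period set at write time.

    Records hold only the salt and dates; the master secret is kept separately
    (offline), so the exported JSON alone does not reveal any volume key.
    """

    def __init__(self, master_key: bytes):
        if len(master_key) < 32:
            raise ValueError("master key must be at least 256 bits")
        self._master = master_key
        self._volumes = {}   # label -> {"salt": hex or None, "written": iso, "expires": iso}

    def register(self, label: str, written: date, retention_days: int) -> None:
        """Create the key material for a new volume; retention fixes its expiry."""
        if label in self._volumes:
            raise ValueError(f"volume {label} already has a key")
        self._volumes[label] = {
            "salt": os.urandom(16).hex(),
            "written": written.isoformat(),
            "expires": (written + timedelta(days=retention_days)).isoformat(),
        }

    def key(self, label: str) -> bytes:
        """Derive the 256-bit data key for a volume; fails once it has been shredded."""
        rec = self._volumes.get(label)
        if rec is None or rec["salt"] is None:
            raise KeyError(f"no usable key for volume {label}")
        return hkdf_sha256(self._master, bytes.fromhex(rec["salt"]), label.encode())

    def expire(self, today: date) -> list:
        """Crypto-shred every volume whose retention has elapsed; returns the labels."""
        shredded = []
        for label, rec in self._volumes.items():
            if rec["salt"] is not None and date.fromisoformat(rec["expires"]) <= today:
                rec["salt"] = None          # key can no longer be derived
                shredded.append(label)
        return shredded

    def export_records(self) -> str:
        """The saved copy: small enough to keep off-site next to the master secret."""
        return json.dumps(self._volumes, sort_keys=True)

    @classmethod
    def restore(cls, master_key: bytes, exported: str) -> "VolumeKeyStore":
        """Stand up a replacement key server on any host from the saved copy."""
        store = cls(master_key)
        store._volumes = json.loads(exported)
        return store


def demo() -> dict:
    """Constructed walk-through: three volumes, 30/30/90-day retention, a standby
    restore from the saved copy, then an expiry run on 2008-08-02."""
    # Constructed master secret; in production generate with os.urandom(32) and keep it offline.
    master = hashlib.sha256(b"constructed demo master secret").digest()
    primary = VolumeKeyStore(master)
    primary.register("LTO4001", date(2008, 7, 1), retention_days=30)   # expires 2008-07-31
    primary.register("LTO4002", date(2008, 7, 2), retention_days=30)   # expires 2008-08-01
    primary.register("LTO4003", date(2008, 7, 3), retention_days=90)   # expires 2008-10-01
    keys_before = {v: primary.key(v) for v in ("LTO4001", "LTO4002", "LTO4003")}

    saved = primary.export_records()                   # the off-site saved copy
    standby = VolumeKeyStore.restore(master, saved)    # e.g. a Linux laptop in an emergency
    shredded = primary.expire(date(2008, 8, 2))        # retention elapsed for the first two

    return {
        "distinct": len(set(keys_before.values())) == 3,
        "key_len": len(keys_before["LTO4003"]),
        "standby_matches": all(standby.key(v) == k for v, k in keys_before.items()),
        "shredded": shredded,
        "survivor_still_readable": primary.key("LTO4003") == keys_before["LTO4003"],
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is what gets backed up: only the master secret and the salt/date records, which together regenerate every live volume key, so the "saved copy" goony wants is two small artefacts rather than a database of cleartext keys. The retention date stored at write time is what a backup application knows and a bare key generator does not, which is the lifecycle gap Dave points at.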

To sign off this list, send email to listserv AT listserv.temple DOT edu and type 
"signoff networker" in the body of the email. Please write to networker-request 
AT listserv.temple DOT edu if you have any problems with this list. You can access the 
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
