Re: [Networker] encryption

2008-08-19 10:46:50
Subject: Re: [Networker] encryption
From: David Gold-news <dave2 AT CAMBRIDGECOMPUTER DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Tue, 19 Aug 2008 10:39:54 -0400
Hi,

See below for replies.

-Dave

From: goony <networker-forum AT BACKUPCENTRAL DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: 31.07.2008 02:05
Subject: [Networker] lto4 and encryption

> The package is called EKM, search on IBM's web site for it.
> (Encryption Key Management).
>
> You'll need IBM Java, which is free for Linux, AIX and (I believe)
> Windows, but you have to buy it for Solaris.
>
> Dave

Thanks Dave!

I found the IBM EKM info at http://preview.tinyurl.com/2jprlz and I've downloaded the EKM Introduction, Planning, and User's Guide.

Questions:

I have a Solaris-based Networker V7.4.2 with a Sun/Storagetek SL500 tape library, currently running 3 LTO3 drives, with room for 3 more LTO drives.

Sun sells IBM and HP LTO4 drives for the SL500.

--DG: EKM is for IBM LTO-4 drives only.

Is there any possible configuration of using IBM EKM for key management if I add IBM LTO4 drives to my current configuration? I.e., can I do encryption (with a separate key per tape volume) without the explicit support for the key management within Networker? It sounds like it might work but I'm unwilling to buy LTO4 drives unless I have a clear path to success.

--DG: It should (per the docs) work to have the tape driver do the requesting for keys, so networker wouldn't know anything about them. Nor would the library. But given that I spent some time trying to make the driver transition into system mode (system mode=driver requests the key; application mode=application provides the keys; library mode=library sends the keys via the serial connection to the tape drive), and couldn't get it to work, I was concerned about it working in a supportable manner.

If I go the all-Sun path for key management, I'll need to buy 3 key management appliances (KMS); a primary and a backup for the data center and one for the remote recovery site. Their KMS appliance works with the HP LTO4 drives which (I believe) have a separate connection (Ethernet?) for out-of-band key management. In comparison, the IBM LTO4 drives appear to do key management only via the data interface.

The Sun appliance-based approach is a helluva lot of overkill for my configuration, when it appears that with the IBM EKM I can run it on the Solaris system itself, or on any handy Linux server (read: a laptop in a pinch). I hate the thought of buying 3 Sun KMS appliances ($28.5K list each) that will be used to grab keys to write (on average) 3 tapes a day. I don't need to manage keys for an enterprise, just for a few tape drives and about 60-80 tape volumes.

In fact, a software-based approach (IBM EKM) is more appealing to me since as long as I have a safe copy of my keys, I have a wider range of platform choices in which to create a key server in an emergency situation (as I said before, the Solaris Networker server itself, or a Linux laptop)... if the "Sun KMS appliance" breaks or goes missing, then it may be a l-o-n-g time before I can get another one.

--DG: Your concern about an appliance going end of life is a valid one. I'm not sure what Sun's stance on that is, but it is a good question to ask. I suspect your issues of cost/benefit are a common one.

--DG: Why not use NetWorker software encryption instead of hardware encryption? If the concern is simplicity, it'll certainly solve that.

Any thoughts or suggestions?

Thanks!

Goony


===================================
David Gold
Sr. Technical Consultant
Cambridge Computer Services, Inc.
Artists in Data Storage
Tel: 781-250-3000
Tel (Direct): 781-250-3260
Fax: 781-250-3360
dave AT cambridgecomputer DOT com
www.cambridgecomputer.com

===================================
*Any ideas, suggestion or comments are mine alone, and are not of my company*