Re: [Networker] LTO4 Hardware Encryption -- proposal
2010-02-04 09:01:49
Hey everyone...
Back in November, I posted the message below. To this moment, I haven't
heard anything from anyone... I guess I need to take from that silence
one of three truths:
1) No one is interested in NetWorker handling the management of keys
to encrypt LTO4 media.
2) I'm the only person on the list that is using LTO4 media and trying
to figure out how to handle encryption.
3) It was too close to Christmas and no one took the time to read my
message.
Please enlighten me as to which of those is the truth.
Thanks,
Frank
On 11/24/09 11:35 AM, Francis Swasey wrote:
I recently laid out for EMC what I would like to see NetWorker provide
for LTO4 Hardware Encryption and Key Management.
I am interested if what I have told EMC is what others think NetWorker
should provide or if you have other ideas about the LTO4 Hardware
Encryption. If you would rather not publicly state your
agreement/disagreement with the following -- you may respond to me privately.
Here's what I told EMC:
1) That there needs to be an option in the media pool definition to
specify that volumes in this pool must have LTO4 Encryption enabled.
Whether that is set by a check box in the media pool property panes of
NMC or is (like NetBackup does) flagged by naming the pool to begin
with "ENCR" -- I don't care.
2) That the NetWorker server needs to create a new key for a volume
every time the volume is labeled.
3) That the NetWorker server needs to keep track of which key was used
for which volume.
4) That however the NetWorker server maintains the key/volume pairing,
it has to be securely included in the bootstrap so that mmrecov can
get it back in a disaster situation. And I have to know a secret
pass-phrase that was NOT in the bootstrap to decrypt the key/volume
table and run a command to put it back into NetWorker.
--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
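As an added illustration of the four items in Frank's proposal (example code written here, not NetWorker's own code or anything EMC ships), a small Python model: a key minted per volume at label time, gated on the ENCR pool-name convention from the post, a key/volume table, and that table sealed under an operator pass-phrase before it rides in the bootstrap, so the mmrecov-time restore needs a secret the bootstrap does not carry. The class, function and pool names are assumptions, and the HMAC counter-mode keystream stands in for the AEAD a real product would use.

```python
import hashlib, hmac, json, os, secrets

class VolumeKeyTable:
    def __init__(self, keys=None):
        self.keys = dict(keys or {})  # volume label -> 256-bit key (hex); item 3

    def label_volume(self, volume, pool):
        # Item 1: encryption is a pool property (here the ENCR name prefix from
        # the post). Item 2: a fresh key on every labeling, old key discarded.
        if pool.startswith("ENCR"):
            self.keys[volume] = secrets.token_hex(32)
        else:
            self.keys.pop(volume, None)
        return self.keys.get(volume)

    def key_for(self, volume):
        return self.keys.get(volume)

def _keystream(key, nonce, length):
    # HMAC-SHA256 counter-mode keystream (stdlib only; a product would use AES-GCM)
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _derive(passphrase, salt):
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, 64)
    return master[:32], master[32:]  # (encryption key, MAC key)

def seal_for_bootstrap(table, passphrase):
    # Item 4: the blob that rides in the bootstrap. Encrypt-then-MAC, so a wrong
    # pass-phrase or a tampered blob is rejected instead of yielding garbage keys.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(passphrase, salt)
    pt = json.dumps(table.keys, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def restore_from_bootstrap(blob, passphrase):
    # The mmrecov-time step: the pass-phrase comes from the operator, not the tape.
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong pass-phrase or corrupted key table")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return VolumeKeyTable(json.loads(pt))
```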
To sign off this list, send email to listserv AT listserv.temple DOT edu and type
"signoff networker" in the body of the email. Please write to networker-request
AT listserv.temple DOT edu if you have any problems with this list. You can access the
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER