Unless all of your clients are really, really tiny, you’re not going to want to look at software encryption so you really have 2 options – Decru and Neoscale appliances.

We’ve been happy with our Decru FC520 appliances front-ending our 8 LTO-3 drives (spread across 2 data centers). We don’t actually get any degradation – in some cases, we’ve actually seen performance *improvements*. A single FC520 will support 2-3 LTO-3 drives but there are larger models (the FC1020) and there are rumors of 4Gbps faster versions coming out this year.

Since each FC520 has a single 2Gbps interface for input and another for output, you’re limited to 200MB/sec in total throughput. How fast you drive your tape drives now will help you determine how many appliances you would need. I would guess that your 20 drives are spread over 2 fabrics and putting one FC1020 per fabric would probably suffice since they have 5 2Gbps ports in and 5 out for 10Gbps total throughput. These suckers encrypt and compress at wire speed.

We haven’t had any unresolvable issues with the appliances themselves. Key management isn’t a problem at all – it’s all handled by the appliances and can be backed up using their software. Our 3 appliances share the keys amongst themselves and also know that a single pre-defined NetBackup pool will write unencrypted data. By default, all of our NetBackup pools are encrypted – we have just a single clear-text pool just in case we have to send a customer a clear-text tape (we haven’t had to do this yet). You only really need to worry about the special cards whenever the keys need to leave a box – either when you’re replacing one (we haven’t had one fail yet) or if you add another box to the cluster and want to share the keys (we did this recently). The rest of the time the special cards sit in lockboxes and safes.

The Decru appliances do need to understand NetBackup but so long as the tape headers don’t change, you won’t have any issues. Just don’t expect to use any old off-the-shelf software product some day and expect it to work out of the box without talking to Decru first.

Once you see these suckers, you’ll be impressed. You can even get them with a big red button on the front that automatically flushes the keys when pressed (for use in military environments when the bad guys are breaking down your door).

From NetBackup’s point of view, you don’t need to do anything special at all. You unpresent all of your existing drives, present them to the encryption appliances, it presents new WWNs for the encrypted drives (they appear on the fabric as loop devices), and you tell NetBackup to use those. That’s it. You don’t need to worry about which tapes are encrypted and which aren’t – the appliances handle all of that automatically and will read clear-text tapes transparently and when they’re rewritten, will automatically encrypt the data. It just doesn’t get any easier.

…/Ed
--
Ed Wilts, RHCE, BCFP, BCSD
Mounds View, MN, USA
mailto:ewilts AT ewilts DOT orrg

From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Cruice, Daniel (US - Glen Mills)
Sent: Wednesday, September 05, 2007 3:33 PM
To: veritas-bu AT mailman.eng.auburn DOT edu
Subject: [Veritas-bu] Tape encryption

Looking for some information regarding tape encryption, anyone out there using it? And if so, what kind of tape degradation did you experience? We are being asked to implement it and we are just trying to figure out what we are going to need. Our environment is mixed with Windows and UNIX, all of our NBU servers are Windows (Master and Media) with a 20 drive LTO3 Library, over 900 clients. About 90% of our environment is running 6.0 MP4 and soon will be rolling out 6.5 w/ MP1. Any gotchas we need to be aware of?

Thanks
Dan