The keys in a Decru box are not usable unless you authenticate the new system. This is done via a key quorum, where you say that n of y security officers (identified by a secure card, username, & password) must be present to authenticate the box that’s going to use the keys. Therefore, you can copy/store your keys right along your backups and not worry about that issue.
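A worked illustration of the n-of-y officer quorum described above, added here as an example that is not part of the thread and not Decru’s own mechanism (the thread does not describe how the appliance implements it). It assumes a Shamir secret-sharing scheme over a prime field: each security officer holds one share of the key-wrapping secret, any `threshold` of them can reconstruct it, and fewer shares reveal nothing about it. Function names, the field prime and the sample key are choices made for this example.

```python
import secrets

# Field prime: the Mersenne prime 2**521 - 1, comfortably larger than a 256-bit key.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial over GF(PRIME) with Horner's rule; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, officers: int):
    """Split `secret` into `officers` shares; any `threshold` of them reconstruct it.

    Returns a list of (x, y) points on a random degree-(threshold-1) polynomial
    whose constant term is the secret. Each officer is handed exactly one point.
    """
    if not 1 <= threshold <= officers:
        raise ValueError("need 1 <= threshold <= officers")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret does not fit in the field")
    # Random higher-order coefficients hide the secret from any sub-quorum.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, officers + 1)]


def recover_int(shares) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With at least `threshold` distinct shares this is the secret; with fewer it
    is an unrelated field element, which is exactly the property a quorum relies on.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = (num * (-xj)) % PRIME
            den = (den * (xi - xj)) % PRIME
        # Modular inverse via Fermat's little theorem (PRIME is prime, den != 0).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_secret(shares, secret_len: int) -> bytes:
    """Reconstruct the original key bytes from a full quorum of shares."""
    value = recover_int(shares)
    if value >= 1 << (8 * secret_len):
        # A value outside the key's range means the quorum was not met.
        raise ValueError("insufficient or corrupted shares: quorum not satisfied")
    return value.to_bytes(secret_len, "big")


def quorum_demo():
    """3-of-5 officer quorum over a constructed 256-bit key (sample value, not a real key)."""
    key = bytes(range(32))  # constructed sample key
    shares = split_secret(key, threshold=3, officers=5)
    full_quorum = recover_secret([shares[0], shares[2], shares[4]], 32) == key
    short_quorum = recover_int(shares[:2]) == int.from_bytes(key, "big")
    return full_quorum, short_quorum  # expected: (True, False)


if __name__ == "__main__":
    ok, leaked = quorum_demo()
    print("3 officers recover key:", ok)
    print("2 officers recover key:", leaked)
```

The shares themselves are what the officers' smart cards would carry; the appliance only ever sees the reconstructed value at authentication time, so copies of the encrypted key material can sit next to the backups without the quorum requirement being weakened.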
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Jeff Lightner
Sent: Thursday, September 06, 2007 6:44 AM
To: Ed Wilts; Cruice, Daniel (US - Glen Mills)
Cc: veritas-bu AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] Tape encryption
Curious – you say you backup the keys – do you store those backups offsite and if so is that in a different location than the regular backups? It seems it would be important to not keep the backup of keys with the encrypted backups but that this might cause you issues for DR.
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Ed Wilts
Sent: Wednesday, September 05, 2007 9:17 PM
To: 'Cruice, Daniel (US - Glen Mills)'
Cc: veritas-bu AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] Tape encryption
Unless all of your clients are really, really tiny, you’re not going to want to look at software encryption so you really have 2 options – Decru and Neoscale appliances.

We’ve been happy with our Decru FC520 appliances front-ending our 8 LTO-3 drives (spread across 2 data centers). We don’t actually get any degradation – in some cases, we’ve actually seen performance *improvements*. A single FC520 will support 2-3 LTO-3 drives but there are larger models (the FC1020) and there are rumors of 4Gbps faster versions coming out this year.

Since each FC520 has a single 2Gbps interface for input and another for output, you’re limited to 200MB/sec in total throughput. Depending on how fast you drive your tape drives now will help you determine how many appliances you would need. I would guess that your 20 drives are spread over 2 fabrics and putting one FC1020 per fabric would probably suffice since they have 5 2Gbps ports in and 5 out for 10Gbps total throughput. These suckers encrypt and compress at wire speed.

We haven’t had any unresolvable issues with the appliances themselves. Key management isn’t a problem at all – it’s all handled by the appliances and can be backed up using their software. Our 3 appliances share the keys amongst themselves and also know that a single pre-defined NetBackup pool will write unencrypted data. By default, all of our NetBackup pools are encrypted – we have just a single clear-text pool just in case we have to send a customer a clear-text tape (we haven’t had to do this yet). You only really need to worry about the special cards whenever the keys need to leave a box – either when you’re replacing one (we haven’t had one fail yet) or if you add another box to the cluster and want to share the keys (we did this recently). The rest of the time the special cards sit in lockboxes and safes.

The Decru appliances do need to understand NetBackup but so long as the tape headers don’t change, you won’t have any issues. Just don’t expect to use any old off-the-shelf software product some day and expect it to work out of the box without talking to Decru first.

Once you see these suckers, you’ll be impressed. You can even get them with a big red button on the front that automatically flushes the keys when pressed (for use in military environments when the bad guys are breaking down your door).

From NetBackup’s point of view, you don’t need to do anything special at all. You unpresent all of your existing drives, present them to the encryption appliances, it presents new WWNs for the encrypted drives (they appear on the fabric as loop devices), and you tell NetBackup to use those. That’s it. You don’t need to worry about which tapes are encrypted and which aren’t – the appliances handle all of that automatically and will read clear-text tapes transparently and when they’re rewritten, will automatically encrypt the data. It just doesn’t get any easier.
…/Ed
--
Ed Wilts, RHCE, BCFP, BCSD
Mounds View, MN, USA
mailto:ewilts AT ewilts DOT orrg
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Cruice, Daniel (US - Glen Mills)
Sent: Wednesday, September 05, 2007 3:33 PM
To: veritas-bu AT mailman.eng.auburn DOT edu
Subject: [Veritas-bu] Tape encryption
Looking for some information regarding tape encryption, anyone out there using it? And if so, what kind of tape degradation did you experience? We are being asked to implement it and we are just trying to figure out what we are going to need. Our environment is mixed with Windows and UNIX, all of our NBU servers are Windows (Master and Media) with a 20 drive LTO3 Library, over 900 clients. About 90% of our environment is running 6.0 MP4 and soon will be rolling out 6.5 w/ MP1. Any gotchas we need to be aware of?

Thanks
Dan