Veritas-bu

Re: [Veritas-bu] Encrypting offsite tapes

2008-11-11 13:33:47
Subject: Re: [Veritas-bu] Encrypting offsite tapes
From: "Taylor, David (MARSYS)" <david.k.taylor AT ngc DOT com>
To: <VERITAS-BU AT mailman.eng.auburn DOT edu>
Date: Tue, 11 Nov 2008 13:21:47 -0500

my understanding of using your tape drives to perform the encryption, you must use the same type of drive to perform the decryption. 

i’m looking at crossroads as a encryption appliance, similar to decru.

 

dave..

 

 


From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of judy_hinchcliffe AT administaff DOT com
Sent: Tuesday, November 11, 2008 10:08 AM
To: ewilts AT ewilts DOT org; unixlifebox AT gmail DOT com
Cc: VERITAS-BU AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] Encrypting offsite tapes

 

If you have a library you may be able to do tape drive encryption with what you have.

 

You just need to get it turned on (which most likely will take a license from your library manufacture – which means money- but no new equipment)

 

Just remember that if you do this you must put HIGH priority on keeping track of you keys – so you can decrypt… you should use the same keys as your DR site so it can decrypt  as well.

 


From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Ed Wilts
Sent: Tuesday, November 11, 2008 11:52 AM
To: Rongsheng Fang
Cc: VERITAS-BU AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] Encrypting offsite tapes

 

You have 3 separate options:

1.  Client-based encryption.  Free with 6.5 (and you may be able to get free licenses for 6.0 if you're under maintenance).  Adds a load to each and every client.  From what I've heard, it's not pretty.

2.  Media-server based encryption.  Puts the load on the media servers instead.

3.  Encryption appliance.  Not cheap, but they encrypt at wire speed while writing to the tape drives.   Decru, now owned by NetApp, is the current market leader.  Brocade is also now partnering with NetApp to build the next generation - basically a Decru encryption appliance built into a 32-port Brocade switch.  Not even close to cheap :-)

We chose option 3 and have Decru appliances in front of all our tape drives.  Everything that's written to tape is automatically encrypted - we don't need to think about it.  NetBackup doesn't even know the data is encrypted and doesn't care.

http://www.netapp.com/us/products/storage-security-systems/

On Tue, Nov 11, 2008 at 11:32 AM, Rongsheng Fang <unixlifebox AT gmail DOT com> wrote:

We duplicate backup images from disks/tapes to tapes weekly using
NetBackup vault and send the tapes offsite. We have a new requirement
for encrypting all the tapes going offsite. I understand that
NetBackup can do the encryption while the backup is being done. My
question is: is it possible to encrypt the images during the vault
process (or the duplication process of the vault)? How do you
implement the encryption in your backup environments?

Our environment: NetBackup Enterprise 6.0MP4 on Solaris 10

Thanks,

Rongsheng

 

    .../Ed

Ed Wilts, RHCE, BCFP, BCSD, SCSP, SCSE
ewilts AT ewilts DOT org

_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu