Veritas-bu

Re: [Veritas-bu] Encrypting offsite tapes

2008-11-11 13:41:16
From: <judy_hinchcliffe AT administaff DOT com>
To: <unixlifebox AT gmail DOT com>, <travis.kelley AT etrade DOT com>
Date: Tue, 11 Nov 2008 12:31:10 -0600
My understanding is all backups to that tape drive would be encrypted.

But you can set up a storage unit that has "that" tape drive in it.

Then set up your policies to use that storage unit that would go to
"that" tape drive.

To keep your tapes straight you should also set up a volume pool where
your encrypted tapes are where the normal tapes are.  As you do not want
to send a tape to the encrypted drive then turn around and send the tape
to a normal tape drive.

So you now have a policy that uses a storage unit that has an encrypted
drive and a volume pool to get those tapes from.

You would have other policies that use normal tape drives and get their
tapes from a normal volume pool.

So if you are going to have a mix, you want to make sure you keep the
tapes "separate" so you can keep track of them.

-----Original Message-----
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu
[mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of
Rongsheng Fang
Sent: Tuesday, November 11, 2008 12:25 PM
To: Travis Kelley
Cc: Ed Wilts; VERITAS-BU AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] Encrypting offsite tapes

Thank you all for your replies!

We do have HP LTO4 tape drives in a StorageTek SL500 and were told by
Sun that the encryption could be turned on with a license fee. My
next question is: once the encryption feature for an LTO4 tape drive
is turned on, will all backups written to the tape by this drive be
encrypted automatically? Or can NetBackup be configured to
selectively encrypt backups based on the volume pools as Travis
described?

Thanks,

Rongsheng


On Nov 11, 2008, at 1:04 PM, Travis Kelley wrote:

> Don't forget hardware based encryption using LTO-4 tape drives.
> NetBackup 6.5.2 has key management functionality built in.  To activate
> the hardware encryption on LTO4 using NB6.5.2 after you have created
> keys you just write backups to a pool prefixed with ENCR_* for instance
> ENCR_Offsite.  Using this you could decide based on which volume pool
> data was written whether or not it would be encrypted.  Your normal
> backups could be written to a normal pool and then when vault did the
> duplication those images could be written to a hardware encrypted pool.
>
> The same cost caveat applies here if you don't already have LTO4 as in
> Ed's #3 :)
>
> Ed Wilts wrote:
>> You have 3 separate options:
>>
>> 1.  Client-based encryption.  Free with 6.5 (and you may be able to get
>> free licenses for 6.0 if you're under maintenance).  Adds a load to each
>> and every client.  From what I've heard, it's not pretty.
>>
>> 2.  Media-server based encryption.  Puts the load on the media servers
>> instead.
>>
>> 3.  Encryption appliance.  Not cheap, but they encrypt at wire speed
>> while writing to the tape drives.   Decru, now owned by NetApp, is the
>> current market leader.  Brocade is also now partnering with NetApp to
>> build the next generation - basically a Decru encryption appliance built
>> into a 32-port Brocade switch.  Not even close to cheap :-)
>>
>> We chose option 3 and have Decru appliances in front of all our tape
>> drives.  Everything that's written to tape is automatically encrypted -
>> we don't need to think about it.  NetBackup doesn't even know the data
>> is encrypted and doesn't care.
>>
>> http://www.netapp.com/us/products/storage-security-systems/
>>
>> On Tue, Nov 11, 2008 at 11:32 AM, Rongsheng Fang
>> <unixlifebox AT gmail DOT com <mailto:unixlifebox AT gmail DOT com>> wrote:
>>
>>     We duplicate backup images from disks/tapes to tapes weekly using
>>     NetBackup vault and send the tapes offsite. We have a new requirement
>>     for encrypting all the tapes going offsite. I understand that
>>     NetBackup can do the encryption while the backup is being done. My
>>     question is: is it possible to encrypt the images during the vault
>>     process (or the duplication process of the vault)? How do you
>>     implement the encryption in your backup environments?
>>
>>     Our environment: NetBackup Enterprise 6.0MP4 on Solaris 10
>>
>>     Thanks,
>>
>>     Rongsheng
>>
>>
>>         .../Ed
>>
>>     Ed Wilts, RHCE, BCFP, BCSD, SCSP, SCSE
>>     ewilts AT ewilts DOT org <mailto:ewilts AT ewilts DOT org>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
>> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
>
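
The pool separation discussed in this thread, as an added example that is not part of any poster's message and not NetBackup's own tooling: a Python check that flags offsite policies writing outside an ENCR_ pool, ENCR_ pools pointed at non-LTO4 drives, and pools shared across drive types. The policy, pool and storage-unit names and the dictionary layout are constructed for illustration; only the ENCR_ prefix and the LTO4 requirement come from the thread.

```python
# Constructed inventory: names and layout are hypothetical, not NetBackup output.
ENCR_PREFIX = "ENCR_"   # pool-name prefix the thread says selects hardware encryption
HW_ENCRYPTING = "LTO4"  # drive generation the thread ties hardware encryption to

STORAGE_UNITS = {
    "stu_lto4": {"drive_type": "LTO4"},
    "stu_lto3": {"drive_type": "LTO3"},
}
POLICIES = [
    {"name": "daily_onsite", "pool": "NetBackup", "stu": "stu_lto3", "offsite": False},
    {"name": "vault_dup_weekly", "pool": "ENCR_Offsite", "stu": "stu_lto4", "offsite": True},
    {"name": "vault_dup_legacy", "pool": "Offsite", "stu": "stu_lto4", "offsite": True},
    {"name": "db_archive", "pool": "ENCR_Offsite", "stu": "stu_lto3", "offsite": True},
]

def audit(policies, storage_units):
    """Return (object, problem) pairs for pool/drive combinations that break separation."""
    findings = []
    pool_drive_types = {}
    for p in policies:
        encrypted_pool = p["pool"].startswith(ENCR_PREFIX)
        drive = storage_units[p["stu"]]["drive_type"]
        pool_drive_types.setdefault(p["pool"], set()).add(drive)
        # Offsite copies must land in a pool that triggers encryption.
        if p["offsite"] and not encrypted_pool:
            findings.append((p["name"], "offsite data written to unencrypted pool"))
        # An ENCR_ pool on a drive that cannot encrypt gives no protection.
        if encrypted_pool and drive != HW_ENCRYPTING:
            findings.append((p["name"], "encrypted pool on drive without hardware encryption"))
    # A pool reachable from more than one drive type mixes tape populations.
    for pool, drives in sorted(pool_drive_types.items()):
        if len(drives) > 1:
            findings.append((pool, "pool shared across drive types"))
    return findings

if __name__ == "__main__":
    for obj, problem in audit(POLICIES, STORAGE_UNITS):
        print(f"{obj}: {problem}")
```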