Veritas-bu

Re: [Veritas-bu] Encrypting offsite tapes

2008-11-11 13:49:16
Subject: Re: [Veritas-bu] Encrypting offsite tapes
From: "Kelley, Travis" <travis.kelley AT etrade DOT com>
To: "Rongsheng Fang" <unixlifebox AT gmail DOT com>
Date: Tue, 11 Nov 2008 13:38:05 -0500
I'm not aware of how the licensing works for the LTO4s in an SL500.  I'm
not sure why you'd need a license from Sun to activate this encryption
since it's a built-in feature of LTO4 tape drives.  I wonder if they
were referring to licensing key management software from them?

If you use the NetBackup key management, bptm sends the keys to the
drive when it requests a tape be mounted if that tape is coming from an
ENCR_* prefixed policy.  Hence a drive can use encryption for one backup
(when using a tape from an ENCR_* pool) and not encrypt the next backup
(when writing to a tape from a non ENCR_* pool).  Obviously encrypted
and non-encrypted backups will not be able to be multiplexed onto the
same tape and once a tape has encrypted data on it all further data will
be encrypted (since it would now be part of an ENCR_* prefixed pool)
until the tape expires.  The volume pool is the key to NetBackup's
encryption key management.  Here is a good PDF describing the
functionality:

ftp://exftpp.symantec.com/pub/support/products/NetBackup_Enterprise_Server/302438.pdf

I have no idea if NetBackup is going to start charging for their KMS
functionality in future releases.
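
An added example, not part of the original message and not NetBackup code: a shell check of the pool-prefix rule described above, listing tapes marked for offsite that are not in an ENCR_* pool or whose pool has no keys created yet. The inventory layout, the media IDs and every pool name except ENCR_Offsite are constructed for illustration and are not the output of any NetBackup command.

```shell
#!/bin/sh
# Constructed inventory (NOT real NetBackup output).
# Columns: media_id  volume_pool  marked_for_offsite
INVENTORY='A00001 ENCR_Offsite yes
A00002 NetBackup no
A00003 Offsite_Weekly yes
A00004 ENCR_Archive yes'

# Constructed, space-separated list of pools for which keys have been
# created. How pools map to keys is not described in the thread, so the
# list is supplied by hand here (assumption).
KEYED_POOLS='ENCR_Offsite'

# audit_offsite INVENTORY KEYED_POOLS
# Prints "media_id pool reason" for each offsite tape that cannot be
# assumed to be hardware-encrypted under the rule in the thread:
#   pool-not-ENCR    the pool name lacks the ENCR_ prefix, so no key
#                    would be sent to the drive for this tape
#   no-keys-created  the pool is ENCR_* but has no keys yet; the thread
#                    says keys must exist before encryption is active
audit_offsite() {
    printf '%s\n' "$1" | awk -v keyed="$2" '
        BEGIN {
            n = split(keyed, k, " ")
            for (i = 1; i <= n; i++) has_key[k[i]] = 1
        }
        NF < 3      { next }    # skip malformed or empty lines
        $3 != "yes" { next }    # only tapes leaving the site matter
        substr($2, 1, 5) != "ENCR_" { print $1, $2, "pool-not-ENCR"; next }
        !($2 in has_key)            { print $1, $2, "no-keys-created" }
    '
}

# Run the audit over the constructed sample data.
audit_offsite "$INVENTORY" "$KEYED_POOLS"
```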


-----Original Message-----
From: Rongsheng Fang [mailto:unixlifebox AT gmail DOT com] 
Sent: Tuesday, November 11, 2008 1:25 PM
To: Kelley, Travis
Cc: Ed Wilts; VERITAS-BU AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] Encrypting offsite tapes

Thank you all for your replies!

We do have HP LTO4 tape drives in a StorageTek SL500 and were told by Sun
that the encryption could be turned on with a license fee. My next
question is: once the encryption feature for an LTO4 tape drive is turned
on, will all backups written to the tape by this drive be encrypted
automatically? Or can NetBackup be configured to selectively encrypt
backups based on the volume pools as Travis described?

Thanks,

Rongsheng


On Nov 11, 2008, at 1:04 PM, Travis Kelley wrote:

> Don't forget hardware based encryption using LTO-4 tape drives.
> Netbackup 6.5.2 has key management functionality built in.  To 
> activate the hardware encryption on LTO4 using NB6.5.2 after you have 
> created keys you just write backups to a pool prefixed with ENCR_* for
> instance ENCR_Offsite.  Using this you could decide based on which 
> volume pool data was written whether or not it would be encrypted.  
> Your normal backups could be written to a normal pool and then when 
> vault did the duplication those images could be written to a hardware 
> encrypted pool.
>
> The same cost caveat applies here if you don't already have LTO4 as in
> Ed's #3:)
>
> Ed Wilts wrote:
>> You have 3 separate options:
>>
>> 1.  Client-based encryption.  Free with 6.5 (and you may be able to 
>> get free licenses for 6.0 if you're under maintenance).  Adds a load 
>> to each and every client.  From what I've heard, it's not pretty.
>>
>> 2.  Media-server based encryption.  Puts the load on the media 
>> servers instead.
>>
>> 3.  Encryption appliance.  Not cheap, but they encrypt at wire speed
>> while writing to the tape drives.   Decru, now owned by NetApp, is the
>> current market leader.  Brocade is also now partnering with NetApp to
>> build the next generation - basically a Decru encryption appliance 
>> built into a 32-port Brocade switch.  Not even close to cheap :-)
>>
>> We chose option 3 and have Decru appliances in front of all our tape 
>> drives.  Everything that's written to tape is automatically encrypted
>> - we don't need to think about it.  NetBackup doesn't even know the 
>> data is encrypted and doesn't care.
>>
>> http://www.netapp.com/us/products/storage-security-systems/
>>
>> On Tue, Nov 11, 2008 at 11:32 AM, Rongsheng Fang
>> <unixlifebox AT gmail DOT com> wrote:
>>
>>     We duplicate backup images from disks/tapes to tapes weekly using
>>     NetBackup vault and send the tapes offsite. We have a new requirement
>>     for encrypting all the tapes going offsite. I understand that
>>     NetBackup can do the encryption while the backup is being done. My
>>     question is: is it possible to encrypt the images during the vault
>>     process (or the duplication process of the vault)? How do you
>>     implement the encryption in your backup environments?
>>
>>     Our environment: NetBackup Enterprise 6.0MP4 on Solaris 10
>>
>>     Thanks,
>>
>>     Rongsheng
>>
>>
>>         .../Ed
>>
>>     Ed Wilts, RHCE, BCFP, BCSD, SCSP, SCSE
>>     ewilts AT ewilts DOT org
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu 
>> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu