Veritas-bu

Re: [Veritas-bu] Encrypting offsite tapes

2008-11-11 17:14:01
Subject: Re: [Veritas-bu] Encrypting offsite tapes
From: "Eagle, Kent" <KEagle AT WilmingtonTrust DOT com>
To: <veritas-bu AT mailman.eng.auburn DOT edu>
Date: Tue, 11 Nov 2008 16:51:39 -0500
Hello Rongsheng,

I think there may also be a 4th option, though potentially more
expensive than an appliance solution if you don't already have the
hardware-

IF you have LTO4 at your primary site and you either have (or don't
need) LTO4 read capability at your offsite:

You could create a policy that calls on a vault profile that duplicates
the tape using hardware based encryption. The caveat here is you would
need to worry about EKM (Encryption Key Management) and the fact that
encrypted data doesn't compress quite the same as unencrypted data. This
could lead to slightly increased tape utilization.

FWIW: We are not currently using LTO4. We tested software based
encryption and found the system overhead and tape utilization
prohibitive. We wound up with an appliance based solution that is
actually quite fast, but short of getting off tape all together, I'm
looking forward to LTO4.

-Kent

------------------------------

Message: 18
Date: Tue, 11 Nov 2008 11:52:07 -0600
From: "Ed Wilts" <ewilts AT ewilts DOT org>
Subject: Re: [Veritas-bu] Encrypting offsite tapes
To: "Rongsheng Fang" <unixlifebox AT gmail DOT com>
Cc: VERITAS-BU AT mailman.eng.auburn DOT edu
Message-ID:
        <995e39b60811110952s5389fbe0j29b8b49b25013017 AT mail.gmail DOT com>
Content-Type: text/plain; charset="iso-8859-1"

You have 3 separate options:

1.  Client-based encryption.  Free with 6.5 (and you may be able to get
free
licenses for 6.0 if you're under maintenance).  Adds a load to each and
every client.  From what I've heard, it's not pretty.

2.  Media-server based encryption.  Puts the load on the media servers
instead.

3.  Encryption appliance.  Not cheap, but they encrypt at wire speed
while
writing to the tape drives.   Decru, now owned by NetApp, is the current
market leader.  Brocade is also now partnering with NetApp to build the
next
generation - basically a Decru encryption appliance built into a 32-port
Brocade switch.  Not even close to cheap :-)

We chose option 3 and have Decru appliances in front of all our tape
drives.  Everything that's written to tape is automatically encrypted -
we
don't need to think about it.  NetBackup doesn't even know the data is
encrypted and doesn't care.

http://www.netapp.com/us/products/storage-security-systems/

On Tue, Nov 11, 2008 at 11:32 AM, Rongsheng Fang
<unixlifebox AT gmail DOT com>wrote:

> We duplicate backup images from disks/tapes to tapes weekly using
> NetBackup vault and send the tapes offsite. We have a new requirement
> for encrypting all the tapes going offsite. I understand that
> NetBackup can do the encryption while the backup is being done. My
> question is: is it possible to encrypt the images during the vault
> process (or the duplication process of the vault)? How do you
> implement the encryption in your backup environments?
>
> Our environment: NetBackup Enterprise 6.0MP4 on Solaris 10
>
> Thanks,
>
> Rongsheng
>

    .../Ed


Kent Eagle
MTS Infrastructure Engineer II, MCP, MCSE
Tech Services / SMSS


Visit our website at www.wilmingtontrust.com

Investment products are not insured by the FDIC or any other governmental 
agency, are not deposits of or other obligations of or guaranteed by Wilmington 
Trust or any other bank or entity, and are subject to risks, including a 
possible loss of the principal amount invested. This e-mail and any files 
transmitted with it may contain confidential and/or proprietary information.  
It is intended solely for the use of the individual or entity who is the 
intended recipient.  Unauthorized use of this information is prohibited.  If 
you have received this in error, please contact the sender by replying to this 
message and delete this material from any system it may be on.


_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu