You can have 1 key per volume
pool.
So on 6.5.5 you can encrypt 2
pools.
You can have different encryption
keys for each pool. So I have 2 different key tags depending on which pool the
tape belongs to.
In 7.0 you can have 20 pools, but
again you can only have 1 active key per volume pool.
Now if you want to change your
key, you have those “levels” of a key.
You take current key from active
to inactive, and create a new active key for that pool.
An inactive key can be used to
decrypt a tape. So if you have a new active key you can still read the tapes
made with the old key.
Where a deprecated key will stay
in the database if you want it, but you cannot use it to write or read a tape.
You said: “in case if we don’t
have encryption feature enabled at hardware on another site, is there any way
to perform the restore.
“
No – that is the whole point of encryption.
You must have application managed
encryption turned on at the other library ( this cost me nothing on my IBM
TS3310)
And YOU MUST have the SAME keys on
the database at the other site.
TEST TEST TEST - before you start
doing all your tapes verify that you can tape a tape made here and be able to
restore it at your other site. If you cannot read an encrypted tape at your DR
site – then what is the point. You want to lock others out of reading your
tapes, not yourself.
The way to verify is when looking
at your tapes and you see the encrypted key tag on the image.
Your kms database at your other
site must have an exact matching key tag.
As kms is just a bunch of file…. You
just copy that dir over to the other server.
The only issue right now for me is
2 volume pools. I wanted 3, and had to put two groups of tapes into the same
pool.
When I upgrade to 7.x I will get
to break that group out again and have 3 encrypted volume pools.
From: Abhishek Dhingra1
[mailto:abhishek.dhingra AT in.ibm DOT com]
Sent: Tuesday, June 15, 2010 12:41 PM
To: Judy Hinchcliffe
Cc: veritas-bu AT mailman.eng.auburn DOT edu
Subject: Fw: [Veritas-bu] KMS encryption
Thanks for the
reply.
Today i tried
configuring the KMS on my master server(running on AIX). It worked perfectly
fine, i took help from veritas support and according to them we can only keep
one key in the key database, it will always use the same key for
encrypting the data. Every time we need to change the encryption key , we need
to define the new key and deactivate the one that is activated.
Have you tried
configuring more then one key at the same time.
Moreover doing
restore on another site , will require encryption license to be applied on the
tape library at another site, in case if we dont have encryption feature
enabled at hardware on another site, is there any way to perform the restore.
Rgds
A D
Email : abhishek.dhingra AT in.ibm DOT com
-----
Forwarded by Abhishek Dhingra1/India/IBM on 06/15/2010 11:05 PM -----
<judy_hinchcliffe AT administaff DOT com>
06/15/2010
10:51 PM
|
To
|
Abhishek
Dhingra1/India/IBM@IBMIN, <veritas-bu AT mailman.eng.auburn DOT edu>
|
cc
|
|
Subject
|
RE:
[Veritas-bu] KMS encryption
|
|
Yes, I recently started.
It is one chapter in the Security and Encryption book, look for the book for
the version you are running. In the 6.5 it is chapter 6.
I have aix media servers so I cannot do MESO
If I wanted to hardware encryption using my IBM library I would have to PAY IBM
a lot of money Plus get the Tivoli key management system.
Kms comes with NB.
I just went to my library and turned on “Application Managed Encryption”
Then I setup the kms database and made my volume pools
NOTE: in 6.5.5 you can only use 2 encrypted volume pools. In 7.0
you can use 20.
So now I am doing hardware encryption – that is where all the work is done on
the tape drive – it also does my compression so no extra over head on my
master or media.
Read the chapter carefully –
Make sure that the kms dir is not put on your catalog tape, and do no encrypt
the catalog tape ( that’s like locking your keys in the car)
I have two sites.
I made my kms on one master, then just copied the database to the other master,
this way I know all encrypted key tags match and I can read encrypted tapes at
both sites.
Once reading the chapter I saw how easy it really was.
Just make sure you document you password strings and keep them in a secure
place – not in just any file on disk where someone else could find them.
From:
veritas-bu-bounces AT mailman.eng.auburn DOT edu
[mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Abhishek
Dhingra1
Sent: Tuesday, June 15, 2010 12:10 PM
To: veritas-bu AT mailman.eng.auburn DOT edu
Subject: [Veritas-bu] KMS encryption
Hi,,
Has anyone ever used Netbackup 6.5 internal KMS encryption
feature.
Pls share the documents link of KMS and also wanted to know merits and demerits
of using KMS encryption.
Hope some one have used KMS and could help me.
Rgds
A D
Email : abhishek.dhingra AT in.ibm DOT com