Although I don't work in such a world now, I did for several years, and
I also consult in such environments quite regularly.  I'm also HUGE
proponent of encryption in general.  

What I am saying is I don't see the point in encrypting data behind the
VTL.  Since the encryption is invisible to the application, you can
still read/write the virtual tapes in TSM, which means that somebody
that wants to steal them from the application level won't be stopped.
The only way they could steal it that you would stop with disk
encryption is if they physically removed the _entire_ VTL from your
datacenter without you knowing it.  If that can happen in your
datacenter than save the money you would have spent on disk encryption
and spend it on a physical security system.  Bolting the dang thing down
with a really nice physical lock comes to mind. ;)

Start talking about real tape and my answer changes.  I think all real
tapes should be encrypted, especially ones leaving the datacenter.
They're far too easy to lose and/or steal to not do that.

---
W. Curtis Preston
Author of O'Reilly's Backup & Recovery and Using SANs and NAS
VP Data Protection
GlassHouse Technologies


-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Gill, Geoffrey L.
Sent: Friday, June 15, 2007 3:15 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] Fw: Just how does a VTL work?

> You cannot encrypt the data before it goes to the VTL and expect it to
de-dupe it.  But you can encrypt when copying from the VTL to tape, or
you can put an encryption box behind the VTL head but in front of the
disk and you're OK (although I don't see the point).

You obviously don't live in a world where you have to protect financial
data, or any other data for that matter.
 
Geoff Gill 
TSM Administrator 
PeopleSoft Sr. Systems Administrator 
SAIC M/S-G1b 
(858)826-4062 
Email: geoffrey.l.gill AT saic DOT com