ADSM-L

Re: [ADSM-L] AW: [ADSM-L] 3592 Drive Encryption

2008-01-09 13:13:17
Subject: Re: [ADSM-L] AW: [ADSM-L] 3592 Drive Encryption
From: David E Ehresman <deehre01 AT LOUISVILLE DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 9 Jan 2008 13:12:15 -0500
There are 3592-E05 drives which require an additional feature ($$) to
enable encryption.  We have six of them.

David

>>> Wanda Prather <wprather AT JASI DOT COM> 1/9/2008 11:46 AM >>>
I'm confused.

The 3592-J1A drives (the original 3592s) require an upgrade to support
encryption. The 3592-E05 drives are now called TS1120 drives; I thought ALL
those drives shipped with encryption. The question may be what type of
library you have, and whether the library requires a firmware upgrade for
encryption support.

If you are going to run TSM-based encryption, I strongly recommend upgrading
to 5.5 first.  In 5.3/5.4, the TDP clients support "transparent" encryption;
you don't have to worry about key management, TSM generates random keys and
manages them for you.  Starting in 5.5, the basic clients work the same way,
with "Transparent" encryption using randomly generated keys stored in the
TSM DB.

IF you turn on client encryption, be sure to turn on client compression as
well.  Once the data is encrypted, the tape drives can't compress it
outboard.  The clients are smart enough to do compression before encryption,
if both are enabled.  (This will slow down your backups, and especially slow
down restores because of the cycles needed to decompress and decrypt.)

But I agree with Neil;  hardware encryption is faster and cleaner.  I would
double check on your drive support....

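An added illustration of Wanda's point about ordering compression and encryption (example code written for this archive, not from the thread, from TSM or from IBM): it measures how much a constructed, backup-like payload shrinks when the client compresses before encrypting, versus when already-encrypted data is handed to an "outboard" compressor, which models what a tape drive sees. The cipher is a toy HMAC-SHA256 keystream standing in for the client's AES so the script runs offline with the standard library; only the statistical effect (ciphertext looks random and does not compress) matters here, and it is not a production cipher.

```python
"""Added example (not from the ADSM-L thread): why compression must run
before encryption.  Uses a constructed sample payload and a toy keystream
cipher (HMAC-SHA256 in counter mode) as a stand-in for the client's AES,
so it runs offline with the standard library only."""
import hashlib
import hmac
import secrets
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter keystream.
    Illustrative only; it models the statistical effect of encryption
    (output indistinguishable from random), not a production cipher.
    XOR is its own inverse, so the same call decrypts."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    """What the TSM client does when both options are enabled."""
    return keystream_xor(key, zlib.compress(data, 6))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    """Encrypted client data arriving at a drive that compresses outboard."""
    return zlib.compress(keystream_xor(key, data), 6)


def decrypt_and_decompress(key: bytes, blob: bytes) -> bytes:
    """Restore path for compress_then_encrypt: decrypt first, then inflate."""
    return zlib.decompress(keystream_xor(key, blob))


def ratio(original: bytes, stored: bytes) -> float:
    """Bytes that would go to tape as a fraction of the original size."""
    return len(stored) / len(original)


# Constructed backup-like payload: repetitive text, typical of logs or DB dumps.
SAMPLE = (b"2008-01-09 13:12:15 backup node=NODE01 file=/data/db2/log.0001 ok\n"
          * 2000)


def demo(key: bytes = None) -> dict:
    """Return the stored-size ratio for both orderings; also round-trips
    the compress-then-encrypt blob to show the restore path works."""
    key = key or secrets.token_bytes(32)
    cte = compress_then_encrypt(key, SAMPLE)
    etc = encrypt_then_compress(key, SAMPLE)
    if decrypt_and_decompress(key, cte) != SAMPLE:
        raise RuntimeError("round trip failed")
    return {"compress_then_encrypt": ratio(SAMPLE, cte),
            "encrypt_then_compress": ratio(SAMPLE, etc)}


if __name__ == "__main__":
    for order, r in demo().items():
        print(f"{order}: {r:.3f} of original size written")
```

Run as-is: the compress-then-encrypt ratio comes out at a few percent of the original, while the encrypt-then-compress ratio is slightly above 1.0 because deflate can only store incompressible input with framing overhead. That is the same outcome a drive's outboard compression produces on client-encrypted data, which is why Wanda pairs client encryption with client compression.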

On 1/9/08, Herrmann, Boris <Boris.Herrmann AT arag DOT de> wrote:
>
> Neil,
>
> thanks for your detailed information. I've checked with IBM support.
> Unfortunately our 3592-E05 Drives are not encryption capable. IBM support
> told me that we can purchase a feature code (with the result that all our
> drives would be replaced with new ones), but our management didn't want to
> pay anything.
>
> They asked me if there would be any other way to encrypt the data without
> any cost. I don't know any way except the TSM client encryption (but I think
> it's not practical to encrypt all data on the client systems, or is it?).
> We make normal backups and archives, a lot of db2 api backups, TDP
> (Exchange, Domino, MSSQL) and Oracle RMAN backups. Every day we back up
> about 3-5 TB.
>
> Does anyone have any other practical implementation of encrypting Volumes
> without hardware drive encryption?
>
> With kind regards,
> ______________________________________
>
> Boris Herrmann
> Production / Heterogeneous Systems
>
> ARAG IT GmbH
> ARAG Platz 1, 40472 Düsseldorf
>
> Tel:  +49 (0)211 964-1137
> Fax: +49 (0)211 964-1155
> Boris.Herrmann AT ARAG DOT de
> www.ARAG.de
>
>
> Managing Directors:  Ottmar Liebler, Hanno Petersen
> Registered office and court of registration:  Düsseldorf,  HRB 10934
> VAT ID no.:  DE 119 356 473
>
>
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
> Strand, Neil B.
> Sent: Monday, 7 January 2008 17:03
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Re: [ADSM-L] 3592 Drive Encryption
>
>
> Boris,
>   Verify that the library and drives are capable - may need a firmware
> upgrade or feature code - check with IBM.  You will also want to ensure you
> have the latest Atape driver installed.
>
>   A logical library is either encryption capable or not - the drives in a
> logical library cannot be mixed.  If you implement library managed
> encryption, you have a great deal of flexibility over which volumes get
> encrypted and with which encryption keys they are encrypted.
>
>   I strongly encourage you to set up at least two, redundant Encryption
> Key Managers (EKM) because if a drive is unable to get a key, you get no
> volume to read from or write to and things can grind to a halt quickly.
>   There are several IBM references including a Redbook on setting up the
> EKM.
>
>   You may consider first creating a logical library with one or two drives
> and then testing various configurations with a small number of volumes and
> data that can be lost if you mess up.  If you lose the encryption key, you
> lose the data that was saved with it - you have been warned, no key, no
> data.
>
>   I encrypt everything that goes on tape (primary and copy pools) on the
> assumption that tape is easily transportable.  If a tape is ejected from the
> library (for any reason), all of the data is still protected by
> encryption.  There is negligible performance impact with encryption on these
> drives.
>
>   Plan on at least a 4-6 week implementation and make sure you test and
> document your key and data recovery procedures and key changing procedures.
>
>   I chose to implement library managed rather than application managed
> because it offered flexibility to have the encryption component managed by
> our security team without having them learn TSM.  It also allows encryption
> of media outside of TSM so if we need to ship a tarfile on tape, it can be
> done securely with a minimum of fuss.  Library managed also allows you to
> specify which tapes get encrypted - a volser range or a single tape to be
> encrypted with a specific encryption key (that key could be shared with a
> business partner).
>
>
> Cheers,
> Neil Strand
> Storage Engineer - Legg Mason
> Baltimore, MD.
> (410) 580-7491
> Whatever you can do or believe you can, begin it.
> Boldness has genius, power and magic.
>
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
> Herrmann, Boris
> Sent: Monday, January 07, 2008 10:10 AM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: [ADSM-L] 3592 Drive Encryption
>
> Hello TSM'ers,
>
> I've a question regarding Drive Encryption. We have a TSM Server v5.4.1.2 (on
> AIX 5.3.0.0) with a 3584 Tape Library and 3592-E05 Drives. We share this
> Library with our mainframe colleagues (one logical Library for mainframe and
> one logical Library for our TSM environment). Now our management wishes to
> encrypt our COPYSTORAGE-Pool volumes.
>
> My questions:
> Has anyone any experience with that issue and can give us some hints and
> tips on how to implement the Drive Encryption? Do we need additional Feature
> Codes for the Drives? Can we enable Drive Encryption only for our Logical
> Library without interfering with our mainframe colleagues?
>
>
> With kind regards,
>
> Boris Herrmann
> Production / Heterogeneous Systems
>
> ARAG IT GmbH
> ARAG Platz 1, 40472 Düsseldorf
>
> Tel:  +49 (0)211 964-1137
> Fax: +49 (0)211 964-1155
> Boris.Herrmann AT ARAG DOT de
> www.ARAG.de <http://www.arag.de/>
>
> Managing Directors:  Ottmar Liebler, Hanno Petersen
> Registered office and court of registration:  Düsseldorf,  HRB 10934
> VAT ID no.:  DE 119 356 473
>
>
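An added model of the library-managed encryption set-up Neil describes earlier in the thread (volser ranges mapped to key labels, two redundant key managers, and a mount that is refused when no key manager can supply the key). This is example code written for this archive, not IBM EKM or TSM code; the key labels, volser ranges, key material and the `KeyManager`/`EncryptionPolicy`/`mount` names are all constructed for the demonstration. It goes slightly beyond the thread by also showing the failure mode of a key that was never replicated to the second key manager.

```python
"""Added example (not from the ADSM-L thread, not IBM EKM code): a small
model of library-managed tape encryption with redundant key managers.
Key material, volser ranges and key labels are constructed values."""
from dataclasses import dataclass, field


@dataclass
class KeyManager:
    """Stand-in for one Encryption Key Manager (EKM) instance."""
    name: str
    keys: dict                 # key label -> key material (constructed)
    available: bool = True     # False simulates the EKM being unreachable

    def fetch(self, label: str) -> bytes:
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        if label not in self.keys:
            raise KeyError(f"{self.name} has no key labelled {label}")
        return self.keys[label]


@dataclass
class EncryptionPolicy:
    """Library-side rules: which volser ranges are encrypted with which key."""
    rules: list = field(default_factory=list)   # (low, high, key_label)

    def add_range(self, low: str, high: str, key_label: str) -> None:
        # Volsers in one library share a fixed length, so plain string
        # comparison orders them correctly (A00000 < A00500 < A00999).
        self.rules.append((low, high, key_label))

    def key_label_for(self, volser: str):
        for low, high, label in self.rules:
            if low <= volser <= high:
                return label
        return None   # no matching rule: the volume is written in the clear


def mount(policy: EncryptionPolicy, managers: list, volser: str) -> dict:
    """Decide how a mount proceeds.  The drive asks the key managers in
    order; if none can supply the key the mount is refused rather than
    silently falling back to plaintext ("no key, no data")."""
    label = policy.key_label_for(volser)
    if label is None:
        return {"volser": volser, "encrypted": False, "served_by": None}
    failures = []
    for km in managers:
        try:
            key = km.fetch(label)
            return {"volser": volser, "encrypted": True, "key_label": label,
                    "served_by": km.name, "key_len": len(key)}
        except (ConnectionError, KeyError) as exc:
            failures.append(str(exc))
    raise RuntimeError(f"mount of {volser} refused, no key for {label}: "
                       + "; ".join(failures))


def build_demo():
    """Two EKMs that should mirror each other.  EKM2 is deliberately missing
    PARTNER-KEY to show why replication between key managers must be
    verified before the primary is ever allowed to fail."""
    policy = EncryptionPolicy()
    policy.add_range("C00000", "C09999", "COPYPOOL-KEY")   # copy pool volsers
    policy.add_range("X00000", "X00099", "PARTNER-KEY")    # tapes shared with a partner
    ekm1 = KeyManager("EKM1", {"COPYPOOL-KEY": b"\x11" * 32,
                               "PARTNER-KEY": b"\x22" * 32})
    ekm2 = KeyManager("EKM2", {"COPYPOOL-KEY": b"\x11" * 32})
    return policy, [ekm1, ekm2]


if __name__ == "__main__":
    policy, managers = build_demo()
    print(mount(policy, managers, "C00500"))     # served by EKM1
    managers[0].available = False
    print(mount(policy, managers, "C00500"))     # fails over to EKM2
    try:
        mount(policy, managers, "X00001")        # PARTNER-KEY only on EKM1
    except RuntimeError as err:
        print("refused:", err)
```

The recovery-procedure test Neil asks for maps directly onto this model: take each key manager down in turn and confirm every key label in use can still be fetched from the other, because a label that exists on only one EKM becomes unreadable data the moment that EKM is lost.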