2008-01-10 22:16:14
Subject: Re: [Networker] Encrpyption
From: Stan Horwitz <stan AT TEMPLE DOT EDU>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Thu, 10 Jan 2008 22:08:06 -0500
On Jan 10, 2008, at 9:38 PM, David Magda wrote:

> On Jan 10, 2008, at 16:35, lemons_terry AT emc DOT com wrote:
>
>> All of these require a supporting environment to provide key management, drive configuration, etc. For the TS1120 and T10000A at least, this adds tens of thousands of dollars to the cost of the drive itself, in my experience.
>
> I'm probably missing something, but why can't Networker do the key management?
>
> I would think that the logical way to implement encryption for these tape drives is to have a SCSI command where you send a key and say "enable encryption". The backup software would then keep the key in its database and tie it to the backup session.

Do you propose that some Joe NetWorker administrator have access to his or her organization's security keys? I for one would not want to have that level of responsibility. The person who holds the keys should be in the data security group, not the backup group. I experimented with NetWorker 7.4's encryption feature last summer. As soon as I got it working, my boss asked me never to use it again, which is what I was hoping would happen. What would happen if the only person who knows what the encryption key is gets struck by lightning after having just changed the key in NetWorker? Without the key that was used when an encrypted backup is done, recovering that data would be impossible.

> Then, when you want to restore or clone, Networker (or whatever) would look up the file's save set, get the key, send it to the drive, and tell it to decrypt the data as it comes off the media.
>
> Does anyone know of any documents or white papers that describe the architecture of this?

Google is your friend. My favorite way to do encryption is http://www.ingrian.com but there are also other options.
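The two points the thread raises, a per-save-set key that the backup catalog hands to the drive at restore time, and the question of what happens when the one person holding the key is gone, can be modelled in a few dozen lines. The following is an added example, not code from this thread, from NetWorker, or from any of the drive vendors mentioned; it assumes a hypothetical catalog where each save set gets its own random data key stored only in wrapped form, a key-encryption key (KEK) that belongs to the security group rather than the backup administrator, and Shamir secret sharing of that KEK across several custodians so that no single absence makes restores impossible. The wrap uses an HMAC-SHA256 keystream and tag as a standard-library stand-in for AES key wrap (RFC 3394), which a real deployment would use instead.

```python
"""Per-save-set data keys under a custodian-split KEK (hypothetical model).

Assumptions, none taken from the thread: the catalog stores only wrapped data
keys; the KEK is split with Shamir secret sharing (k of n custodians); the
HMAC-based wrap below stands in for AES key wrap in a real system.
"""
import hashlib
import hmac
import secrets

PRIME = 2**521 - 1   # Mersenne prime used as the Shamir field; every 256-bit key is < PRIME
KEY_BYTES = 32


def generate_key() -> bytes:
    """Fresh random 256-bit key (one per save set, or the KEK itself)."""
    return secrets.token_bytes(KEY_BYTES)


def _keystream(kek: bytes, label: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(kek, label || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, data_key: bytes, saveset_id: str) -> dict:
    """Catalog record: data key XORed with a save-set-bound keystream, plus an integrity tag."""
    ssid = saveset_id.encode()
    ks = _keystream(kek, b"wrap:" + ssid, len(data_key))
    wrapped = bytes(a ^ b for a, b in zip(data_key, ks))
    tag = hmac.new(kek, b"tag:" + ssid + wrapped, hashlib.sha256).digest()
    return {"saveset": saveset_id, "wrapped": wrapped, "tag": tag}


def unwrap_key(kek: bytes, record: dict) -> bytes:
    """Recover the data key for a restore; a wrong KEK fails the tag check instead of yielding garbage."""
    ssid = record["saveset"].encode()
    expected = hmac.new(kek, b"tag:" + ssid + record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError(f"wrong KEK or corrupted catalog record for {record['saveset']}")
    ks = _keystream(kek, b"wrap:" + ssid, len(record["wrapped"]))
    return bytes(a ^ b for a, b in zip(record["wrapped"], ks))


def split_secret(secret: bytes, n: int, k: int) -> list:
    """Shamir split: n shares of a random degree-(k-1) polynomial whose constant term is the secret."""
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: list) -> bytes:
    """Lagrange interpolation at x = 0; fewer than k shares give an unrelated value."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # An under-quorum reconstruction is a random field element; truncate so it still
    # has key length and let the wrap tag reject it downstream.
    return (total % (1 << (8 * KEY_BYTES))).to_bytes(KEY_BYTES, "big")


def run_lifecycle() -> dict:
    """Backup two save sets, discard the KEK, restore with a quorum, show two custodians cannot."""
    kek = generate_key()
    custodian_shares = split_secret(kek, n=5, k=3)   # five custodians, any three suffice
    catalog, drive_keys = {}, {}
    for ssid in ("ss-1001", "ss-1002"):              # constructed save-set ids
        dk = generate_key()
        catalog[ssid] = wrap_key(kek, dk, ssid)      # what the catalog persists
        drive_keys[ssid] = dk                        # what the drive was told to encrypt with
    del kek                                          # nobody keeps the whole KEK
    quorum_kek = recover_secret(custodian_shares[:3])
    restored = {ssid: unwrap_key(quorum_kek, rec) for ssid, rec in catalog.items()}
    try:
        unwrap_key(recover_secret(custodian_shares[:2]), catalog["ss-1001"])
        two_custodians_succeeded = True
    except ValueError:
        two_custodians_succeeded = False
    return {"restored_matches": restored == drive_keys,
            "two_custodians_succeeded": two_custodians_succeeded}


if __name__ == "__main__":
    print(run_lifecycle())
```

The design choice worth noting is that the backup catalog never holds a usable key on its own: the administrator who can read the catalog still needs the security group's quorum to unwrap anything, and the quorum survives the loss of any two custodians.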

To sign off this list, send email to listserv AT listserv.temple DOT edu and type 
"signoff networker" in the body of the email. Please write to networker-request 
AT listserv.temple DOT edu if you have any problems with this list. You can access the 
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER