Re: [Networker] New libraries with LTO-4 & encryption

2008-07-24 14:42:15
Subject: Re: [Networker] New libraries with LTO-4 & encryption
From: "Clark, Patti" <clarkp AT OSTI DOT GOV>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Thu, 24 Jul 2008 14:38:47 -0400
> -----Original Message-----
> From: EMC NetWorker discussion 
> [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On Behalf Of Bruce Breidall
> Sent: Thursday, July 24, 2008 2:12 PM
> To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
> Subject: Re: [Networker] New libraries with LTO-4 & encryption
> 
> Some additional comments.
> 
> I am not familiar with 7.4, so I don't know what has changed with
> regards to encryption, but there is no key management. There is one
> place to configure "a" key in the NW server properties, and 
> that is it. 
> 
> Encryption is controlled as an aes directive, so it is extremely
> difficult to be selective without having a configuration that is
> impossible to maintain and support. There is no way that I know of to
> tell if a saveset is encrypted via mminfo.
>  
> As mentioned, NW encryption is not any kind of standard like Kerberos,
> and it is completely proprietary, and not strong at all from what I
> hear.
> 
> 
> 
> -----Original Message-----
> From: EMC NetWorker discussion 
> [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On
> Behalf Of George Sinclair
> Sent: Thursday, July 24, 2008 12:59 PM
> To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
> Subject: Re: [Networker] New libraries with LTO-4 & encryption
> 
> Clark, Patti wrote:
> > Hi, all.
> > 
> > Some $$ have come our way and management made the decision that we are
> > going to LTO-4 and encryption.  That being said, we've moved forward on
> > the research and pricing.  Before we actually place the order I want to
> > see if anyone else has had [b]leading edge experience in this area that
> > might provide me with questions that I haven't thought to ask or
> > suggestions on how to handle some of the aspects that are new with the
> > technology.  We've looked at appliances and have decided not to go that
> > way. 
> > 
> > The current system is RHEL4, NWv7.3.3 (server and clients) with a mix of
> > RHEL, Solaris, OSX, and Win clients, 
> > 1 - SCSI attached library with 3 LTO-2 drives.
> > 
> > The new system will be RHEL4 or 5 (updated with new HBAs), NWv7.4.2 same
> > client mix
> > 1 - FC attached library (Quantum i500) with 3 LTO-4 drives (IBM) - at
> > least 2 drives will have encryption enabled.
> 
> Just out of curiosity, how will you control what data gets encrypted and
> what data doesn't? Seems you'd have to specify or hard code those
> specific devices in the pools? Not sure how easy that would be to
> manage. If you're encrypting on the NW end of things - I've heard it
> supports encryption but not sure how strong it is - then I would think
> you would have better control as far as which groups encrypt, etc. Seems
> you could fine tune it better, but I've not played with NW 7.4 so not
> sure about that. However, it's my understanding that if encryption is
> turned on for a given drive then everything that goes to that drive will
> be encrypted. In some cases, there might be certain data you might not
> want encrypted??? Then again, maybe it's carte blanche on everything?
> 
> Because NW is already writing the data in proprietary format, it doesn't
> seem so bad to have it encrypt it also. Otherwise, you have the data in
> one format and the encryption in another. Two hurdles to clear there,
> but again, I have no idea how similar or strong NW encryption is versus
> the drive manufacturer's encryption. Not sure what standards the drive
> encryption uses either?
> 
> I'm not really answering your questions, but your post just got me
> thinking of more.
> 
> George
> 
> > Software to perform encryption key management
> > 
> > I've kept track of the HBA discussions, IBM drive info, Networker
> > upgrade threads, and anything else related.  I expect to upgrade
> > Networker and then the OS prior to the HW switch.  Not much has been
> > said about encryption.  Does it work as advertised?  Is it fairly
> > seamless?  Networker doesn't really see any difference and it's business
> > as usual?  How about key management?  Do I believe the sales materials?
> > 
> > Patti Clark
> > Sr. Unix System Administrator - RHCT, GSEC
> > Office of Scientific and Technical Information
> > 
> > 
> > 
> > 
> > To sign off this list, send email to listserv AT listserv.temple DOT edu and
> > type "signoff networker" in the body of the email. Please write to
> > networker-request AT listserv.temple DOT edu if you have any problems with this
> > list. You can access the archives at
> > http://listserv.temple.edu/archives/networker.html or
> > via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
> > 
> 
> 
> -- 
> George Sinclair
> NOAA/NESDIS/National Oceanographic Data Center
> SSMC3 E/OC3 Room 4145         | Voice: (301) 713-3284 x210
> 1315 East West Highway        | Fax:   (301) 713-3301
> Silver Spring, MD 20910-3282  | Web Site:  http://www.nodc.noaa.gov/
> - Any opinions expressed in this message are NOT those of the US Govt. -
> 

Just to clarify, the encryption that I'm referring to is strictly the
LTO-4 encryption, not the Networker encryption.  I understand that the
entire tape will be encrypted.  I also understand that if I'm to use an
encrypted tape other than the originating system, I need to share the
key(s).  Key management is an integral part of using encryption.  LTO-4
is not, by default, encrypting.  It is something that gets set on the
drive.  Other than turning encrypting off for a specific activity, why
would I not want to have everything encrypted all of the time?

Patti
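Patti's point that LTO-4 encryption "is something that gets set on the drive" is worth being able to verify rather than trust: the drive's current state is readable over SCSI through SECURITY PROTOCOL IN (security protocol 0x20, the tape data encryption protocol, page 0x0020 "Data Encryption Status"), which is also what the drive-side key managers talk to. The following is an added example written for this page, not code from the thread, NetWorker or any drive vendor. It builds the 12-byte SPIN CDB and decodes the fixed header of the status page as laid out in SSC-3 (encryption mode, decryption mode, algorithm index, key instance counter); the flag byte and the key-associated data descriptors that follow are deliberately left undecoded. The two sample responses are constructed by hand. Actually issuing the CDB needs a pass-through such as SG_IO or sg_raw from sg3_utils and is not done here.

```python
"""Added example: build a SCSI SECURITY PROTOCOL IN command for the LTO tape
data encryption protocol and decode the Data Encryption Status page a drive
returns, so an admin can check that a drive really is in ENCRYPT mode.
Offsets follow SSC-3; the sample pages below are constructed, not captured."""
import struct

SPIN_OPCODE = 0xA2                   # SECURITY PROTOCOL IN
TAPE_DATA_ENCRYPTION = 0x20          # security protocol: tape data encryption
DATA_ENCRYPTION_STATUS_PAGE = 0x0020 # page code in the protocol-specific field

# Mode values defined by SSC-3 for the two mode bytes of the status page.
ENCRYPTION_MODES = {0: "DISABLE", 1: "EXTERNAL", 2: "ENCRYPT"}
DECRYPTION_MODES = {0: "DISABLE", 1: "RAW", 2: "DECRYPT", 3: "MIXED"}


def build_spin_cdb(page_code: int, alloc_len: int) -> bytes:
    """12-byte SECURITY PROTOCOL IN CDB: opcode, security protocol,
    protocol-specific field (page code, big-endian), INC_512 clear so the
    allocation length is in bytes, reserved, allocation length, reserved, control."""
    return struct.pack(">BBHBBIBB", SPIN_OPCODE, TAPE_DATA_ENCRYPTION, page_code,
                       0x00, 0x00, alloc_len, 0x00, 0x00)


def parse_data_encryption_status(page: bytes) -> dict:
    """Decode the fixed part of the Data Encryption Status page:
    bytes 0-1 page code, 2-3 page length (n-3), 4 I_T nexus scope (bits 7-5),
    5 encryption mode, 6 decryption mode, 7 algorithm index,
    8-11 key instance counter. Flags and KAD descriptors are not decoded."""
    if len(page) < 12:
        raise ValueError("Data Encryption Status page shorter than its fixed header")
    page_code, page_len = struct.unpack(">HH", page[:4])
    if page_code != DATA_ENCRYPTION_STATUS_PAGE:
        raise ValueError("unexpected page code 0x%04x" % page_code)
    if page_len + 4 > len(page):
        raise ValueError("PAGE LENGTH claims more bytes than were returned")
    enc_mode, dec_mode, algo_index = page[5], page[6], page[7]
    (key_instance,) = struct.unpack(">I", page[8:12])
    return {
        "nexus_scope": page[4] >> 5,
        "encryption_mode": ENCRYPTION_MODES.get(enc_mode, "RESERVED(%d)" % enc_mode),
        "decryption_mode": DECRYPTION_MODES.get(dec_mode, "RESERVED(%d)" % dec_mode),
        "algorithm_index": algo_index,
        "key_instance_counter": key_instance,
        # Only ENCRYPT (2) means data written from now on is encrypted by the drive.
        "writes_encrypted": enc_mode == 2,
    }


def drive_is_encrypting(page: bytes) -> bool:
    """True only when the drive reports encryption mode ENCRYPT."""
    return parse_data_encryption_status(page)["writes_encrypted"]


# Constructed sample pages (not from a real drive).
SAMPLE_ENCRYPTING = bytes([
    0x00, 0x20,              # page code 0x0020
    0x00, 0x08,              # page length: 8 bytes follow this field
    0x20,                    # I_T nexus scope in bits 7-5
    0x02, 0x02,              # encryption mode ENCRYPT, decryption mode DECRYPT
    0x01,                    # algorithm index 1
    0x00, 0x00, 0x00, 0x03,  # key instance counter 3 (a key has been loaded)
])
SAMPLE_DISABLED = bytes([
    0x00, 0x20, 0x00, 0x08, 0x20,
    0x00, 0x00,              # both modes DISABLE: plaintext to tape
    0x00,
    0x00, 0x00, 0x00, 0x00,  # no key instance
])

if __name__ == "__main__":
    print("CDB:", build_spin_cdb(DATA_ENCRYPTION_STATUS_PAGE, 256).hex())
    for name, page in (("encrypting", SAMPLE_ENCRYPTING), ("disabled", SAMPLE_DISABLED)):
        print(name, parse_data_encryption_status(page))
```

The status page reports the drive's mode at the moment you ask; it says nothing about media written before that mode was set, so a check of this kind belongs at the start of each backup session (or in a job pre-script), not as a one-time acceptance test after the library is installed.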
