Re: [Networker] New libraries with LTO-4 & encryption

2008-07-25 09:27:11
Subject: Re: [Networker] New libraries with LTO-4 & encryption
From: "Clark, Patti" <clarkp AT OSTI DOT GOV>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Fri, 25 Jul 2008 09:14:27 -0400
> -----Original Message-----
> From: EMC NetWorker discussion [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On Behalf Of Davina Treiber
> Sent: Thursday, July 24, 2008 6:06 PM
> To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
> Subject: Re: [Networker] New libraries with LTO-4 & encryption
> 
> Clark, Patti wrote:
> 
> > Some $$ have come our way and management made the decision that we
> > are going to LTO-4 and encryption.  That being said, we've moved
> > forward on the research and pricing.  Before we actually place the
> > order I want to see if anyone else has had [b]leading edge experience
> > in this area that might provide me with questions that I haven't
> > thought to ask or suggestions on how to handle some of the aspects
> > that are new with the technology.  We've looked at appliances and have
> > decided not to go that way.
> >
> > The current system is RHEL4, NWv7.3.3 (server and clients) with a mix
> > of RHEL, Solaris, OSX, and Win clients,
> > 1 - SCSI attached library with 3 LTO-2 drives.
> >
> > The new system will be RHEL4 or 5 (updated with new HBAs), NWv7.4.2
> > same client mix
> > 1 - FC attached library (Quantum i500) with 3 LTO-4 drives (IBM) - at
> > least 2 drives will have encryption enabled.
> > Software to perform encryption key management
> >
> > I've kept track of the HBA discussions, IBM drive info, Networker
> > upgrade threads, and anything else related.  I expect to upgrade
> > Networker and then the OS prior to the HW switch.  Not much has been
> > said about encryption.  Does it work as advertised?  Is it fairly
> > seamless?  Networker doesn't really see any difference and it's
> > business as usual?  How about key management?  Do I believe the sales
> > materials?
> 
> I've used this. When you get the key management set up and running,
> yes it is totally transparent to NetWorker. In theory you lose a tiny
> amount of throughput, but the LTO-4 drives are so fast in the first
> place that you are unlikely to be able to drive them fast enough to see
> a difference.
>
> The question is, what are you going to use to manage the encryption?
> Some backup apps are capable of managing this, NetWorker is not one of
> them. TSM is, but this is probably because IBM has a vested interest in
> encryption since they are an LTO vendor.
>
> In my case, my customer controlled the encryption from an IBM TS3500
> library (AKA 3584). The key management software is called EKM and runs
> on one or more Unix boxes (probably Windows too). It was tricky to set
> up, even with the help of the IBM "expert" who I don't think had done
> this before. The problems mainly revolved around Java versions (quelle
> surprise) and some inconsistencies between different versions of the
> software on different platforms.
>
> Once it was working it worked very well. The encryption can be
> selectively enabled based on barcode ranges. You can have a large
> number of keys if you desire. If the key manager software is stopped,
> normal operations will continue until such time as a tape needs
> labelling, at which point you see perplexing (apparent) media failures.
> Restarting EKM fixes this.
>
> IMHO this is a better option than an encryption appliance and certainly
> better than the limited functionality supplied by any backup software
> package such as NetWorker. The big drawback of NetWorker encryption of
> course is that you lose compression when you use it. This will impact
> on throughput and media usage. Apparently the IBM TS1120 drives offer
> even better capabilities in terms of key management than LTO-4, but at
> a price.
>
> I predict that in a few years everyone will use drive-based hardware
> encryption and the other methods will die. Only low end drives will be
> unencrypted. I could be wrong.
> 
Thank you, Davina.  This info is exactly what I am looking for. Quantum
is using IBM drives in their libraries at this time. The sales rep just
sent me Quantum's White Paper on their key manager - they call it Q-EKM.
It is software that they are recommending running on a separate box from
the backup server.  Hopefully, I'll be able to wrap my mind around this
big change and not find myself in a big trap.

To reply as to why not use an appliance?  It is more expensive of a
solution for us.  You need an appliance for each channel connection.
For my 3-tape drive library I'd need at least 2 appliances.  Pricing
estimates run $20-$30K per appliance.  One additional thought, I started
looking at this subject last fall.  Already, one of the appliance
vendors has been acquired.  This technology is still shaking out and
there is no telling who will remain in the game and offer support until
the end.  IBM, HP, and Quantum will either be here or their technologies
will be supported because of their large presence.  

One more observation for anyone looking to go LTO-4 with the idea that
encryption will come later, there are tape drives and libraries that
will do everything LTO-4 but NOT encryption.  Not now and not later.  I
was looking at a different, smaller library that supports LTO-3 and
LTO-4.  I just found out that it does not support encryption.  As Davina
described, the library HW/SW itself is an integral part of the
encryption management.

Patti 
 
