HP has a USB key for small business LTO4 encryption. It only works with
some of their libraries (MSL series) but lists for ~$2500 or so. We will
end up using it, I expect. The price is right and for my situation it is
a reasonable solution.
On Fri, 2008-07-25 at 09:14 -0400, Clark, Patti wrote:
> > -----Original Message-----
> > From: EMC NetWorker discussion
> > [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On Behalf Of Davina Treiber
> > Sent: Thursday, July 24, 2008 6:06 PM
> > To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
> > Subject: Re: [Networker] New libraries with LTO-4 & encryption
> >
> > Clark, Patti wrote:
> >
> > > Some $$ have come our way and management made the decision that we are
> > > going to LTO-4 and encryption. That being said, we've moved forward on
> > > the research and pricing. Before we actually place the order I want to
> > > see if anyone else has had [b]leading edge experience in this area that
> > > might provide me with questions that I haven't thought to ask or
> > > suggestions on how to handle some of the aspects that are new with the
> > > technology. We've looked at appliances and have decided not to go that
> > > way.
> > >
> > > The current system is RHEL4, NWv7.3.3 (server and clients) with a mix of
> > > RHEL, Solaris, OSX, and Win clients,
> > > 1 - SCSI attached library with 3 LTO-2 drives.
> > >
> > > The new system will be RHEL4 or 5 (updated with new HBAs), NWv7.4.2 same
> > > client mix
> > > 1 - FC attached library (Quantum i500) with 3 LTO-4 drives (IBM) - at
> > > least 2 drives will have encryption enabled.
> > > Software to perform encryption key management
> > >
> > > I've kept track of the HBA discussions, IBM drive info, Networker
> > > upgrade threads, and anything else related. I expect to upgrade
> > > Networker and then the OS prior to the HW switch. Not much has been
> > > said about encryption. Does it work as advertised? Is it fairly
> > > seamless? Networker doesn't really see any difference and it's business
> > > as usual? How about key management? Do I believe the sales materials?
> >
> > I've used this. When you get the key management set up and running, yes
> > it is totally transparent to NetWorker. In theory you lose a tiny amount
> > of throughput, but the LTO-4 drives are so fast in the first place that
> > you are unlikely to be able to drive them fast enough to see a difference.
> >
> > The question is, what are you going to use to manage the encryption?
> > Some backup apps are capable of managing this, NetWorker is not one of
> > them. TSM is, but this is probably because IBM has a vested interest in
> > encryption since they are an LTO vendor.
> >
> > In my case, my customer controlled the encryption from an IBM TS3500
> > library (AKA 3584). The key management software is called EKM and runs
> > on one or more Unix boxes (probably Windows too). It was tricky to set
> > up, even with the help of the IBM "expert" who I don't think had done
> > this before. The problems mainly revolved around Java versions (quelle
> > surprise) and some inconsistencies between different versions of the
> > software on different platforms.
> >
> > Once it was working it worked very well. The encryption can be
> > selectively enabled based on barcode ranges. You can have a large number
> > of keys if you desire. If the key manager software is stopped, normal
> > operations will continue until such time as a tape needs labelling, at
> > which point you see perplexing (apparent) media failures. Restarting EKM
> > fixes this.
> >
> > IMHO this is a better option than an encryption appliance and certainly
> > better than the limited functionality supplied by any backup software
> > package such as NetWorker. The big drawback of NetWorker encryption of
> > course is that you lose compression when you use it. This will impact on
> > throughput and media usage. Apparently the IBM TS1120 drives offer even
> > better capabilities in terms of key management than LTO-4, but at a price.
> >
> > I predict that in a few years everyone will use drive-based hardware
> > encryption and the other methods will die. Only low end drives will be
> > unencrypted. I could be wrong.
> >
> Thank you, Davina. This info is exactly what I am looking for. Quantum
> is using IBM drives in their libraries at this time. The sales rep just
> sent me Quantum's White Paper on their key manager - they call it Q-EKM.
> It is software that they are recommending running on a separate box from
> the backup server. Hopefully, I'll be able to wrap my mind around this
> big change and not find myself in a big trap.
>
> To reply as to why not use an appliance? It is more expensive of a
> solution for us. You need an appliance for each channel connection.
> For my 3-tape drive library I'd need at least 2 appliances. Pricing
> estimates run $20-$30K per appliance. One additional thought, I started
> looking at this subject last fall. Already, one of the appliance
> vendors has been acquired. This technology is still shaking out and
> there is no telling who will remain in the game and offer support until
> the end. IBM, HP, and Quantum will either be here or their technologies
> will be supported because of their large presence.
>
> One more observation for anyone looking to go LTO-4 with the idea that
> encryption will come later, there are tape drives and libraries that
> will do everything LTO-4 but NOT encryption. Not now and not later. I
> was looking at a different, smaller library that supports LTO-3 and
> LTO-4. I just found out that it does not support encryption. As Davina
> described, the library HW/SW itself is an integral part of the
> encryption management.
>
> Patti
>
>
> To sign off this list, send email to listserv AT listserv.temple DOT edu and
> type "signoff networker" in the body of the email. Please write to
> networker-request AT listserv.temple DOT edu if you have any problems with
> this list. You can access the archives at
> http://listserv.temple.edu/archives/networker.html or
> via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER