Networker

Re: [Networker] LTO4 encryption key management

2009-11-12 09:37:29
Subject: Re: [Networker] LTO4 encryption key management
From: "Clark, Patti" <clarkp AT OSTI DOT GOV>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Thu, 12 Nov 2009 09:35:37 -0500
> -----Original Message-----
> From: EMC NetWorker discussion 
> [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On Behalf Of STANLEY R. HORWITZ
> Sent: Thursday, November 12, 2009 12:07 AM
> To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
> Subject: Re: [Networker] LTO4 encryption key management
> 
> On Nov 11, 2009, at 11:30 PM, Gold, Evan wrote:
> 
> > Hello All,
> > 
> > I currently run LTO2, Legato 7.5.1 on Windows and want to upgrade to LTO4.
> > With LTO4 I would stop using Legato software encryption (which is slow and cannot encrypt NDMP), and start using LTO4 hardware encryption.
> > I need to encrypt NDMP backups.
> > 
> > I am trying to find out the best way to manage LTO4 encryption keys using Legato 7.5.1.
> > 
> > I want the ability to restore my LTO4 encrypted tapes at a remote site using only Legato and a standalone LTO4 tape drive.
> > Does anyone know if that is possible?
> > 
> > I have spoken to library vendors and each of those claims I must have their jukebox to perform restores.
> > I do not want to buy a second library just for disaster recovery offsite.
> > 
> > What are other people doing for this?
> > 
> > Will Legato be able to handle the key management in a future release?
> > 
> > I heard Netbackup can handle the key management now, but Legato cannot.
> 
> NetWorker has no provision to handle encryption keys for 
> LTO-4 devices now. Contact EMC to see if they anticipate that 
> feature coming to NetWorker within your desired time frame. 
> 
Currently, LTO-4 encryption is a dialog between the encryption key management 
software and the LTO-4 tape drives to establish the keys being used for the 
media in the drive.  After that's done, the drive handles the encryption.  
Networker does not even enter into the conversation.  There is very little 
"management" involved for the administrator.  A set of encryption keys is 
generated when the software is installed.  The software and the key repository 
should be protected with their own separate backup to media - CD/DVD is 
recommended.  Once the encryption management software and the hardware have 
been set up, there is almost nothing more to do.  We are using Quantum's i500 
library and their QEKM software.  

As for D&R offsite, the vendors are correct.  Whatever you choose, you must 
choose them for offsite management.  A quick look at Netbackup would seem to 
indicate that they may be providing the encryption capability with an optional 
add-on.  Without the details, I am sure there are specific requirements to make 
it work for a D&R or offsite set up.

Patti Clark
DOE/OSTI
