> -----Original Message-----
> From: EMC NetWorker discussion
> [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On Behalf Of STANLEY R. HORWITZ
> Sent: Thursday, November 12, 2009 12:07 AM
> To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
> Subject: Re: [Networker] LTO4 encryption key management
>
> On Nov 11, 2009, at 11:30 PM, Gold, Evan wrote:
>
> > Hello All,
> >
> > I currently run LTO2, Legato 7.5.1 on Windows and want to upgrade to LTO4.
> > With LTO4 I would stop using Legato software encryption (which is slow and cannot encrypt NDMP), and start using LTO4 hardware encryption.
> > I need to encrypt NDMP backups.
> >
> > I am trying to find out the best way to manage LTO4 encryption keys using Legato 7.5.1.
> >
> > I want the ability to restore my LTO4 encrypted tapes at a remote site using only Legato and a standalone LTO4 tape drive.
> > Does anyone know if that is possible?
> >
> > I have spoken to library vendors and each of those claims I must have their jukebox to perform restores.
> > I do not want to buy a second library just for disaster recovery offsite.
> >
> > What are other people doing for this?
> >
> > Will Legato be able to handle the key management in a future release?
> >
> > I heard NetBackup can handle the key management now, but Legato cannot.
>
> NetWorker has no provision to handle encryption keys for
> LTO-4 devices now. Contact EMC to see if they anticipate that
> feature coming to NetWorker within your desired time frame.
>
Currently, LTO-4 encryption is a dialog between the encryption key management
software and the LTO-4 tape drives to establish the keys being used for the
media in the drive. After that's done, the drive handles the encryption.
NetWorker does not even enter into the conversation. There is very little
"management" involved for the administrator. A set of encryption keys is
generated when the software is installed. The software and the key repository
should be protected with their own separate backup to media - CD/DVD is
recommended. Once the encryption management software and the hardware have
been set up, there is almost nothing more to do. We are using Quantum's i500
library and their QEKM software.

As for D&R offsite, the vendors are correct. Whatever you choose, you must
choose them for offsite management. A quick look at NetBackup would seem to
indicate that they may be providing the encryption capability with an optional
add-on. Without the details, I am sure there are specific requirements to make
it work for a D&R or offsite setup.

Patti Clark
DOE/OSTI