Re: [Networker] LTO4 encryption key management
2009-11-13 10:46:24
On Nov 12, 2009, at 09:35, Clark, Patti wrote:
> A quick look at Netbackup would seem to indicate that they may be
> providing the encryption capability with an optional add-on.
> Without the details, I am sure there are specific requirements to
> make it work for a D&R or offsite set up.
Encryption / key management was released in 6.5.2 and is free
according to (8m55s):
http://www.youtube.com/watch?v=q34P5e1Kfgw
This free / unlicensed version has some limits, but works AFAICT.
Going by the 6.5.2 release notes (chapter 5), [1] all the volume keys
are stored in a file [2] which is encrypted with a 'master key' (also
stored in a file [3]). The keys (both master and 'volume') can be
either randomly generated, or algorithmically via a passphrase (so
that they can be re-created if need be).
To back up the keystore, you quiesce the key database, copy the files
some place else, and then unquiesce. To restore the keystore you
simply copy the relevant files back. The 'copy' could be a simple tar
or zip, but I'm guessing you would want to securely encrypt things
(PGP, OpenSSL). Once encrypted, the file could be mailed out or FTPed
someplace (or even posted to Usenet :).
I think this functionality is sufficient for a lot of people, and I
look forward to the time when NW includes it. KMS appliances have
their place, but are overkill for people who want basic security for
stuff that's taken offsite.
[1] http://seer.entsupport.symantec.com/docs/302438.htm
[2] /opt/openv/kms/db/KMS_DATA.dat
[3] /opt/openv/kms/key/KMS_HMKF.dat
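As an added illustration (not code from the post, nor from Symantec/NetBackup), here is a POSIX shell script that performs the quiesce / copy / encrypt / unquiesce sequence described above and then proves the encrypted copy restores intact. It uses openssl rather than PGP. The post does not name the quiesce/unquiesce commands, so they are assumed and taken from the KMS_QUIESCE / KMS_UNQUIESCE environment variables (defaulting to a no-op so the script can be exercised against sample files); the two keystore paths are the ones in footnotes [2] and [3], and the passphrase is read from KMS_BACKUP_PASSPHRASE.

```shell
#!/bin/sh
# Added example: encrypted backup and verified restore of the NetBackup KMS
# keystore files. Assumptions not stated on the page: KMS_QUIESCE /
# KMS_UNQUIESCE hold the site's real quiesce and unquiesce commands (default
# 'true', i.e. a no-op); openssl and tar are installed.

KMS_DB="${KMS_DB:-/opt/openv/kms/db/KMS_DATA.dat}"      # volume keys, footnote [2]
KMS_HMK="${KMS_HMK:-/opt/openv/kms/key/KMS_HMKF.dat}"   # master key file, footnote [3]
KMS_QUIESCE="${KMS_QUIESCE:-true}"
KMS_UNQUIESCE="${KMS_UNQUIESCE:-true}"

# kms_backup_keystore OUT_FILE
# Quiesce the key database, tar both keystore files, unquiesce, then encrypt
# the tar with a passphrase-derived AES-256 key. Prints the SHA-256 of the
# plaintext tar so it can be recorded out-of-band for later verification.
kms_backup_keystore() {
    out="$1"
    [ -n "${KMS_BACKUP_PASSPHRASE:-}" ] || { echo "KMS_BACKUP_PASSPHRASE not set" >&2; return 2; }
    tmp_tar=$(mktemp)
    $KMS_QUIESCE || { rm -f "$tmp_tar"; return 1; }
    rc=0
    # Absolute paths are archived relative to / so they restore under any prefix.
    tar -cf "$tmp_tar" -C / "${KMS_DB#/}" "${KMS_HMK#/}" || rc=$?
    # Always unquiesce, even if the copy failed, so the database is never left frozen.
    $KMS_UNQUIESCE || rc=$?
    if [ "$rc" -eq 0 ]; then
        # -pbkdf2 derives the key from the passphrase with a random salt,
        # so the same passphrase yields a different ciphertext each run.
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:KMS_BACKUP_PASSPHRASE \
            -in "$tmp_tar" -out "$out" || rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        openssl dgst -sha256 "$tmp_tar" | awk '{print $NF}'
    fi
    rm -f "$tmp_tar"
    return "$rc"
}

# kms_restore_keystore IN_FILE DEST_DIR
# Decrypt the archive and unpack it under DEST_DIR (use / for a real restore).
# A wrong passphrase makes openssl report "bad decrypt" and tar reject the stream.
kms_restore_keystore() {
    in="$1"; dest="$2"
    [ -n "${KMS_BACKUP_PASSPHRASE:-}" ] || { echo "KMS_BACKUP_PASSPHRASE not set" >&2; return 2; }
    mkdir -p "$dest" || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -pass env:KMS_BACKUP_PASSPHRASE -in "$in" \
        | tar -xf - -C "$dest"
}

# kms_verify_restore DEST_DIR
# Byte-compare the restored copies against the live keystore files.
kms_verify_restore() {
    dest="$1"
    cmp -s "$KMS_DB" "$dest/${KMS_DB#/}" && cmp -s "$KMS_HMK" "$dest/${KMS_HMK#/}"
}
```

Typical use on the master server: `KMS_BACKUP_PASSPHRASE=... kms_backup_keystore /secure/kms-$(date +%F).enc`, keep the printed digest somewhere other than the archive, and periodically `kms_restore_keystore` into a scratch directory followed by `kms_verify_restore` to confirm the offsite copy is still readable. The passphrase-derived key is what makes this recoverable at a DR site without any other secret having to travel with the file.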
To sign off this list, send email to listserv AT listserv.temple DOT edu and type
"signoff networker" in the body of the email. Please write to networker-request
AT listserv.temple DOT edu if you have any problems with this list. You can access the
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER