Veritas-bu

[Veritas-bu] To ensure overwrites

2000-11-09 13:32:06
Subject: [Veritas-bu] To ensure overwrites
From: John_Wang AT enron DOT net
Date: Thu, 9 Nov 2000 12:32:06 -0600
Hello Curtis

Thanks, the bplabel stuff worked great.   I'm always real cautious when it comes
to labelling tapes and had assumed it would require manual drive designation.

I don't think the concern is about hackers.  I think the concern is for seizure
of mail folder backups during investigations.   Basically they want to know when
something is gone for good and hence know their liabilities.   Lawyers aren't
known to respect technical limitations when setting policies.

I'm currently thinking of extracting a list of what tapes in the pool are active
each morning and freezing them.   For the expired tapes, I'm thinking of
extracting a list of what tapes in the pool have expired but are frozen and
overwriting and unfreezing them.

Regards,
John I Wang
Sr. Systems Engineer
Steverson Information Professionals

---
Enron Broadband Services
Enron Building 1472c
ph (713) 345-4291
fax (713) 646-8063


From: curtis@colltech.com
Date: 11/09/00 11:21 AM
To: John Wang/Contractor/Enron Communications@Enron Communications
cc: veritas-bu AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] To ensure overwrites



At 10:29 AM 11/9/00 -0600, John_Wang AT enron DOT net wrote:


>Hello Curtis
>
>OK, relabeling sounds good even though I'm not sure if the degaussing concern
>applies to AIT tapes.    But since the tapes are in the library then ideally I
>would need to be able to:
>      1) take a specific drive offline so no backups will be using it
>      2) command the robot to put the specific tape in that specific drive
>      3) use bplabel with the -u or the -d specifier to label the tape in that drive
>      4) command the drive to eject the tape
>      5) command the robot to return the tape to its slot
>      6) release the drive for use

Assuming that all you want to do is relabel the drive, you only have to
tell NetBackup to bplabel it, specifying the appropriate pool, density, and
name.  You do NOT need to put it in a drive, and tell it to use that
drive.  If you've got an autoloader, then NetBackup will automatically put
the tape in a drive for you.

>I guess I could set up seven pools and schedule each day's backup to a separate
>pool such that by the time the given day of the week comes around, the tape
>would've expired but would the active tape expire before or after it gets
>appended to? (I guess either a retention level of 6 days must be set or there's
>the possibility of a run being a minute before last week's run and allocating the
>active tape.)

Ugh.  What a mess this weird requirement is imposing on you.  What you
could do is suspend the tapes after a night's backups.  That way, the tapes
will not get appended to the next day.  Then you could relabel them.

The others are right. Relabeling is only minimal protection against a
hacker.  Someone who REALLY knew what they were doing could get past your
label.  But then they would encounter a multiplexed image from NetBackup
that they would need to decipher.  I'd like to see someone read a
multiplexed image from NetBackup w/o NetBackup.  Sure -- it's
possible.  NetBackup does it when they import tapes.  The chances of a
hacker having the knowledge to pull it off?  Pretty small, IMHO.  (If it's
that important, you could also encrypt the data going to the tape.)
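
A dry-run planner for the daily routine described at the top of this message (freeze the pool's active tapes; relabel, then unfreeze, the expired frozen ones), relying on bplabel without drive designation as in the reply above. It is an added example, not code from the thread: the inventory format, the pool name `MailPool` and the density `8mm` are assumptions, and the `bpmedia`/`bplabel` flag spellings follow current NetBackup documentation.

```shell
#!/bin/sh
# Prints the NetBackup commands for the routine; it does not execute them.
# Inventory on stdin (constructed format, an assumption of this example):
#   media_id  pool  state(active|expired)  frozen(yes|no)

plan_tape_actions() {
    pool=$1       # volume pool holding the mail-folder backups (hypothetical name)
    density=$2    # density handed to bplabel -d (assumed value for the library)
    while read -r id tpool state frozen; do
        # Skip blank lines and comments.
        case $id in ''|'#'*) continue ;; esac
        # Only touch tapes that belong to the managed pool.
        [ "$tpool" = "$pool" ] || continue
        # Media IDs are at most six alphanumeric characters; refuse anything
        # else so a malformed inventory line never becomes a command.
        case $id in
            *[!A-Za-z0-9]*|???????*)
                echo "# skipped invalid media id: $id"; continue ;;
        esac
        case "$state:$frozen" in
            active:no)
                # Written to last night: freeze so nothing is appended.
                echo "bpmedia -freeze -m $id" ;;
            expired:yes)
                # Overwrite the label first and unfreeze last (the order given
                # in the message), so the tape is never writable in between.
                echo "bplabel -m $id -d $density -p $pool -o"
                echo "bpmedia -unfreeze -m $id" ;;
            *) : ;;  # already frozen and active, or expired and not frozen
        esac
    done
}

# Constructed sample inventory, not real media IDs.
sample_inventory() {
    cat <<'EOF'
# media_id pool state frozen
A00001 MailPool active no
A00002 MailPool active yes
A00003 MailPool expired yes
A00004 MailPool expired no
B00001 Scratch active no
BAD-ID1 MailPool active no
EOF
}

sample_inventory | plan_tape_actions MailPool 8mm
```

Review the printed commands before running them on the master server; building the inventory from the media database is left out because its report format is not shown in this thread.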







