Veritas-bu

Re: [Veritas-bu] LTO Generation 4 tape throughput with on-drive encryption

2007-12-07 13:54:54
Subject: Re: [Veritas-bu] LTO Generation 4 tape throughput with on-drive encryption
From: Joe Royer <jroyer AT digitalmotorworks DOT com>
To: veritas-bu AT mailman.eng.auburn DOT edu
Date: Fri, 7 Dec 2007 12:39:47 -0600 (CST)
I hosted a SNUG meeting in October on the topic of LTO4 Encryption.  HP claims 
to do it at speed because compression is done before encryption. No space or 
speed overhead.  I haven't tried it personally yet.

However, as many have mentioned, the real trick is key management.  As of 
October, ALL the commercial key management solutions are vendor lock in. You 
can't export your key database in any usable format except to upgrade to 
another product from the same vendor.

Any vendor that isn't going to give me access to my own keys isn't getting 
through the door.

LTO4 does give you the option of manual (scripting) key management. If your 
only concern is offsite tape, you don't need a different key for each host or 
backup image.  One key per offsite shipment, or maybe even one key per month 
may suffice.

I also attended a presentation at Storage Network World in Dallas called Intro 
to Key Management.  Although it was written as a guide to selecting a key 
management vendor, I took it as a checklist for rolling your own.  I have not 
implemented this yet, it's still 6-12 months out for me.

Here are the highlights from my notes:
- keys need an audit trail: who, creation, copies, destruction
- keys need to live as long as the data or longer
- need a means to verify key destruction at end of life
- control access to keys
- key rotation (obviously)
- prevent key modification
- verify key has not been modified
- must be available (at least 2 copies)
- storage tends to prefer symmetric keys
- may need a key encryption key to protect keys in transit
- nice to be able to move keys as a group
- versioning
- nice to have key retention tied to backup image retention
- keys should be random, chosen from entire key space (obviously)
- check for & avoid weak keys
- limit plaintext exposure
- prevent humans from viewing plaintext keys
- automate when possible
- keys should have a finite lifetime
- watch for and respond to incidents
- pay attention to government restrictions

Hopefully I didn't deviate too far from the question :)


---- Original message ----
From: bobbyrjw AT comcast DOT net

The big catch is that the "drive" supports encryption, but you have to have
something to make it encrypt.  If you have an IBM 3584 library, then you can
upgrade the firmware AND use an IBM software package to do key management
for encryption.

Just because you have an LTO-4 drive does not mean that you can encrypt.
Encryption key management is not at the drive.

I have tested encrypted vs. non-encrypted backups and did not see any
significant difference.

Bobby.

-------------- Original message --------------
From: "JAJA (Jamie Jamison)" <jamisonj AT zgi DOT com>

>  I'm researching the purchase of a new library with LTO generation 4 tape
>  drives and am interested in using the on-drive encryption to encrypt my
>  backup tapes so that if a box of tapes ever falls off of the Iron
>  Mountain truck I'm not having to explain things to the board of
>  directors and legal, update my resume and/or both. The spec sheets for
>  the LTO-4 drives that I've seen claim throughput of up to 120Mbps, but
>  as we all know the devil is in the details and for all I know that
>  throughput could have consisted of writing extremely large files
>  consisting of nothing but the letter "e" to tape, without using
>  encryption. Has anyone upgraded to LTO gen 4 yet who is also using the
>  on-drive encryption and if so what kind of throughput do you see on
>  average. Any real-world, real-life information will be greatly
>  appreciated.


-- 
Joe Royer / Sr. SysAdmin / Digital Motorworks / 512-692-1028
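
The checklist above maps fairly directly onto a small "roll your own" key ledger of the kind the manual (scripting) option in LTO4 would need. The following is an added illustration, not code from the post or from any vendor product: it generates data keys from the full key space with a CSPRNG, screens out degenerate keys, keeps an HMAC integrity tag on every ledger record so modification is detected, keeps an audit trail of who created, used and destroyed each key, ties retention to the backup image's retention, and refuses destruction before retention has expired. The 256-bit key size follows LTO-4's AES-256 drive encryption; the ledger MAC key, the label/version naming scheme and the weak-key threshold are assumptions for the example. Wrapping keys under a key-encryption key for transit and the actual key load into the drive are left out.

```python
"""Added example: a minimal tape-key ledger covering several checklist items.
Not the original post's code. Key wrapping for transit and the drive key load
are out of scope; key material lives only in the in-memory vault."""
import hashlib
import hmac
import json
import secrets
import time

KEY_BYTES = 32           # 256-bit data keys (LTO-4 drive encryption is AES-256)
MIN_DISTINCT_BYTES = 8   # assumed weak-key screen: reject keys with little byte variety


class KeyLedger:
    def __init__(self, mac_key: bytes, clock=time.time):
        self._mac_key = mac_key   # assumed ledger MAC key, protects records from silent edits
        self._clock = clock       # injectable so retention can be checked deterministically
        self.records = {}         # key_id -> metadata only, no key material
        self._vault = {}          # key_id -> raw key bytes, the only place plaintext lives
        self.audit = []           # who / what / when per key

    def _log(self, actor: str, event: str, key_id: str) -> None:
        self.audit.append({"ts": self._clock(), "actor": actor, "event": event, "key_id": key_id})

    # --- integrity: "prevent key modification" / "verify key has not been modified" ---
    def _tag(self, rec: dict) -> str:
        body = {k: v for k, v in rec.items() if k != "tag"}
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._mac_key, msg, hashlib.sha256).hexdigest()

    def _seal(self, rec: dict) -> None:
        rec["tag"] = self._tag(rec)

    def verify(self, key_id: str) -> bool:
        """True only if the record's tag checks out and the stored key matches its fingerprint."""
        rec = self.records[key_id]
        if not hmac.compare_digest(rec["tag"], self._tag(rec)):
            return False
        key = self._vault.get(key_id)
        return key is None or hashlib.sha256(key).hexdigest() == rec["fingerprint"]

    # --- lifecycle: random keys, versioning, retention, destruction ---
    @staticmethod
    def is_weak(key: bytes) -> bool:
        return len(set(key)) < MIN_DISTINCT_BYTES

    def create_key(self, actor: str, label: str, retention_seconds: int) -> str:
        """New random data key whose retention mirrors the backup image it protects."""
        key = secrets.token_bytes(KEY_BYTES)
        while self.is_weak(key):          # practically never loops with a CSPRNG
            key = secrets.token_bytes(KEY_BYTES)
        version = 1 + sum(1 for r in self.records.values() if r["label"] == label)
        key_id = f"{label}-v{version}"    # assumed naming scheme: one label per shipment/month
        now = self._clock()
        rec = {
            "key_id": key_id, "label": label, "version": version,
            "fingerprint": hashlib.sha256(key).hexdigest(),
            "created": now, "expires": now + retention_seconds,
            "state": "active",
        }
        self._seal(rec)
        self.records[key_id] = rec
        self._vault[key_id] = key
        self._log(actor, "create", key_id)
        return key_id

    def get_key(self, actor: str, key_id: str) -> bytes:
        """Release key material to a backup job; every release is audited."""
        if not self.verify(key_id):
            raise ValueError(f"ledger record for {key_id} failed integrity check")
        rec = self.records[key_id]
        if rec["state"] != "active":
            raise KeyError(f"{key_id} is {rec['state']}")
        self._log(actor, "use", key_id)
        return self._vault[key_id]

    def retention_expired(self, key_id: str) -> bool:
        return self._clock() >= self.records[key_id]["expires"]

    def destroy_key(self, actor: str, key_id: str) -> None:
        """Refuse to destroy a key while the data it protects is still retained."""
        if not self.retention_expired(key_id):
            raise PermissionError(f"{key_id} still protects retained data")
        rec = self.records[key_id]
        self._vault.pop(key_id, None)
        rec["state"] = "destroyed"
        rec["destroyed"] = self._clock()
        self._seal(rec)
        self._log(actor, "destroy", key_id)

    def destruction_verified(self, key_id: str) -> bool:
        """Evidence of destruction: no material in the vault, sealed record, audit event."""
        rec = self.records[key_id]
        return (rec["state"] == "destroyed" and key_id not in self._vault
                and self.verify(key_id)
                and any(e["event"] == "destroy" and e["key_id"] == key_id for e in self.audit))


if __name__ == "__main__":
    ledger = KeyLedger(mac_key=secrets.token_bytes(32))
    kid = ledger.create_key("backup-admin", "offsite-2007-12", retention_seconds=90 * 86400)
    key = ledger.get_key("nbu-master", kid)   # this is where the drive/library would get it
    print(kid, len(key) * 8, "bit key; ledger intact:", ledger.verify(kid))
```

Two design points worth noting: the audit log and ledger records never contain the key itself, only a SHA-256 fingerprint, so whoever reads the audit trail is not also reading plaintext keys; and destruction is gated on the recorded expiry, which is how "key retention tied to backup image retention" becomes enforceable rather than a policy on paper. A real deployment would persist the ledger and vault separately (the vault encrypted under a KEK) and keep at least two copies, per the availability item.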



_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
