FYI… I have heard that there is an Engineering Binary that you can request from Symantec to give you more encrypted pools on 6.5.x.
Dwayne Adams
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of judy_hinchcliffe AT administaff DOT com
Sent: Tuesday, June 15, 2010 12:27 PM
To: abhishek.dhingra AT in.ibm DOT com
Cc: veritas-bu AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] KMS encryption
You can have 1 key per volume pool. So on 6.5.5 you can encrypt 2 pools.

You can have different encryption keys for each pool. So I have 2 different key tags depending on which pool the tape belongs to.

In 7.0 you can have 20 pools, but again you can only have 1 active key per volume pool.

Now if you want to change your key, you have those “levels” of a key. You take the current key from active to inactive, and create a new active key for that pool.

An inactive key can be used to decrypt a tape. So if you have a new active key you can still read the tapes made with the old key.

Whereas a deprecated key will stay in the database if you want it, but you cannot use it to write or read a tape.

You said: “in case if we don’t have encryption feature enabled at hardware on another site, is there any way to perform the restore.”

No – that is the whole point of encryption.

You must have application managed encryption turned on at the other library (this cost me nothing on my IBM TS3310).

And YOU MUST have the SAME keys on the database at the other site.

TEST TEST TEST - before you start doing all your tapes, verify that you can take a tape made here and be able to restore it at your other site. If you cannot read an encrypted tape at your DR site – then what is the point. You want to lock others out of reading your tapes, not yourself.

The way to verify is when looking at your tapes and you see the encrypted key tag on the image. Your KMS database at your other site must have an exact matching key tag.

As KMS is just a bunch of files… you just copy that dir over to the other server.

The only issue right now for me is 2 volume pools. I wanted 3, and had to put two groups of tapes into the same pool. When I upgrade to 7.x I will get to break that group out again and have 3 encrypted volume pools.
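The key lifecycle Judy describes (one active key per volume pool, inactive keys that can still decrypt, deprecated keys that can do neither, and the requirement that the DR site's database carry the exact same key tags) can be checked mechanically. The following is an added illustration, not NetBackup code or its nbkmsutil interface: the pool names, key tags and the per-version pool limit are constructed inputs, and the "replicate" step stands in for copying the KMS directory to the other master. It walks through the rolled-key and stale-DR-copy cases from the message above and reports which tapes would fail to restore.

```python
"""Constructed model of the KMS key states and DR readability check.

Illustration only: pool names, key tags and the pool limit are assumptions,
not NetBackup's actual objects or commands.
"""
import copy
from dataclasses import dataclass
from enum import Enum


class KeyState(Enum):
    ACTIVE = "active"          # writes new tapes and can read them
    INACTIVE = "inactive"      # read (decrypt) only
    DEPRECATED = "deprecated"  # stays in the database, cannot read or write


@dataclass
class Tape:
    pool: str
    key_tag: str  # the tag recorded on the image when the tape was written


class KeyGroup:
    """Keys for one volume pool; at most one key is ACTIVE at a time."""

    def __init__(self, pool: str) -> None:
        self.pool = pool
        self.keys: dict[str, KeyState] = {}

    def create_active_key(self, tag: str) -> None:
        # Rolling the key: the current active key drops to inactive, so
        # tapes already written with it remain readable.
        for existing, state in self.keys.items():
            if state is KeyState.ACTIVE:
                self.keys[existing] = KeyState.INACTIVE
        self.keys[tag] = KeyState.ACTIVE

    def deprecate(self, tag: str) -> None:
        self.keys[tag] = KeyState.DEPRECATED

    def active_tag(self) -> str:
        for tag, state in self.keys.items():
            if state is KeyState.ACTIVE:
                return tag
        raise LookupError(f"pool {self.pool!r} has no active key")

    def can_read(self, tag: str) -> bool:
        return self.keys.get(tag) in (KeyState.ACTIVE, KeyState.INACTIVE)


class KmsDatabase:
    """The key database of one master server, with a per-version pool limit."""

    def __init__(self, max_encrypted_pools: int) -> None:
        self.max_pools = max_encrypted_pools
        self.groups: dict[str, KeyGroup] = {}

    def add_pool(self, pool: str) -> KeyGroup:
        if pool not in self.groups and len(self.groups) >= self.max_pools:
            raise ValueError(f"only {self.max_pools} encrypted volume pools allowed")
        return self.groups.setdefault(pool, KeyGroup(pool))

    def write_tape(self, pool: str) -> Tape:
        return Tape(pool, self.groups[pool].active_tag())

    def can_restore(self, tape: Tape) -> bool:
        group = self.groups.get(tape.pool)
        return group is not None and group.can_read(tape.key_tag)

    def replicate(self) -> "KmsDatabase":
        # Stands in for copying the KMS directory to the other master:
        # an exact copy, so every key tag matches at that moment.
        return copy.deepcopy(self)


def unreadable_at_dr(dr: KmsDatabase, tapes: list[Tape]) -> list[Tape]:
    """The TEST TEST TEST step: tapes written at the primary that the DR
    site's database cannot decrypt."""
    return [t for t in tapes if not dr.can_restore(t)]


def demo() -> dict:
    """Walk through the thread's scenario; returns checkable results."""
    results = {}
    primary = KmsDatabase(max_encrypted_pools=2)  # the 6.5.5 limit
    primary.add_pool("pool_finance").create_active_key("fin-key-1")
    primary.add_pool("pool_hr").create_active_key("hr-key-1")
    try:
        primary.add_pool("pool_legal")  # third pool: not allowed on 6.5.5
        results["third_pool_rejected"] = False
    except ValueError:
        results["third_pool_rejected"] = True

    old_tape = primary.write_tape("pool_finance")
    dr_stale = primary.replicate()  # DR copy taken before the key roll

    primary.groups["pool_finance"].create_active_key("fin-key-2")
    new_tape = primary.write_tape("pool_finance")
    results["old_tape_readable_after_roll"] = primary.can_restore(old_tape)

    dr_synced = primary.replicate()  # DR copy taken after the key roll
    results["stale_dr_unreadable"] = unreadable_at_dr(dr_stale, [old_tape, new_tape])
    results["synced_dr_unreadable"] = unreadable_at_dr(dr_synced, [old_tape, new_tape])

    primary.groups["pool_finance"].deprecate("fin-key-1")
    results["deprecated_unreadable"] = not primary.can_restore(old_tape)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stale-copy case is the one worth noticing: a DR database copied before a key roll still reads the older tapes but fails on everything written with the new active key, which is exactly why the copy (and the read test) has to be repeated after every key change.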
From: Abhishek Dhingra1 [mailto:abhishek.dhingra AT in.ibm DOT com]
Sent: Tuesday, June 15, 2010 12:41 PM
To: Judy Hinchcliffe
Cc: veritas-bu AT mailman.eng.auburn DOT edu
Subject: Fw: [Veritas-bu] KMS encryption
Thanks for the reply.

Today I tried configuring the KMS on my master server (running on AIX). It worked perfectly fine. I took help from Veritas support and according to them we can only keep one key in the key database; it will always use the same key for encrypting the data. Every time we need to change the encryption key, we need to define the new key and deactivate the one that is activated.

Have you tried configuring more than one key at the same time?

Moreover, doing a restore on another site will require an encryption license to be applied on the tape library at the other site. In case we don't have the encryption feature enabled at hardware on the other site, is there any way to perform the restore?

Rgds
A D
Email : abhishek.dhingra AT in.ibm DOT com
----- Forwarded by Abhishek Dhingra1/India/IBM on 06/15/2010 11:05 PM -----

<judy_hinchcliffe AT administaff DOT com>
06/15/2010 10:51 PM
To: Abhishek Dhingra1/India/IBM@IBMIN, <veritas-bu AT mailman.eng.auburn DOT edu>
cc:
Subject: RE: [Veritas-bu] KMS encryption
Yes, I recently started.

It is one chapter in the Security and Encryption book; look for the book for the version you are running. In 6.5 it is chapter 6.

I have AIX media servers so I cannot do MESO.

If I wanted to do hardware encryption using my IBM library I would have to PAY IBM a lot of money, plus get the Tivoli key management system. KMS comes with NB.

I just went to my library and turned on “Application Managed Encryption”. Then I set up the KMS database and made my volume pools.

NOTE: in 6.5.5 you can only use 2 encrypted volume pools. In 7.0 you can use 20.

So now I am doing hardware encryption – that is where all the work is done on the tape drive – it also does my compression so no extra overhead on my master or media.

Read the chapter carefully – make sure that the KMS dir is not put on your catalog tape, and do not encrypt the catalog tape (that’s like locking your keys in the car).

I have two sites. I made my KMS on one master, then just copied the database to the other master; this way I know all encrypted key tags match and I can read encrypted tapes at both sites.

Once reading the chapter I saw how easy it really was.

Just make sure you document your password strings and keep them in a secure place – not in just any file on disk where someone else could find them.
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Abhishek Dhingra1
Sent: Tuesday, June 15, 2010 12:10 PM
To: veritas-bu AT mailman.eng.auburn DOT edu
Subject: [Veritas-bu] KMS encryption
Hi,

Has anyone ever used the NetBackup 6.5 internal KMS encryption feature?

Pls share the documentation link for KMS. I also wanted to know the merits and demerits of using KMS encryption.

Hope someone has used KMS and could help me.

Rgds
A D
Email : abhishek.dhingra AT in.ibm DOT com