Re: [Veritas-bu] LT04 Encryption.

Hello 

The IBM library managed code for the 3584 allows one to control the encryption 
with volser ranges. We did not  want to go that route, so we control it with 
netbackup volume pool numbers. The low volume pool numbers do not trigger the 
encryption at the tape drive, the  higher ones do. So by assigning vol pool 
numbers in netbackup one can turn encryption on or not for a volume pool. 

See this doc for more information. I do not know if the other tape vendors 
support this.

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a/3c8fb635ba4c5eb7862572f200177aa9/$FILE/Intro%20of%20ILEP%20V4.pdf

There is also doc you can get from the netbackup support folks

len

-----Original Message-----
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu 
[mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of smpt
Sent: Monday, April 25, 2011 3:50 PM
To: 'Justin Piszcz'; 'Ulises Rodriguez'
Cc: veritas-bu AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] LT04 Encryption.

Hi,
With NetBackup 7.x you can use 20 key groups (volume pools) with 10 (or 20?) 
keys per group.

The big difference is that if you use the library's encryption key manager you 
will have all drives encryption enabled at all time.
With NetBackup key manager you can choose what backup will be encrypted.

With both key managers you have to have a good disaster plan. If you lose your 
key manager, you will lose your backups.



-----Original Message-----
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu
[mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Justin 
Piszcz
Sent: Monday, April 25, 2011 10:09 PM
To: Ulises Rodriguez
Cc: 'veritas-bu AT mailman.eng.auburn DOT edu'
Subject: Re: [Veritas-bu] LT04 Encryption.


On Mon, 25 Apr 2011, Ulises Rodriguez wrote:

> All,
>
> What is the best way to implement encryption for tape with LT04 tape
drives.  I have seen that some of you are using KMS. Is this the best method? I 
need to make sure that my tapes are encrypted with 3DES. Is the KMS function 
included with NBU 6.5.5 in Windows 2003 64 bit?
>
> My current encryption device is coming to end of life. This is the 
> main
reason I need to be looking at the different options.
>
> Just trying to get some ideas.
>
> Thanks,
>
> Uli.
>
>

Hi,

Yes KMS, it works, little to no speed difference, with 6.5.x you only get a 
maximum of 2 key groups though, e.g. two volume groups that you can use, with 
7.0 there are more.

I believe(?) the first version that supported it was 6.5.2, but it has been 
awhile.

For the OS, good question, also note, I've seen issues if your tape drive isn't 
a certain firmware rev in relation to the HBA firmware, the backups break and 
the fiber hba/link resets it self, make sure to do a lot of testing first.

Justin.

_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu 
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu 
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu


_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu