Veritas-bu

Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape

2011-11-29 12:55:32
Subject: Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape
From: John Berchmans <pjberchmans AT yahoo DOT com>
To: "VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU" <VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU>, JeffLightner <JLightner AT water DOT com>
Date: Tue, 29 Nov 2011 09:55:23 -0800 (PST)
Please read some of the limitations of encrypting backups using software or 
drive based encryption:
==========================================================

Limitations of using software-based encryption:
• Disaster recovery is not supported with encrypted backups.
Therefore you must not encrypt backups used for Disaster Recovery restore.


Limitations of using drive-based encryption:
• Drive-based decryption may not work if the encryption metadata values on the 
tape medium are tampered with.
• If, for example, the LTO-4 tape drive is connected through a Network Storage Router 
(NSR), then encryption is supported only if the router firmware supports 
encryption-related SCSI commands.

Other factors:

- Suppose you choose both software-based and drive-based encryption on the same 
host; it's possible there could be only one key file used for both.
- For security reasons, it may not be possible to delete a key. It is only 
possible to deactivate a key.
- Enabling software-based encryption reduces the effectiveness of drive-based 
compression.
- Backed up data cannot be restored if all encryption keys used during backup 
sessions are not available.
- Since encrypted backup sessions are CPU intensive and time consuming, it will 
affect the overall contingency plan in case of disaster and if you had to 
recover the data.




--- On Tue, 11/29/11, Lightner, Jeff <JLightner AT water DOT com> wrote:

> From: Lightner, Jeff <JLightner AT water DOT com>
> Subject: Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape
> To: "VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU" <VERITAS-BU AT 
> MAILMAN.ENG.AUBURN DOT EDU>
> Date: Tuesday, November 29, 2011, 8:17 PM
> Additionally for Linux/UNIX at least
> the format written on tape is using a modified version of
> GNU Tar so one could get the raw data using GNU Tar or even
> dd so you don't even need NetBackup's import
> capability. Someone attempting to steal
> data does NOT limit themselves to restoring to the same
> filesystem/directories or even file
> names. This is why people typically wipe
> disk drives before discarding them.
> 
> On the flip side whether you need to encrypt the data is
> dependent on what happens to the tapes and how comfortable
> you feel with it. e.g. if they're stored in
> a safe on your site then the likelihood the physical media
> will be compromised is low. If you're
> sending them offsite the likelihood increases although folks
> like Iron Mountain have their own security procedures to
> deal with custody of tapes. Additionally
> there may be other mitigating factors (e.g. your database
> management system encrypts data itself so that encryption of
> a database backup might be duplicated effort.) Finally
> you have to measure the desire for encryption against
> keeping track of keys used for encryption permanently (and
> of course keeping such keys secure).
> 
> 
> 
> 
> 
> -----Original Message-----
> From: veritas-bu-bounces AT mailman.eng.auburn DOT edu
> [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu]
> On Behalf Of Justin Piszcz
> Sent: Tuesday, November 29, 2011 4:01 AM
> To: VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU
> Subject: Re: [Veritas-bu] veritas netbackup 6.5 encrypt
> backup tape
> 
> Hi,
> 
> Not true, you can bpimport the tape, it's two phases (with
> NBU) and takes 2-4
> hours per tape, this re-creates the catalog data from the
> tape media itself.
> 
> Read more here:
> http://www.symantec.com/business/support/index?page=content&id=TECH43584
> 
> Justin.
> 
> -----Original Message-----
> From: veritas-bu-bounces AT mailman.eng.auburn DOT edu
> [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu]
> On Behalf Of novice123
> Sent: Tuesday, November 29, 2011 1:59 AM
> To: VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU
> Subject: [Veritas-bu] veritas netbackup 6.5 encrypt backup
> tape
> 
> Dear All,
> 
> During a risk assessment exercise, I realized that my
> backup admin does not
> encrypt data in backup tapes. He argues, it is not required
> as an adversary
> cannot recover/read data from the backup tape, assuming it's
> stolen, if he
> does not have the corresponding catalog. He further adds
> that catalog is
> kept secure. We are using Veritas netbackup 6.5. I am
> unfamiliar with the
> technology, hence would want to know the following:
> 
> a) If catalogs are secure, why should the software have a
> feature for
> encrypting data in the backup tape?
> 
> b) If the argument is invalid, how can an adversary
> read/recover the data
> from the stolen backup tapes, even if he does not have the
> catalog. Please
> help in articulating the risk.
> 
> Any help in this regard is appreciated.
> 
> Thanks in anticipation
> 
> +----------------------------------------------------------------------
> |This was sent by sanjay.nefarious AT gmail DOT com
> via Backup Central.
> |Forward SPAM to abuse AT backupcentral DOT com.
> +----------------------------------------------------------------------
> 
> 
> _______________________________________________
> Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
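
Added example (not part of the original posts, and not NetBackup code): a check of whether a raw backup image is self-describing plaintext or looks encrypted, which also shows the compression effect mentioned in the limitations list. Assumptions: a standard ustar archive built in memory stands in for the tar-like tape image (NetBackup's modified format is not reproduced), a SHA-256 counter keystream stands in for real encryption, and all function names are hypothetical.

```python
import hashlib, io, math, tarfile, zlib
from collections import Counter

BLOCK = 512  # tar header and data block size

def build_sample_tar():
    """Constructed sample: a small ustar archive built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, body in (("hr/payroll.csv", b"id,name,salary\n" * 200),
                           ("db/export.sql", b"INSERT INTO t VALUES (1);\n" * 200)):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def toy_encrypt(data, key):
    """Stand-in for real encryption (assumption); illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def entropy(data):
    """Shannon entropy in bits per byte (8.0 is indistinguishable from random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def ustar_members(image):
    """Walk the 512-byte headers in the image; no catalog or index is consulted."""
    names, off = [], 0
    while off + BLOCK <= len(image):
        hdr = image[off:off + BLOCK]
        if hdr[257:262] != b"ustar":  # magic absent: end of archive or not plaintext tar
            break
        names.append(hdr[:100].rstrip(b"\0").decode())
        size = int(hdr[124:136].rstrip(b"\0 ") or b"0", 8)  # octal size field
        off += BLOCK + -(-size // BLOCK) * BLOCK  # header plus padded data blocks
    return names

def assess(image):
    return {"members": ustar_members(image),
            "entropy": round(entropy(image), 2),
            "compress_ratio": round(len(zlib.compress(image)) / len(image), 2)}

if __name__ == "__main__":
    plain = build_sample_tar()
    print("plaintext:", assess(plain))
    print("encrypted:", assess(toy_encrypt(plain, b"constructed-key")))
```

The plaintext image lists its own member names and compresses to a small fraction of its size; the encrypted image yields no members, near-8-bit entropy and a compression ratio of about 1.0.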