[Veritas-bu] IBM tape encryption - LME, TS3500, TS1120/TS1130 and TKLM

2012-11-01 05:39:08
Subject: [Veritas-bu] IBM tape encryption - LME, TS3500, TS1120/TS1130 and TKLM
From: Dean <dean.deano AT gmail DOT com>
To: VERITAS-BU AT mailman.eng.auburn DOT edu
Date: Thu, 1 Nov 2012 20:38:28 +1100

Hi folks,

I am in the final steps of shutting down a data centre. Our customers have just advised us that they require any tapes we send to the new data centre to be encrypted. So I'm in a mad rush to implement an encryption solution and bpduplicate as many unencrypted tapes as possible onto encrypted tapes before we shut down in a few weeks.

We have gone with Library Managed Encryption. We have an IBM TS3500 with ALMS, and TS1120 and TS1130 drives. We have purchased a Tivoli Key Lifecycle Manager (TKLM) license.

I plan to install the TKLM server on a VM tomorrow, encrypt as many tapes as I can, then shut it all down, and move the VM along with the encrypted tapes to the new data centre. (Well, not really *with* the tapes. The tapes will go via courier, the VM will be moved using disk replication).

My plan is to set up 3 new logical libraries with a couple of dedicated drives each (there are 3 separate NBU domains), configure ALMS so that all drives in those logical libraries will write encrypted tapes, and then bpduplicate from the old unencrypted library to the encrypted library.

From my understanding, this would all be totally transparent to NetBackup.

However, I have just been reading about Internal Library Encryption Policy (ILEP) which seems to allow you to set things up such that the library will decide whether to encrypt a tape based on its NBU pool number.


Frankly, I'm not a security person, and reading that document does my head in.

I guess I'm just asking if anyone on this list has played with IBM tape drive encryption and TKLM, and if so, in my particular situation does it make sense to just ignore the ILEP stuff and set the logical library to encrypt everything? I'd use the "Barcode encryption" policy in ALMS, and just tell it to encrypt *every* barcode in that particular library.

I need to keep things as simple as possible so that I can encrypt as many tapes as I can and hand over a relatively simple system.

In general, any thoughts from anyone with experience with this stuff would be appreciated.

Thanks,
Dean
_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu