Best Practice for LTO5 Encryption

yodawoya

All my nodes back up to a FILE disk-based storage pool. I copy that stgpool to an LTO-based storage pool that gets stored offsite. I would like to encrypt all the data that gets copied to those tapes. What is best practice in this scenario? Is application-based encryption preferred over the library method? Please share any insight in this matter. Thanks
 
I think it really depends on what your business requirements are. Over time I have become more of a fan of application-side encryption, column encryption within a DB, or tokenization of data to remove all PII. If your data is correctly encrypted at the application level it is safe at rest, in motion, on disk, tape, and won't unexpectedly show up in a core dump on a crashed server. However, if your only requirement is a checkbox on an audit form "Is data encrypted on tape? Y/N?" encrypting tape drives are a good solution that's fairly simple to implement.

Unfortunately, in my experience with encryption, most requirements are driven by some vague audit requirement rather than in the true spirit of protecting sensitive data from prying eyes.

Problems can arise if you are depending on your backup infrastructure to manage space using deduplication, as deduplication and compression are not complementary technologies.

-Rowl
 