Re: [Networker] LTO4 Hardware Encryption -- proposal

2010-02-09 07:55:42
Subject: Re: [Networker] LTO4 Hardware Encryption -- proposal
From: "Clark, Patti" <clarkp AT OSTI DOT GOV>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Tue, 9 Feb 2010 07:53:22 -0500
 
> -----Original Message-----
> From: EMC NetWorker discussion 
> [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On Behalf Of Francis Swasey
> Sent: Thursday, February 04, 2010 8:59 AM
> To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
> Subject: Re: [Networker] LTO4 Hardware Encryption -- proposal
> 
> Hey everyone...
> 
> Back in November, I posted the message below.  To this moment, I haven't
> heard anything from anyone.... I guess I need to take from that silence
> one of three truths:
> 
>   1) No one is interested in NetWorker handling the management of keys
> to encrypt LTO4 media.
>   2) I'm the only person on the list that is using LTO4 media and trying
> to figure out how to handle encryption.
>   3) It was too close to Christmas and no one took the time to read my
> message.
> 
> Please enlighten me as to which of those is the truth.
> 
> Thanks,
>   Frank
> 
> On 11/24/09 11:35 AM, Francis Swasey wrote:
> > I recently laid out for EMC what I would like to see NetWorker provide
> > for LTO4 Hardware Encryption and Key Management.
> >
> > I am interested if what I have told EMC is what others think NetWorker
> > should provide or if you have other ideas about the LTO4 Hardware
> > Encryption.  If you would rather not publicly state your agreement
> > /disagreement with the following -- you may respond to me privately.
> >
> > Here's what I told EMC:
> >
> > 1) That there needs to be an option in the media pool definition to
> > specify that volumes in this pool must have LTO4 Encryption enabled.
> > Whether that is set by a check box in the media pool property panes of
> > NMC or is (like NetBackup does) flagged by naming the pool to begin
> > with "ENCR" -- I don't care.
> >
> > 2) That the NetWorker server needs to create a new key for a volume
> > every time the volume is labeled.
> >
> > 3) That the NetWorker server needs to keep track of which key was used
> > for which volume.
> >
> > 4) That however the NetWorker server maintains the key/volume pairing,
> > it has to be securely included in the bootstrap so that mmrecov can
> > get it back in a disaster situation.  And I have to know a secret
> > pass-phrase that was NOT in the bootstrap to decrypt the key/volume
> > table and run a command to put it back into NetWorker.
> >
> >
> 
> -- 
> Frank Swasey                    | http://www.uvm.edu/~fcs
> Sr Systems Administrator        | Always remember: You are UNIQUE,
> University of Vermont           |    just like everyone else.
>   "I am not young enough to know everything." - Oscar Wilde (1854-1900)
> 
>>>>>>>>>>>>>>>>>>>>
We already use the key manager from Quantum and we do encrypt our LTO-4 tapes.  
Other than making sure that we have a separate backup of the key management 
software and the keys themselves, there is no overhead.  It's automated and it 
works.  It's been a year and I haven't looked into it, but the only feature(s) 
missing is the ability to import/export the keys for a DR situation.  It was on 
the todo list the last time that I looked.  This is not dependent on Networker 
which is not the software that we use under all backup circumstances.  More 
than likely, we would not use that feature should it appear in the capabilities.

Patti Clark
DOE/OSTI
Sr. Linux System Administrator
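The key-management behaviour Frank asks NetWorker for (items 2 to 4 of the quoted proposal: a fresh key on every label, a server-side volume-to-key table, and a bootstrap copy of that table that is useless without a pass-phrase kept outside the bootstrap) can be sketched in a few dozen lines. The example below is added here for illustration; it is not NetWorker, EMC or Quantum code and does not model how any of those products store keys. It assumes Ruby's standard OpenSSL binding, picks PBKDF2-HMAC-SHA256 to turn the pass-phrase into a key-encryption key and AES-256-GCM to wrap the table (so a wrong pass-phrase or a tampered blob fails closed rather than yielding garbage keys), and all class, method and volume names are invented for the example.

```ruby
# Added example, not NetWorker's code: a per-volume key store in the shape of
# the proposal above. Each label operation mints a fresh random data key, the
# server keeps the volume->key table, and the table can be exported for the
# bootstrap wrapped under a key derived from a pass-phrase that is never
# stored with it. Names, constants and the KDF/AEAD choice are assumptions.
require 'openssl'
require 'securerandom'
require 'json'
require 'base64'

class VolumeKeyStore
  KDF_ITERATIONS = 200_000               # PBKDF2 work factor (assumed; tune per site)
  AAD = 'lto4-volume-key-table-v1'.freeze # ties the ciphertext to this blob format

  def initialize
    @table = {} # volume label => 32-byte data key the drive would be loaded with
  end

  # Item 2: a new key every time the volume is labeled. Relabeling an existing
  # volume replaces its key, so the previous contents of that tape are gone.
  def label_volume(label)
    @table[label] = SecureRandom.random_bytes(32)
  end

  # Item 3: which key was used for which volume.
  def key_for(label)
    @table.fetch(label)
  end

  def volumes
    @table.keys.sort
  end

  # Item 4: wrap the table under a pass-phrase-derived KEK for the bootstrap.
  # A fresh salt and IV per export keep repeated exports distinguishable.
  def export(passphrase)
    salt = SecureRandom.random_bytes(16)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = self.class.derive_kek(passphrase, salt, KDF_ITERATIONS)
    iv = cipher.random_iv
    cipher.auth_data = AAD
    plaintext = JSON.generate(@table.transform_values { |k| self.class.b64(k) })
    ciphertext = cipher.update(plaintext) + cipher.final
    JSON.generate(
      version: 1, kdf: 'pbkdf2-hmac-sha256', iterations: KDF_ITERATIONS,
      salt: self.class.b64(salt), iv: self.class.b64(iv),
      tag: self.class.b64(cipher.auth_tag), ciphertext: self.class.b64(ciphertext)
    )
  end

  # Disaster-recovery side: rebuild the store from the wrapped blob. Returns
  # nil when the pass-phrase is wrong or the blob was altered, because the
  # GCM tag check in #final raises instead of handing back a corrupt table.
  def self.import(blob, passphrase)
    env = JSON.parse(blob)
    decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    decipher.key = derive_kek(passphrase, unb64(env['salt']), env['iterations'])
    decipher.iv = unb64(env['iv'])
    decipher.auth_tag = unb64(env['tag'])
    decipher.auth_data = AAD
    plaintext = decipher.update(unb64(env['ciphertext'])) + decipher.final
    store = new
    JSON.parse(plaintext).each { |label, k| store.restore(label, unb64(k)) }
    store
  rescue OpenSSL::Cipher::CipherError
    nil
  end

  # Used by import only, so the constructor never takes raw key material.
  def restore(label, key)
    @table[label] = key
  end

  def self.derive_kek(passphrase, salt, iterations)
    OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, iterations, 32, OpenSSL::Digest.new('SHA256'))
  end

  def self.b64(bytes)
    Base64.strict_encode64(bytes)
  end

  def self.unb64(text)
    Base64.strict_decode64(text)
  end
end

if __FILE__ == $PROGRAM_NAME
  store = VolumeKeyStore.new
  store.label_volume('ENCR.001') # constructed sample volume labels
  store.label_volume('ENCR.002')
  blob = store.export('example pass-phrase, kept outside the bootstrap')
  restored = VolumeKeyStore.import(blob, 'example pass-phrase, kept outside the bootstrap')
  puts "restored volumes: #{restored.volumes.join(', ')}"
  puts "wrong pass-phrase yields: #{VolumeKeyStore.import(blob, 'wrong').inspect}"
end
```

The exported blob carries only the salt, IV, tag, iteration count and ciphertext, so it can sit in the bootstrap next to the media database while the pass-phrase lives in the DR runbook; that separation is the whole point of item 4. What this sketch does not cover, and what Patti's note about Quantum's key manager hints at, is the operational side: the wrapped table itself still needs its own off-site copy, and a key must never be dropped from the table while any tape labeled with it is still retained.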
