Veritas-bu

Re: [Veritas-bu] Tape encryption

2007-09-07 14:44:57
Subject: Re: [Veritas-bu] Tape encryption
From: Jon Bousselot <jon_bousselot AT sd.vrtx DOT com>
To: "Cruice, Daniel (US - Glen Mills)" <dcruice AT deloitte DOT com>
Date: Fri, 07 Sep 2007 11:27:31 -0700
I recently evaluated the Veritas MSEO product, and was very impressed.

The version I received only ran on Solaris/Sparc and Windows.  I tested
the Solaris version.

It creates a software-based encryption device instead of /dev/rmt/0cbn
and the encryption and compression are activated with some XML strings
in the policy keyword.  Data that is first staged to disk is not
encrypted, since the encrypting device is the /dev entry for the Solaris
tape drive.  The work of encryption is handled in software, and I
noticed a significant increase in CPU load during a single and
multiplexed backup.  Restoring encrypted data also created a load on the
media server, but it was not overloaded.  I have not received
confirmation from Veritas, but with this device in place I believe
hardware compression is disabled, and you can enable software
compression when you specify a compression level in the policy keyword. 
The documentation is not specific on this subject.

If you need to encrypt data that is already written to media, you can
modify the policy keyword in the backup image, then duplicate the image
to the media server that has MSEO installed.  For users who need to
encrypt existing archives or migrate old data to new encrypted media
formats, this would be a workable but time-consuming method.  Just
script it and let the computer do all the work.

The product, as I was told, is licensed by media server.  In our
environment, we could create a policy that disk-staged all the off-site
data, then slowly wrote it to encrypted media over the next day or two
in preparation for off-site delivery.  You would need to size your media
server appropriately, since this is a processor-intensive operation.  The
test environment I used only has LTO-1 drives, and I was unable to get
maximum speeds out of the drive while encryption and compression were
enabled. 

The NetBackup engineers I spoke with said this feature is likely to be
better integrated into future NBU versions, which will make
implementation and activation a much cleaner process.

The keys are stored as files in a directory under /opt, and the
documentation explains how to protect this properly so you can restore
your data later.  The key files I had were ASCII files that contained an
RSA key hash, which can be written to CD and locked away.  The key
directory was about 20kb.

Like many other Veritas products, this is not dependent on any one
platform and media type.  You can use it to encrypt your LTO-3 tapes, as
well as your DDS-1, if you wanted.

-Jon




> Looking for some information regarding tape encryption, anyone out
> there using it?  And if so, what kind of tape degradation did you
> experience?  We are being asked to implement it and we are just trying
> to figure out what we are going to need.  Our environment is mixed
> with Windows and UNIX, all of our NBU servers are Windows (Master and
> Media) with a 20 drive LTO3 Library, over 900 clients.  About 90% of
> our environment is running 6.0 MP4 and soon will be rolling out 6.5 w/
> MP1.  Any gotchas we need to be aware of?
>
> Thanks
>
> Dan

_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu