Option 4 - Hardware encrypting tape drives such as LTO4 or IBM TS1130 or
Sun's T10000

Not necessarily a cheap option either but if your current gen of tape
drives are nearing EOL the cost between an upgrade and an upgrade with
hardware encryption is often minor (physical tape costs can be
significant though).  I like this option better because the speed impact
is minimal, if measurable, and it doesn't throw another device into the
path like Decru.  How the keys are managed is really a critical thing
with this and any encryption solution so pay close to attention to that.
One of the biggest pluses I can give for this is that once it is setup
you don't know its there (at least in our environment) and I think that
is how an encryption solution should behave.

Also, I've done significant performance testing of the Decru and I've
proven a 16% performance decrease on those devices with 2Gb/s fiber and
9940B drives so it's not really accurate to say it's at wire speed.


 
Message: 18
Date: Tue, 11 Nov 2008 11:52:07 -0600
From: "Ed Wilts" <ewilts AT ewilts DOT org>
Subject: Re: [Veritas-bu] Encrypting offsite tapes
To: "Rongsheng Fang" <unixlifebox AT gmail DOT com>
Cc: VERITAS-BU AT mailman.eng.auburn DOT edu
Message-ID:
        <995e39b60811110952s5389fbe0j29b8b49b25013017 AT mail.gmail DOT com>
Content-Type: text/plain; charset="iso-8859-1"

You have 3 separate options:

1.  Client-based encryption.  Free with 6.5 (and you may be able to get
free
licenses for 6.0 if you're under maintenance).  Adds a load to each and
every client.  From what I've heard, it's not pretty.

2.  Media-server based encryption.  Puts the load on the media servers
instead.

3.  Encryption appliance.  Not cheap, but they encrypt at wire speed
while
writing to the tape drives.   Decru, now owned by NetApp, is the current
market leader.  Brocade is also now partnering with NetApp to build the
next
generation - basically a Decru encryption appliance built into a 32-port
Brocade switch.  Not even close to cheap :-)

We chose option 3 and have Decru appliances in front of all our tape
drives.  Everything that's written to tape is automatically encrypted -
we
don't need to think about it.  NetBackup doesn't even know the data is
encrypted and doesn't care.

http://www.netapp.com/us/products/storage-security-systems/

On Tue, Nov 11, 2008 at 11:32 AM, Rongsheng Fang
<unixlifebox AT gmail DOT com>wrote:

> We duplicate backup images from disks/tapes to tapes weekly using
> NetBackup vault and send the tapes offsite. We have a new requirement
> for encrypting all the tapes going offsite. I understand that
> NetBackup can do the encryption while the backup is being done. My
> question is: is it possible to encrypt the images during the vault
> process (or the duplication process of the vault)? How do you
> implement the encryption in your backup environments?
>
> Our environment: NetBackup Enterprise 6.0MP4 on Solaris 10
>
> Thanks,
>
> Rongsheng
>

    .../Ed

Ed Wilts, RHCE, BCFP, BCSD, SCSP, SCSE
ewilts AT ewilts DOT org




Barclays             www.barclaycardus.com

This e-mail and any files transmitted with it may contain confidential and/or 
proprietary information. It is intended solely for the use of the individual or 
entity who is the intended recipient. Unauthorized use of this information is 
prohibited. If you have received this in error, please contact the sender by 
replying to this message and delete this material from any system it may be on.



_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu