Uli,
Can you tell us a little bit more about your hardware.
Which vendor makes your tape drives and tape library?
Out experience is with IBM lto4 and lto5 tape drives in IBM 3584 (aka TS3500) tape libraries.
I believe that the tape drive support should be pretty much the same across vendors, but may be different.
If you are using netbackup and need less than 20 keys, KMS looks pretty easy.
We have over 100 different volume pools and each required a different key or key group.
We choose to use some special support that the IBM tape drives, the IBM tape library and netbackup have set up. I am not sure if this support is in other tape drives.
When the tape drive mounts a tape, it reads the volume pool number from the tape header, for a scratch tape from the header to be written to the tape. The tape drive creates a key alias using the volume pool
number. It passes this to the tape library which fetches the encryption key from an external key manager. The pool number for encryption have to be in special ranges.
So we assign the pool numbers to the volume pool’s when we create them.
But this gives us a huge number keys to work from.
len
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu]
On Behalf Of Ulises Rodriguez
Sent: Monday, April 25, 2011 3:03 PM
To: 'veritas-bu AT mailman.eng.auburn DOT edu'
Subject: [Veritas-bu] LT04 Encryption.
All,
What is the best way to implement encryption for tape with LT04 tape drives. I have seen that some of you are using KMS. Is this the best method? I need to make sure that
my tapes are encrypted with 3DES. Is the KMS function included with NBU 6.5.5 in Windows 2003 64 bit?
My current encryption device is coming to end of life. This is the main reason I need to be looking at the different options.
Just trying to get some ideas.
Thanks,
Uli.
