Please read some of the limitations of encrypting backups using software or
drive based encryption:
==========================================================
Limitations of using software-based encryption:
• Disaster recovery is not supported with encrypted backups.
Therefore you must not encrypt backups used for Disaster Recovery restore.
Limitations of using drive-based encryption:
• Drive-based decryption may not work if the encryption metadata values on the
tape medium are tampered with.
• If, for example, the LTO-4 tape drive is connected through a Network Storage Router
(NSR), then encryption is supported only if the router firmware supports
encryption-related SCSI commands.
Other factors:
- Suppose you choose both software-based and drive-based encryption on the same
host, it's possible there could be only one key file used for both.
- For security reasons, it may not be possible to delete a key. It is only
possible to deactivate a key.
- Enabling software-based encryption reduces the effectiveness of drive-based
compression.
- Backed up data cannot be restored if all encryption keys used during backup
sessions are not available.
- Since encrypted backup sessions are CPU intensive and time consuming, it will
affect the overall contingency plan in case of disaster, if you had to
recover the data.
--- On Tue, 11/29/11, Lightner, Jeff <JLightner AT water DOT com> wrote:
> From: Lightner, Jeff <JLightner AT water DOT com>
> Subject: Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape
> To: "VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU" <VERITAS-BU AT
> MAILMAN.ENG.AUBURN DOT EDU>
> Date: Tuesday, November 29, 2011, 8:17 PM
> Additionally for Linux/UNIX at least
> the format written on tape is using a modified version of
> GNU Tar so one could get the raw data using GNU Tar or even
> dd so you don't even need NetBackup's import
> capability. Someone attempting to steal
> data does NOT limit themselves to restoring to the same
> filesystem/directories or even file
> names. This is why people typically wipe
> disk drives before discarding them.
>
> On the flip side whether you need to encrypt the data is
> dependent on what happens to the tapes and how comfortable
> you feel with it. e.g. if they're stored in
> a safe on your site then the likelihood the physical media
> will be compromised is low. If you're
> sending them offsite the likelihood increases although folks
> like Iron Mountain have their own security procedures to
> deal with custody of tapes. Additionally
> there may be other mitigating factors (e.g. your database
> management system encrypts data itself so that encryption of
> a database backup might be duplicated effort.) Finally
> you have to measure the desire for encryption against
> keeping track of keys used for encryption permanently (and
> of course keeping such keys secure).
>
>
> -----Original Message-----
> From: veritas-bu-bounces AT mailman.eng.auburn DOT edu
> [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu]
> On Behalf Of Justin Piszcz
> Sent: Tuesday, November 29, 2011 4:01 AM
> To: VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU
> Subject: Re: [Veritas-bu] veritas netbackup 6.5 encrypt
> backup tape
>
> Hi,
>
> Not true, you can bpimport the tape, it's two phases (with
> NBU) and takes 2-4
> hours per tape, this re-creates the catalog data from the
> tape media itself.
>
> Read more here:
> http://www.symantec.com/business/support/index?page=content&id=TECH43584
>
> Justin.
>
> -----Original Message-----
> From: veritas-bu-bounces AT mailman.eng.auburn DOT edu
> [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu]
> On Behalf Of novice123
> Sent: Tuesday, November 29, 2011 1:59 AM
> To: VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU
> Subject: [Veritas-bu] veritas netbackup 6.5 encrypt backup
> tape
>
> Dear All,
>
> During a risk assessment exercise, I realized that my
> backup admin does not
> encrypt data in backup tapes. He argues, it is not required
> as an adversary
> cannot recover/read data from the backup tape, assuming it's
> stolen, if he
> does not have the corresponding catalog. He further adds
> that catalog is
> kept secure. We are using Veritas netbackup 6.5. I am
> unfamiliar with the
> technology, hence would want to know the following:
>
> a) If catalogs are secure, why should the software have a
> feature for
> encrypting data in the backup tape?
>
> b) If the argument is invalid, how can an adversary
> read/recover the data
> from the stolen backup tapes, even if he does not have the
> catalog. Please
> help in articulating the risk.
>
> Any help in this regard is appreciated.
>
> Thanks in anticipation
>
> +----------------------------------------------------------------------
> |This was sent by sanjay.nefarious AT gmail DOT com
> via Backup Central.
> |Forward SPAM to abuse AT backupcentral DOT com.
> +----------------------------------------------------------------------
>
>
> _______________________________________________
> Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
>
_______________________________________________
Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
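
The point made at the top of this reply, that software-based encryption reduces the effectiveness of drive-based compression, can be reproduced in a few lines. This is an added example, not part of the original thread: zlib stands in for the drive's compressor, a SHA-256 counter-mode keystream stands in for the backup software's cipher, and the job-log style sample data is constructed.

```python
import hashlib
import zlib

# Constructed sample: repetitive job-log style text, similar to much backed-up data.
SAMPLE = "".join(
    f"2011-11-29 04:{i % 60:02d}:07 client{i % 8} policy=DAILY status=0 kbytes={i * 37}\n"
    for i in range(4000)
).encode()
KEY = b"constructed-demo-key"  # placeholder key, for illustration only


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Stand-in only: it is not
    the cipher any backup product uses and must not be used to protect data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def compare(plaintext: bytes, key: bytes) -> dict:
    """Return stored-size / original-size ratios for three write paths."""
    n = len(plaintext)
    # No encryption: the compressor sees the redundancy in the data.
    plain_compressed = zlib.compress(plaintext, 6)
    # Host encrypts first: the compressor only sees high-entropy ciphertext.
    encrypt_then_compress = zlib.compress(keystream_xor(key, plaintext), 6)
    # Compress first, then encrypt: the size benefit is preserved.
    compress_then_encrypt = keystream_xor(key, zlib.compress(plaintext, 6))
    return {
        "plain_compressed": len(plain_compressed) / n,
        "encrypt_then_compress": len(encrypt_then_compress) / n,
        "compress_then_encrypt": len(compress_then_encrypt) / n,
    }


if __name__ == "__main__":
    for path, ratio in compare(SAMPLE, KEY).items():
        print(f"{path:24s} {ratio:.3f} of original size")
```

For capacity planning, this means tapes written with host-side encryption should be sized at native capacity rather than the drive's advertised compressed capacity.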