Veritas-bu

Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape

2011-11-30 12:03:25
Subject: Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape
From: "smpt" <smpt1 AT peppas DOT gr>
To: "'John Berchmans'" <pjberchmans AT yahoo DOT com>, <VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU>, "'JeffLightner'" <JLightner AT water DOT com>
Date: Wed, 30 Nov 2011 19:02:29 +0200
• Disaster recovery is not supported with encrypted backups.
Therefore you must not encrypt backups used for Disaster Recovery restore

This is true only if you do not replicate the keys. With library KMS you must 
have a replicated KMS, and with NetBackup KMS you have to replicate or back up 
the keys (unencrypted backup).


stefanos 

-----Original Message-----
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu 
[mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of John 
Berchmans
Sent: Tuesday, November 29, 2011 7:55 PM
To: VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU; JeffLightner
Subject: Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape

Please read some of the limitations of encrypting backups using software or 
drive based encryption:
==========================================================

Limitations of using software-based encryption:
• Disaster recovery is not supported with encrypted backups.
Therefore you must not encrypt backups used for Disaster Recovery restore.


Limitations of using drive-based encryption:
• Drive-based decryption may not work if the encryption metadata values on the 
tape medium are tampered with.
• If, e.g., the LTO-4 tape drive is connected through a Network Storage Router 
(NSR), then encryption is supported only if the router firmware supports 
encryption-related SCSI commands.

Other factors:

- Suppose you choose both software-based and drive-based encryption on the same 
host, it's possible there could be only one key file used for both.
- For security reasons, it may not be possible to delete a key. It is only 
possible to deactivate a key.
- Enabling software-based encryption reduces the effectiveness of drive-based 
compression.
- Backed up data cannot be restored if all encryption keys used during backup 
sessions are not available.
- Since encrypted backup sessions are CPU intensive and time consuming, it will 
affect the overall contingency plan, in case of disaster and if you had to 
recover the data.




--- On Tue, 11/29/11, Lightner, Jeff <JLightner AT water DOT com> wrote:

> From: Lightner, Jeff <JLightner AT water DOT com>
> Subject: Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape
> To: "VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU" <VERITAS-BU AT 
> MAILMAN.ENG.AUBURN DOT EDU>
> Date: Tuesday, November 29, 2011, 8:17 PM
> Additionally for Linux/UNIX at least
> the format written on tape is using a modified version of
> GNU Tar so one could get the raw data using GNU Tar or even
> dd so you don't even need NetBackup's import
> capability.   Someone attempting to steal
> data does NOT limit themselves to restoring to the same
> filesystem/directories or even file
> names.   This is why people typically wipe
> disk drives before discarding them.
> 
> On the flip side whether you need to encrypt the data is
> dependent on what happens to the tapes and how comfortable
> you feel with it.   e.g. if they're stored in
> a safe on your site then the likelihood the physical media
> will be compromised is low.   If you're
> sending them offsite the likelihood increases although folks
> like Iron Mountain have their own security procedures to
> deal with custody of tapes.   Additionally
> there may be other mitigating factors (e.g. your database
> management system encrypts data itself so that encryption of
> a database backup might be duplicated effort.)  Finally
> you have to measure the desire for encryption against
> keeping track of keys used for encryption permanently (and
> of course keeping such keys secure).
> 
> 
> 
> 
> 
> -----Original Message-----
> From: veritas-bu-bounces AT mailman.eng.auburn DOT edu
> [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu]
> On Behalf Of Justin Piszcz
> Sent: Tuesday, November 29, 2011 4:01 AM
> To: VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU
> Subject: Re: [Veritas-bu] veritas netbackup 6.5 encrypt
> backup tape
> 
> Hi,
> 
> Not true, you can bpimport the tape, it's two phases (with
> NBU) and takes 2-4
> hours per tape, this re-creates the catalog data from the
> tape media itself.
> 
> Read more here:
> http://www.symantec.com/business/support/index?page=content&id=TECH43584
> 
> Justin.
> 
> -----Original Message-----
> From: veritas-bu-bounces AT mailman.eng.auburn DOT edu
> [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu]
> On Behalf Of novice123
> Sent: Tuesday, November 29, 2011 1:59 AM
> To: VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU
> Subject: [Veritas-bu] veritas netbackup 6.5 encrypt backup
> tape
> 
> Dear All,
> 
> During a risk assessment exercise, I realized that my
> backup admin does not
> encrypt data in backup tapes. He argues, it is not required
> as an adversary
> cannot recover/read data from the backup tape, assuming it's
> stolen, if he
> does not have the corresponding catalog. He further adds
> that catalog is
> kept secure. We are using Veritas netbackup 6.5. I am
> unfamiliar with the
> technology, hence would want to know the following:
> 
> a) If catalogs are secure, why should the software have a
> feature for
> encrypting data in the backup tape?
> 
> b) If the argument is invalid, how can an adversary
> read/recover the data
> from the stolen backup tapes, even if he does not have the
> catalog. Please
> help in articulating the risk.
> 
> Any help in this regard is appreciated.
> 
> Thanks in anticipation
> 
> +----------------------------------------------------------------------
> |This was sent by sanjay.nefarious AT gmail DOT com
> via Backup Central.
> |Forward SPAM to abuse AT backupcentral DOT com.
> +----------------------------------------------------------------------
> 
> 
> _______________________________________________
> Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
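
The point made in the thread, that a tar-style stream on tape describes itself and needs no catalog to be read, can be turned into a check that what lands on media is actually encrypted. This is an added example, not part of the original thread or of NetBackup: it assumes plain GNU tar headers (NetBackup's modified format may differ), and the sample image, the file names and the XOR keystream standing in for real encryption are all constructed.

```python
import hashlib
import io
import tarfile

BLOCK = 512  # tar header and data block size


def build_sample_image():
    """Constructed stand-in for a raw dump of a tape: a GNU tar stream."""
    buf = io.BytesIO()
    files = [("payroll/2011-11.csv", b"id,amount\n1,constructed\n"),
             ("hr/contacts.txt", b"constructed sample\n")]
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def stand_in_encrypt(data, key):
    """XOR with a SHA-256 counter keystream; a stand-in, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def visible_members(image):
    """Return (name, size) for each tar header readable with no catalog."""
    found, pos = [], 0
    while pos + BLOCK <= len(image):
        hdr = image[pos:pos + BLOCK]
        pos += BLOCK
        if hdr[257:262] != b"ustar":      # magic field of a tar header
            continue
        name = hdr[:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        try:
            size = int(hdr[124:136].strip(b"\0 "), 8)  # octal size field
        except ValueError:
            continue                      # base-256 sizes are not handled here
        found.append((name, size))
        pos += -(-size // BLOCK) * BLOCK  # skip this member's data blocks
    return found


if __name__ == "__main__":
    image = build_sample_image()
    print("plain:    ", visible_members(image))
    print("encrypted:", visible_members(stand_in_encrypt(image, b"constructed-key")))
```

An empty result on a sample read back from production media is the outcome to expect when encryption is in effect; any listed member means names and sizes are exposed on that medium regardless of where the catalog is kept.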