Solaris+IBM LTO4 encrypt drives: Possible key mgmt solution
Post
Download the PowerPoint presentation Solaris_SME_User_Guide.ppt from this directory: ftp://ftp.software.ibm.com/storage/devdrvr/Solaris

It should give you a good idea of what's involved on the Solaris end; it has command and config file examples. This same directory has the latest IBMtape drivers that you will need should you go ahead with implementation.

In my situation, we already have an IBM EKM (encryption key server) operated by another group; I am trying to set up and confirm that my Solaris system can act as a client to their EKM keyserver and will provide the keys needed to encrypt tapes on my (future, not yet purchased) IBM LTO4 encrypting tape drives.

Based on the above PowerPoint presentation it looks doable. I have EMC Networker (V7.5.1) backup software which has no encryption key management built in, so I have to roll my own.

I have a fairly modest tape operation (only about 200 tapes and a single backup server), so buying Sun's encryption key server appliances for my data center and the disaster recovery center is out. Also, my disaster recovery site vendor has (mostly) IBM LTO4 drives in their libraries, so I have the best chance of success if my key management works with those drives.

Even if I had to create an EKM server, that approach wins hands down from a cost standpoint - I could create it on a small server or even a laptop; buying multiple key management appliances isn't cost effective for a small operation.

FYI: IBM LTO4 drives do encryption "in band"; the HP LTO4 drives have a separate network connection and do encryption key management "out of band".

I'll update this topic when/if I get my LTO4 drives and have some success.

Goony

Post  
Here is the web URL for the IBM EKM Encryption Key Management Server software: http://www-01.ibm.com/support/docview.wss?uid=ssg1S4000504

Post  
A few comments (although I wouldn't assume any of them are actually helpful comments):
- The LTO4 drives from IBM AND HP will work with IN-BAND and OUT-OF-BAND key managers when installed in tape libraries.
- FYI, the Quantum LTO4 drives are capable of working with in-band and out-of-band key managers, but, so far, none of the out-of-band key managers support them - I think this is more of a "market segment" kind of thing, rather than a technology issue.
- The IBM TS1120/1130 drives also work with in-band and out-of-band key management.
- IBM offers a product known as EKM which is typically used to supply keys out-of-band to IBM drives. It can also be used to feed the keys to Tivoli Storage Manager to have TSM supply the keys in band and it can be used (as mentioned in the PPT) to have the host feed the keys to the drives - but I've only ever seen this done in TSM environments. As far as I know, EKM only supports IBM LTO and TS11xx drives.
- Quantum (maybe others too??) offers a version of IBM's EKM out-of-band key manager known as Q-EKM.
- HP offers an out-of-band key management solution for their LTO4 drives (for some reason I can't remember the name of that product), and Quantum offers an out-of-band key manager for HP drives known as Scalar Key Manager.
- Sun offers an out-of-band key management solution for HP drives with their libraries.
- None of the out-of-band key managers play nice with each other. In other words, you can't easily move your key store from IBM's EKM to HP's key manager.
- Out of band key managers tend to be designed to work with specific libraries (i.e. EKM and Q-EKM both work with some of the IBM and Quantum libraries - and you can backup a tape in an IBM library and restore it in a Quantum library, if both libraries have IBM drives and you have a copy of your key manager accessible by the library at the restore site.)
- There may be other companies that offer out-of-band key managers for HP and IBM drives, I'm not trying to indicate anything about the quality of those products by not mentioning them, I just haven't worked with them.
- In-band key management is mainly handled by the backup application, since the keys are sent down the data path (when using in-band) and the backup application owns the data path to the drives - and often supplies drivers for the tape drives.
- With an in-band key management solution, it doesn't really matter what brand of LTO4 tape drive is used or what library the drives are in - you can backup on an HP drive in a Sun library and restore on an IBM or SUN or HP drive in a Quantum/IBM/Sun/whatever library.
- I've heard rumors that EMC will be adding in-band key management into Networker, but you should definitely check with your EMC rep to find out if/when this is coming.
- EMC does offer some interesting key management solutions using RSA for both IBM and HP drives. I believe the RSA solution is an out-of-band key manager. It's not cheap, but it offers a lot of flexibility. Again, check with your EMC rep on this.

What you are trying to implement MAY work, but support could be very interesting. You don't mention if you have IBM LTO4 drives in your backup environment and if they are stand-alone or are in a library.
Since you already have an IBM EKM server on site with another group (and assuming there are no political or security issues with you using that server to supply keys for your group's backups), I would first check to see if your group's tape library is supported by IBM EKM.
If it is, then you have an easy option - just license your library's drives for use in EKM and point your library at the EKM server. If your group's tape library is not supported by EKM, then it might be worth pursuing using EKM to supply keys to your Solaris server to then send them in-band to the drives.

Just to make this more interesting, there is a lot of stuff going on in the key management standards world, trying to get everyone working on the same page (or at least the same book). We're not there yet.

BIG DISCLAIMER: I work for a vendor in the data protection business that offers key management solutions along with backup devices. I've tried to make this vendor neutral, but I'm not sure how successful I've been at that.
