Backup Central

All,

What is the best way to implement encryption for tape with LT04 tape drives. I have seen that some of you are using KMS. Is this the best method? I need to make sure that my tapes are encrypted with 3DES. Is the KMS function included with NBU 6.5.5 in Windows 2003 64 bit?

My current encryption device is coming to end of life. This is the main reason I need to be looking at the different options.

Just trying to get some ideas.

Thanks,

Uli.

On Mon, 25 Apr 2011, Ulises Rodriguez wrote:

All,

What is the best way to implement encryption for tape with LT04 tape drives. I have seen that some of you are using KMS. Is this the best method? I need to make sure that my tapes are encrypted with 3DES. Is the KMS function included with NBU 6.5.5 in Windows 2003 64 bit?

My current encryption device is coming to end of life. This is the main reason I need to be looking at the different options.

Just trying to get some ideas.

Thanks,

Uli.



Hi,

Yes KMS, it works, little to no speed difference, with 6.5.x you only
get a maximum of 2 key groups though, e.g. two volume groups that you can
use, with 7.0 there are more.

I believe(?) the first version that supported it was 6.5.2, but it has been
awhile.

For the OS, good question, also note, I've seen issues if your tape drive
isn't a certain firmware rev in relation to the HBA firmware, the backups
break and the fiber hba/link resets it self, make sure to do a lot of testing
first.

Justin.

_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

Hi,
With NetBackup 7.x you can use 20 key groups (volume pools) with 10 (or 20?)
keys per group.

The big difference is that if you use the library's encryption key manager
you will have all drives encryption enabled at all time.
With NetBackup key manager you can choose what backup will be encrypted.

With both key managers you have to have a good disaster plan. If you lose
your key manager, you will lose your backups.



-----Original Message-----
From: veritas-bu-bounces < at > mailman.eng.auburn.edu
[mailto:veritas-bu-bounces < at > mailman.eng.auburn.edu] On Behalf Of Justin
Piszcz
Sent: Monday, April 25, 2011 10:09 PM
To: Ulises Rodriguez
Cc: 'veritas-bu < at > mailman.eng.auburn.edu'
Subject: Re: [Veritas-bu] LT04 Encryption.


On Mon, 25 Apr 2011, Ulises Rodriguez wrote:

All,

What is the best way to implement encryption for tape with LT04 tape
drives. I have seen that some of you are using KMS. Is this the best
method? I need to make sure that my tapes are encrypted with 3DES. Is the
KMS function included with NBU 6.5.5 in Windows 2003 64 bit?

My current encryption device is coming to end of life. This is the main
reason I need to be looking at the different options.

Just trying to get some ideas.

Thanks,

Uli.



Hi,

Yes KMS, it works, little to no speed difference, with 6.5.x you only
get a maximum of 2 key groups though, e.g. two volume groups that you can
use, with 7.0 there are more.

I believe(?) the first version that supported it was 6.5.2, but it has been
awhile.

For the OS, good question, also note, I've seen issues if your tape drive
isn't a certain firmware rev in relation to the HBA firmware, the backups
break and the fiber hba/link resets it self, make sure to do a lot of
testing
first.

Justin.

_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

Uli,

Can you tell us a little bit more about your hardware.

Which vendor makes your tape drives and tape library?

Out experience is with IBM lto4 and lto5 tape drives in IBM 3584 (aka TS3500) tape libraries.
I believe that the tape drive support should be pretty much the same across vendors, but may be different.

If you are using netbackup and need less than 20 keys, KMS looks pretty easy.

We have over 100 different volume pools and each required a different key or key group.

We choose to use some special support that the IBM tape drives, the IBM tape library and netbackup have set up. I am not sure if this support is in other tape drives.

When the tape drive mounts a tape, it reads the volume pool number from the tape header, for a scratch tape from the header to be written to the tape. The tape drive creates a key alias using the volume pool number. It passes this to the tape library which fetches the encryption key from an external key manager. The pool number for encryption have to be in special ranges.
So we assign the pool numbers to the volume pool’s when we create them.

But this gives us a huge number keys to work from.


len


From: veritas-bu-bounces < at > mailman.eng.auburn.edu [mailto:veritas-bu-bounces < at > mailman.eng.auburn.edu] On Behalf Of Ulises Rodriguez
Sent: Monday, April 25, 2011 3:03 PM
To: 'veritas-bu < at > mailman.eng.auburn.edu'
Subject: [Veritas-bu] LT04 Encryption.



All,

What is the best way to implement encryption for tape with LT04 tape drives. I have seen that some of you are using KMS. Is this the best method? I need to make sure that my tapes are encrypted with 3DES. Is the KMS function included with NBU 6.5.5 in Windows 2003 64 bit?

My current encryption device is coming to end of life. This is the main reason I need to be looking at the different options.

Just trying to get some ideas.

Thanks,

Uli.

Hello

The IBM library managed code for the 3584 allows one to control the encryption with volser ranges. We did not want to go that route, so we control it with netbackup volume pool numbers. The low volume pool numbers do not trigger the encryption at the tape drive, the higher ones do. So by assigning vol pool numbers in netbackup one can turn encryption on or not for a volume pool.

See this doc for more information. I do not know if the other tape vendors support this.

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a/3c8fb635ba4c5eb7862572f200177aa9/$FILE/Intro%20of%20ILEP%20V4.pdf

There is also doc you can get from the netbackup support folks

len

-----Original Message-----
From: veritas-bu-bounces < at > mailman.eng.auburn.edu [mailto:veritas-bu-bounces < at > mailman.eng.auburn.edu] On Behalf Of smpt
Sent: Monday, April 25, 2011 3:50 PM
To: 'Justin Piszcz'; 'Ulises Rodriguez'
Cc: veritas-bu < at > mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] LT04 Encryption.

Hi,
With NetBackup 7.x you can use 20 key groups (volume pools) with 10 (or 20?) keys per group.

The big difference is that if you use the library's encryption key manager you will have all drives encryption enabled at all time.
With NetBackup key manager you can choose what backup will be encrypted.

With both key managers you have to have a good disaster plan. If you lose your key manager, you will lose your backups.



-----Original Message-----
From: veritas-bu-bounces < at > mailman.eng.auburn.edu
[mailto:veritas-bu-bounces < at > mailman.eng.auburn.edu] On Behalf Of Justin Piszcz
Sent: Monday, April 25, 2011 10:09 PM
To: Ulises Rodriguez
Cc: 'veritas-bu < at > mailman.eng.auburn.edu'
Subject: Re: [Veritas-bu] LT04 Encryption.


On Mon, 25 Apr 2011, Ulises Rodriguez wrote:

All,

What is the best way to implement encryption for tape with LT04 tape
drives. I have seen that some of you are using KMS. Is this the best method? I need to make sure that my tapes are encrypted with 3DES. Is the KMS function included with NBU 6.5.5 in Windows 2003 64 bit?

My current encryption device is coming to end of life. This is the
main
reason I need to be looking at the different options.

Just trying to get some ideas.

Thanks,

Uli.



Hi,

Yes KMS, it works, little to no speed difference, with 6.5.x you only get a maximum of 2 key groups though, e.g. two volume groups that you can use, with 7.0 there are more.

I believe(?) the first version that supported it was 6.5.2, but it has been awhile.

For the OS, good question, also note, I've seen issues if your tape drive isn't a certain firmware rev in relation to the HBA firmware, the backups break and the fiber hba/link resets it self, make sure to do a lot of testing first.

Justin.

_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu


_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

Very useful info.
Is the IBM solution free of charge or you have to pay from the EKM software?

I'm asking about the software, not the implementation.

Thanks
Stefanos


-----Original Message-----
From: veritas-bu-bounces < at > mailman.eng.auburn.edu
[mailto:veritas-bu-bounces < at > mailman.eng.auburn.edu] On Behalf Of Len Boyle
Sent: Monday, April 25, 2011 11:11 PM
To: smpt; 'Justin Piszcz'; 'Ulises Rodriguez'
Cc: veritas-bu < at > mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] LT04 Encryption.

Hello

The IBM library managed code for the 3584 allows one to control the
encryption with volser ranges. We did not want to go that route, so we
control it with netbackup volume pool numbers. The low volume pool numbers
do not trigger the encryption at the tape drive, the higher ones do. So by
assigning vol pool numbers in netbackup one can turn encryption on or not
for a volume pool.

See this doc for more information. I do not know if the other tape vendors
support this.

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71
006d2e0a/3c8fb635ba4c5eb7862572f200177aa9/$FILE/Intro%20of%20ILEP%20V4.pdf

There is also doc you can get from the netbackup support folks

len

-----Original Message-----
From: veritas-bu-bounces < at > mailman.eng.auburn.edu
[mailto:veritas-bu-bounces < at > mailman.eng.auburn.edu] On Behalf Of smpt
Sent: Monday, April 25, 2011 3:50 PM
To: 'Justin Piszcz'; 'Ulises Rodriguez'
Cc: veritas-bu < at > mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] LT04 Encryption.

Hi,
With NetBackup 7.x you can use 20 key groups (volume pools) with 10 (or 20?)
keys per group.

The big difference is that if you use the library's encryption key manager
you will have all drives encryption enabled at all time.
With NetBackup key manager you can choose what backup will be encrypted.

With both key managers you have to have a good disaster plan. If you lose
your key manager, you will lose your backups.



-----Original Message-----
From: veritas-bu-bounces < at > mailman.eng.auburn.edu
[mailto:veritas-bu-bounces < at > mailman.eng.auburn.edu] On Behalf Of Justin
Piszcz
Sent: Monday, April 25, 2011 10:09 PM
To: Ulises Rodriguez
Cc: 'veritas-bu < at > mailman.eng.auburn.edu'
Subject: Re: [Veritas-bu] LT04 Encryption.


On Mon, 25 Apr 2011, Ulises Rodriguez wrote:

All,

What is the best way to implement encryption for tape with LT04 tape
drives. I have seen that some of you are using KMS. Is this the best
method? I need to make sure that my tapes are encrypted with 3DES. Is the
KMS function included with NBU 6.5.5 in Windows 2003 64 bit?

My current encryption device is coming to end of life. This is the
main
reason I need to be looking at the different options.

Just trying to get some ideas.

Thanks,

Uli.



Hi,

Yes KMS, it works, little to no speed difference, with 6.5.x you only get a
maximum of 2 key groups though, e.g. two volume groups that you can use,
with 7.0 there are more.

I believe(?) the first version that supported it was 6.5.2, but it has been
awhile.

For the OS, good question, also note, I've seen issues if your tape drive
isn't a certain firmware rev in relation to the HBA firmware, the backups
break and the fiber hba/link resets it self, make sure to do a lot of
testing first.

Justin.

_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu


_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

You have to pay to have encryption turned on for the tape library. This is a fixed one time charge. Which can be bundled in like the alms feature code.

The older ekm java base software is free on an IBM platform, aix, mvs, os400, linux.

The newer Tivoli software is not free.

-----Original Message-----
From: smpt [mailto:smpt1 < at > peppas.gr]
Sent: Monday, April 25, 2011 5:32 PM
To: Len Boyle; 'Justin Piszcz'; 'Ulises Rodriguez'
Cc: veritas-bu < at > mailman.eng.auburn.edu
Subject: RE: [Veritas-bu] LT04 Encryption.

Very useful info.
Is the IBM solution free of charge or you have to pay from the EKM software?

I'm asking about the software, not the implementation.

Thanks
Stefanos


-----Original Message-----
From: veritas-bu-bounces < at > mailman.eng.auburn.edu
[mailto:veritas-bu-bounces < at > mailman.eng.auburn.edu] On Behalf Of Len Boyle
Sent: Monday, April 25, 2011 11:11 PM
To: smpt; 'Justin Piszcz'; 'Ulises Rodriguez'
Cc: veritas-bu < at > mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] LT04 Encryption.

Hello

The IBM library managed code for the 3584 allows one to control the encryption with volser ranges. We did not want to go that route, so we control it with netbackup volume pool numbers. The low volume pool numbers do not trigger the encryption at the tape drive, the higher ones do. So by assigning vol pool numbers in netbackup one can turn encryption on or not for a volume pool.

See this doc for more information. I do not know if the other tape vendors support this.

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71
006d2e0a/3c8fb635ba4c5eb7862572f200177aa9/$FILE/Intro%20of%20ILEP%20V4.pdf

There is also doc you can get from the netbackup support folks

len

-----Original Message-----
From: veritas-bu-bounces < at > mailman.eng.auburn.edu
[mailto:veritas-bu-bounces < at > mailman.eng.auburn.edu] On Behalf Of smpt
Sent: Monday, April 25, 2011 3:50 PM
To: 'Justin Piszcz'; 'Ulises Rodriguez'
Cc: veritas-bu < at > mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] LT04 Encryption.

Hi,
With NetBackup 7.x you can use 20 key groups (volume pools) with 10 (or 20?) keys per group.

The big difference is that if you use the library's encryption key manager you will have all drives encryption enabled at all time.
With NetBackup key manager you can choose what backup will be encrypted.

With both key managers you have to have a good disaster plan. If you lose your key manager, you will lose your backups.



-----Original Message-----
From: veritas-bu-bounces < at > mailman.eng.auburn.edu
[mailto:veritas-bu-bounces < at > mailman.eng.auburn.edu] On Behalf Of Justin Piszcz
Sent: Monday, April 25, 2011 10:09 PM
To: Ulises Rodriguez
Cc: 'veritas-bu < at > mailman.eng.auburn.edu'
Subject: Re: [Veritas-bu] LT04 Encryption.


On Mon, 25 Apr 2011, Ulises Rodriguez wrote:

All,

What is the best way to implement encryption for tape with LT04 tape
drives. I have seen that some of you are using KMS. Is this the best method? I need to make sure that my tapes are encrypted with 3DES. Is the KMS function included with NBU 6.5.5 in Windows 2003 64 bit?

My current encryption device is coming to end of life. This is the
main
reason I need to be looking at the different options.

Just trying to get some ideas.

Thanks,

Uli.



Hi,

Yes KMS, it works, little to no speed difference, with 6.5.x you only get a maximum of 2 key groups though, e.g. two volume groups that you can use, with 7.0 there are more.

I believe(?) the first version that supported it was 6.5.2, but it has been awhile.

For the OS, good question, also note, I've seen issues if your tape drive isn't a certain firmware rev in relation to the HBA firmware, the backups break and the fiber hba/link resets it self, make sure to do a lot of testing first.

Justin.

_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu


_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu



_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu