Re: [Veritas-bu] LTO Generation 4 tape throughput with on-drive encryption
On Fri, Dec 07, 2007 at 01:54:13AM +, [EMAIL PROTECTED] wrote:
> The big catch is that the drive supports encryption, but you have to have something to make it encrypt. If you have an IBM 3584 library, then you can upgrade the firmware AND use an IBM software package to do key management for encryption.

Spectralogic also offers a key management program for LTO4 built into some of their libraries. I'm assuming there are more, but those are the only ones that I've noticed.

--
Darren Dunham [EMAIL PROTECTED]
Senior Technical Consultant, TAOS, http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
This line left intentionally blank to confuse you.
Re: [Veritas-bu] LTO Generation 4 tape throughput with on-drive encryption
Quantum also has an upgrade to the firmware on the Scalar i2Ks that allows on the box key management and encryption via LTO4s.
Re: [Veritas-bu] LTO Generation 4 tape throughput with on-drive encryption
HP's LTO IV tape drive will also have native encryption capability and will therefore be library independent.
Re: [Veritas-bu] LTO Generation 4 tape throughput with on-drive encryption
I hosted a SNUG meeting in October on the topic of LTO4 Encryption. HP claims to do it at speed because compression is done before encryption. No space or speed overhead. I haven't tried it personally yet.

However, as many have mentioned, the real trick is key management. As of October, ALL the commercial key management solutions are vendor lock-in. You can't export your key database in any usable format except to upgrade to another product from the same vendor. Any vendor that isn't going to give me access to my own keys isn't getting through the door.

LTO4 does give you the option of manual (scripting) key management. If your only concern is offsite tape, you don't need a different key for each host or backup image. One key per offsite shipment, or maybe even one key per month may suffice.

I also attended a presentation at Storage Network World in Dallas called Intro to Key Management. Although it was written as a guide to selecting a key management vendor, I took it as a checklist for rolling your own. I have not implemented this yet, it's still 6-12 months out for me.

Here are the highlights from my notes:

- keys need an audit trail: who, creation, copies, destruction
- keys need to live as long as the data or longer
- need a means to verify key destruction at end of life
- control access to keys
- key rotation (obviously)
- prevent key modification
- verify key has not been modified
- must be available (at least 2 copies)
- storage tends to prefer symmetric keys
- may need a key encryption key to protect keys in transit
- nice to be able to move keys as a group
- versioning
- nice to have key retention tied to backup image retention
- keys should be random, chosen from entire key space (obviously)
- check for and avoid weak keys
- limit plaintext exposure
- prevent humans from viewing plaintext keys
- automate when possible
- keys should have a finite lifetime
- watch for and respond to incidents
- pay attention to government restrictions

Hopefully I didn't deviate too far from the question :)

--
Joe Royer / Sr. SysAdmin / Digital Motorworks / 512-692-1028
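Several items from the key management checklist in the message above (one random key per offsite shipment, an audit trail of creation, copies and destruction, verifying that a key has not been modified, keeping the key at least as long as the data), sketched as an added example that is not part of the original thread or of any vendor's product. The `ShipmentKeys` class, its method names, the separate `mac_key` and the shipment labels are assumptions, and wrapping the escrowed copies with a key encryption key is left out.

```python
import hashlib, hmac, json, secrets

class ShipmentKeys:
    """One 256-bit key per offsite shipment. Holds metadata and audit trail, never keys."""

    def __init__(self, mac_key):
        self.mac_key = mac_key  # assumption: integrity key stored apart from key copies
        self.meta = {}          # shipment id -> integrity tag, retention date, copies
        self.audit = []         # hash-chained entries: who did what to which key

    def _digest(self, body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _log(self, who, action, shipment):
        entry = {"who": who, "action": action, "shipment": shipment,
                 "prev": self.audit[-1]["digest"] if self.audit else ""}
        entry["digest"] = self._digest(entry)
        self.audit.append(entry)

    def _tag(self, shipment, key):
        return hmac.new(self.mac_key, shipment.encode() + key, hashlib.sha256).hexdigest()

    def create(self, who, shipment, retain_until):
        key = secrets.token_bytes(32)  # drawn uniformly from the whole key space
        self.meta[shipment] = {"tag": self._tag(shipment, key),
                               "retain_until": retain_until, "copies": []}
        self._log(who, "create", shipment)
        return key  # caller hands it to the drive and to escrow; it is never logged

    def record_copy(self, who, shipment, location):
        self.meta[shipment]["copies"].append(location)
        self._log(who, "copy:" + location, shipment)

    def is_unmodified(self, shipment, key):
        return hmac.compare_digest(self.meta[shipment]["tag"], self._tag(shipment, key))

    def destroy(self, who, shipment, today):
        if today < self.meta[shipment]["retain_until"]:  # ISO dates compare as strings
            raise ValueError("key must live at least as long as the data")
        del self.meta[shipment]
        self._log(who, "destroy", shipment)

    def audit_intact(self):
        prev = ""
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["prev"] != prev or e["digest"] != self._digest(body):
                return False
            prev = e["digest"]
        return True
```

Because each audit entry's digest covers the previous entry's digest, editing or removing an earlier entry makes `audit_intact()` return False.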
Re: [Veritas-bu] LTO Generation 4 tape throughput with on-drive encryption
Joe,

That's a marvelous answer to this question. Who taught that session at SNW?

---
W. Curtis Preston
Backup Blog @ www.backupcentral.com
VP Data Protection, GlassHouse Technologies
[Veritas-bu] LTO Generation 4 tape throughput with on-drive encryption
I'm researching the purchase of a new library with LTO generation 4 tape drives and am interested in using the on-drive encryption to encrypt my backup tapes so that if a box of tapes ever falls off of the Iron Mountain truck I'm not having to explain things to the board of directors and legal, update my resume and/or both.

The spec sheets for the LTO-4 drives that I've seen claim throughput of up to 120Mbps, but as we all know the devil is in the details and for all I know that throughput could have consisted of writing extremely large files consisting of nothing but the letter e to tape, without using encryption.

Has anyone upgraded to LTO gen 4 yet who is also using the on-drive encryption, and if so what kind of throughput do you see on average? Any real-world, real-life information will be greatly appreciated.

Thank You,
Jamie Jamison
ZymoGenetics, Seattle
Re: [Veritas-bu] LTO Generation 4 tape throughput with on-drive encryption
The big catch is that the drive supports encryption, but you have to have something to make it encrypt. If you have an IBM 3584 library, then you can upgrade the firmware AND use an IBM software package to do key management for encryption. Just because you have an LTO-4 drive does not mean that you can encrypt. Encryption key management is not at the drive. I have tested encrypted vs. non-encrypted backups and did not see any significant difference.

Bobby.