Re: [Veritas-bu] Encrypting offsite tapes
Can anyone confirm statement 1??? Is Client based free with version 6.5? Where is the reference, because our sales person is trying to get us to pay for client licenses for encryption.

-Andrew

Ed Wilts wrote:
> You have 3 separate options:
>
> 1. Client-based encryption. Free with 6.5 (and you may be able to get free licenses for 6.0 if you're under maintenance). Adds a load to each and every client. From what I've heard, it's not pretty.

--
Andrew Stueve
andrew(dot)stueve(at)neovera.com

___
Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] Encrypting offsite tapes
And Tim Needham provided a definitive answer! Thank you Tim!

Page 12 of the Licensing and Support Services Guide states, and I quote: "The Netbackup Client Encryption Option is now part of the Netbackup Standard Client and no longer licensed separately"

-Andrew
Re: [Veritas-bu] Encrypting offsite tapes
You have 3 separate options:

1. Client-based encryption. Free with 6.5 (and you may be able to get free licenses for 6.0 if you're under maintenance). Adds a load to each and every client. From what I've heard, it's not pretty.
2. Media-server based encryption. Puts the load on the media servers instead.
3. Encryption appliance. Not cheap, but they encrypt at wire speed while writing to the tape drives. Decru, now owned by NetApp, is the current market leader. Brocade is also now partnering with NetApp to build the next generation - basically a Decru encryption appliance built into a 32-port Brocade switch. Not even close to cheap :-)

We chose option 3 and have Decru appliances in front of all our tape drives. Everything that's written to tape is automatically encrypted - we don't need to think about it. NetBackup doesn't even know the data is encrypted and doesn't care.

http://www.netapp.com/us/products/storage-security-systems/

On Tue, Nov 11, 2008 at 11:32 AM, Rongsheng Fang [EMAIL PROTECTED] wrote:
> We duplicate backup images from disks/tapes to tapes weekly using NetBackup vault and send the tapes offsite. We have a new requirement for encrypting all the tapes going offsite. I understand that NetBackup can do the encryption while the backup is being done.
>
> My question is: is it possible to encrypt the images during the vault process (or the duplication process of the vault)? How do you implement the encryption in your backup environments?
>
> Our environment: NetBackup Enterprise 6.0MP4 on Solaris 10
>
> Thanks,
> Rongsheng

.../Ed
Ed Wilts, RHCE, BCFP, BCSD, SCSP, SCSE [EMAIL PROTECTED]
Re: [Veritas-bu] Encrypting offsite tapes
Don't forget hardware based encryption using LTO-4 tape drives. Netbackup 6.5.2 has key management functionality built in. To activate the hardware encryption on LTO4 using NB6.5.2 after you have created keys you just write backups to a pool prefixed with ENCR_* for instance ENCR_Offsite. Using this you could decide based on which volume pool data was written whether or not it would be encrypted. Your normal backups could be written to a normal pool and then when vault did the duplication those images could be written to a hardware encrypted pool.

The same cost caveat applies here if you don't already have LTO4 as in Ed's #3 :)

Ed Wilts wrote:
> You have 3 separate options:
>
> 1. Client-based encryption. Free with 6.5 (and you may be able to get free licenses for 6.0 if you're under maintenance). Adds a load to each and every client. From what I've heard, it's not pretty.
> 2. Media-server based encryption. Puts the load on the media servers instead.
> 3. Encryption appliance. Not cheap, but they encrypt at wire speed while writing to the tape drives. Decru, now owned by NetApp, is the current market leader. Brocade is also now partnering with NetApp to build the next generation - basically a Decru encryption appliance built into a 32-port Brocade switch. Not even close to cheap :-)
>
> We chose option 3 and have Decru appliances in front of all our tape drives. Everything that's written to tape is automatically encrypted - we don't need to think about it. NetBackup doesn't even know the data is encrypted and doesn't care.
>
> http://www.netapp.com/us/products/storage-security-systems/
Re: [Veritas-bu] Encrypting offsite tapes
If you have a library you may be able to do tape drive encryption with what you have. You just need to get it turned on (which most likely will take a license from your library manufacturer - which means money - but no new equipment).

Just remember that if you do this you must put HIGH priority on keeping track of your keys - so you can decrypt... you should use the same keys as your DR site so it can decrypt as well.

From: [EMAIL PROTECTED] On Behalf Of Ed Wilts
Sent: Tuesday, November 11, 2008 11:52 AM
To: Rongsheng Fang
Cc: VERITAS-BU@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Encrypting offsite tapes

> You have 3 separate options:
>
> 1. Client-based encryption. Free with 6.5 (and you may be able to get free licenses for 6.0 if you're under maintenance). Adds a load to each and every client. From what I've heard, it's not pretty.
> 2. Media-server based encryption. Puts the load on the media servers instead.
> 3. Encryption appliance. Not cheap, but they encrypt at wire speed while writing to the tape drives. Decru, now owned by NetApp, is the current market leader. Brocade is also now partnering with NetApp to build the next generation - basically a Decru encryption appliance built into a 32-port Brocade switch. Not even close to cheap :-)
>
> We chose option 3 and have Decru appliances in front of all our tape drives. Everything that's written to tape is automatically encrypted - we don't need to think about it. NetBackup doesn't even know the data is encrypted and doesn't care.
>
> http://www.netapp.com/us/products/storage-security-systems/
Re: [Veritas-bu] Encrypting offsite tapes
my understanding of using your tape drives to perform the encryption, you must use the same type of drive to perform the decryption.

i'm looking at crossroads as an encryption appliance, similar to decru.

dave..

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, November 11, 2008 10:08 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: VERITAS-BU@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Encrypting offsite tapes

> If you have a library you may be able to do tape drive encryption with what you have. You just need to get it turned on (which most likely will take a license from your library manufacturer - which means money - but no new equipment).
>
> Just remember that if you do this you must put HIGH priority on keeping track of your keys - so you can decrypt... you should use the same keys as your DR site so it can decrypt as well.
Re: [Veritas-bu] Encrypting offsite tapes
Thank you all for your replies!

We do have HP LTO4 tape drives in a StorageTek SL500 and were told by Sun that the encryption could be turned on with a license fee.

My next question is: once the encryption feature for an LTO4 tape drive is turned on, will all backups written to the tape by this drive be encrypted automatically? Or can NetBackup be configured to selectively encrypt backups based on the volume pools as Travis described?

Thanks,
Rongsheng

On Nov 11, 2008, at 1:04 PM, Travis Kelley wrote:
> Don't forget hardware based encryption using LTO-4 tape drives. Netbackup 6.5.2 has key management functionality built in. To activate the hardware encryption on LTO4 using NB6.5.2 after you have created keys you just write backups to a pool prefixed with ENCR_* for instance ENCR_Offsite. Using this you could decide based on which volume pool data was written whether or not it would be encrypted. Your normal backups could be written to a normal pool and then when vault did the duplication those images could be written to a hardware encrypted pool.
>
> The same cost caveat applies here if you don't already have LTO4 as in Ed's #3 :)
Re: [Veritas-bu] Encrypting offsite tapes
I'm not aware of how the licensing works for the LTO4s in an SL500. I'm not sure why you'd need a license from Sun to activate this encryption since it's a built in feature of LTO4 tape drives. I wonder if they were referring to licensing key management software from them?

If you use the netbackup key management, bptm sends the keys to the drive when it requests a tape be mounted if that tape is coming from an ENCR_* prefixed policy. Hence a drive can use encryption for one backup (when using a tape from an ENCR_* pool) and not encrypt the next backup (when writing to a tape from a non ENCR_* pool). Obviously encrypted and non-encrypted backups will not be able to be multiplexed onto the same tape and once a tape has encrypted data on it all further data will be encrypted (since it would now be part of an ENCR_* prefixed pool) until the tape expired. The volume pool is the key to netbackup's encryption key management.

Here is a good pdf describing the functionality:
ftp://exftpp.symantec.com/pub/support/products/NetBackup_Enterprise_Server/302438.pdf

I have no idea if netbackup is going to start charging for their KMS functionality in future releases.

-----Original Message-----
From: Rongsheng Fang [EMAIL PROTECTED]
Sent: Tuesday, November 11, 2008 1:25 PM
To: Kelley, Travis
Cc: Ed Wilts; VERITAS-BU@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Encrypting offsite tapes

> Thank you all for your replies!
>
> We do have HP LTO4 tape drives in a StorageTek SL500 and were told by Sun that the encryption could be turned on with a license fee.
>
> My next question is: once the encryption feature for an LTO4 tape drive is turned on, will all backups written to the tape by this drive be encrypted automatically? Or can NetBackup be configured to selectively encrypt backups based on the volume pools as Travis described?
>
> Thanks,
> Rongsheng
Re: [Veritas-bu] Encrypting offsite tapes
My understanding is all backups to that tape drive would be encrypted. But you can set up a storage unit that has that tape drive in it. Then setup your policies to use that storage unit that would go to that tape drive.

To keep your tapes straight you should also set up a volume pool where your encrypted tapes are where the normal tapes are. As you do not want to send a tape to the encrypted drive then turn around and send the tape to a normal tape drive.

So you now have a policy that uses a storage unit that has an encrypted drive and a volume pool to get those tapes from. You would have other policies that use normal tape drives and get their tapes from a normal volume pool. So if you are going to have a mix, you want to make sure you keep the tapes separate so you can keep track of them.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Rongsheng Fang
Sent: Tuesday, November 11, 2008 12:25 PM
To: Travis Kelley
Cc: Ed Wilts; VERITAS-BU@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Encrypting offsite tapes

> Thank you all for your replies!
>
> We do have HP LTO4 tape drives in a StorageTek SL500 and were told by Sun that the encryption could be turned on with a license fee.
>
> My next question is: once the encryption feature for an LTO4 tape drive is turned on, will all backups written to the tape by this drive be encrypted automatically? Or can NetBackup be configured to selectively encrypt backups based on the volume pools as Travis described?
>
> Thanks,
> Rongsheng
Re: [Veritas-bu] Encrypting offsite tapes
Hello Rongsheng,

I think there may also be a 4th option, though potentially more expensive than an appliance solution if you don't already have the hardware - IF you have LTO4 at your primary site and you either have (or don't need) LTO4 read capability at your offsite:

You could create a policy that calls on a vault profile that duplicates the tape using hardware based encryption. The caveat here is you would need to worry about EKM (Encryption Key Management) and the fact that encrypted data doesn't compress quite the same as unencrypted data. This could lead to slightly increased tape utilization.

FWIW: We are not currently using LTO4. We tested software based encryption and found the system overhead and tape utilization prohibitive. We wound up with an appliance based solution that is actually quite fast, but short of getting off tape altogether, I'm looking forward to LTO4.

-Kent

Message: 18
Date: Tue, 11 Nov 2008 11:52:07 -0600
From: Ed Wilts [EMAIL PROTECTED]
Subject: Re: [Veritas-bu] Encrypting offsite tapes
To: Rongsheng Fang [EMAIL PROTECTED]
Cc: VERITAS-BU@mailman.eng.auburn.edu

> You have 3 separate options:
>
> 1. Client-based encryption. Free with 6.5 (and you may be able to get free licenses for 6.0 if you're under maintenance). Adds a load to each and every client. From what I've heard, it's not pretty.
> 2. Media-server based encryption. Puts the load on the media servers instead.
> 3. Encryption appliance. Not cheap, but they encrypt at wire speed while writing to the tape drives. Decru, now owned by NetApp, is the current market leader. Brocade is also now partnering with NetApp to build the next generation - basically a Decru encryption appliance built into a 32-port Brocade switch. Not even close to cheap :-)
>
> We chose option 3 and have Decru appliances in front of all our tape drives. Everything that's written to tape is automatically encrypted - we don't need to think about it. NetBackup doesn't even know the data is encrypted and doesn't care.
>
> http://www.netapp.com/us/products/storage-security-systems/

Kent Eagle
MTS Infrastructure Engineer II, MCP, MCSE
Tech Services / SMSS

Visit our website at www.wilmingtontrust.com

Investment products are not insured by the FDIC or any other governmental agency, are not deposits of or other obligations of or guaranteed by Wilmington Trust or any other bank or entity, and are subject to risks, including a possible loss of the principal amount invested. This e-mail and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.
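Added example (not part of Kent's message or of the thread): the tape-utilization effect he mentions depends on whether data is encrypted before or after it is compressed. The code assumes zlib as a stand-in for drive compression, a toy SHA-256 keystream as a stand-in for a real cipher, constructed log-like sample data, and a hypothetical 20 TB vault job.

```python
"""Added example: the order of compression and encryption decides tape usage."""
import hashlib
import math
import zlib

LTO4_NATIVE_BYTES = 800 * 10**9  # native (uncompressed) capacity of one LTO-4 cartridge


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with SHA-256(key || counter) blocks.

    Illustration only, not a vetted cipher. It is used because its output is
    statistically random, as the output of any sound cipher is, and the
    standard library ships no AES. Applying it twice restores the input.
    """
    out = bytearray(len(data))
    for block, offset in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out[offset:offset + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)


def sample_backup_data(records: int = 4000) -> bytes:
    """Constructed, repetitive text standing in for typical file-system backup data."""
    lines = [
        f"2008-11-11 11:{i % 60:02d}:00 host{i % 17:02d} policy=Offsite_Weekly "
        f"file=/export/home/user{i % 250}/report_{i}.txt status=0\n"
        for i in range(records)
    ]
    return "".join(lines).encode()


def bytes_on_tape(data: bytes, key: bytes) -> dict:
    """Bytes that reach the medium for three orderings of the same data."""
    compressed = zlib.compress(data, 6)
    return {
        # No encryption: the drive compresses clear text.
        "clear, then drive compression": len(compressed),
        # Encryption upstream (client or media server): the drive is handed
        # ciphertext, which has no redundancy left to remove.
        "encrypt, then drive compression": len(zlib.compress(keystream_xor(key, data), 6)),
        # Compression first, encryption last: same size as the clear case.
        "compress, then encrypt": len(keystream_xor(key, compressed)),
    }


def cartridges_needed(job_bytes: int, on_tape: int, sample_size: int) -> int:
    """Scale the measured on-tape ratio to a whole job and round up to LTO-4 tapes."""
    return math.ceil(job_bytes * (on_tape / sample_size) / LTO4_NATIVE_BYTES)


if __name__ == "__main__":
    data = sample_backup_data()
    key = b"constructed-demo-key"  # constructed value, not a real key
    job = 20 * 10**12              # hypothetical 20 TB weekly vault job
    for label, size in bytes_on_tape(data, key).items():
        ratio = size / len(data)
        tapes = cartridges_needed(job, size, len(data))
        print(f"{label:34s} ratio={ratio:5.2f}  LTO-4 tapes for 20 TB: {tapes}")
```

The middle row is the case where software encrypts upstream of the tape drive; the last row is the ordering in which compression runs before encryption, which leaves the tape count unchanged.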
Re: [Veritas-bu] Encrypting offsite tapes
hi.

i believe that once the drives have been enabled to encrypt data, then they can only be used for encrypting data. i've heard that whatever lto4 vendor you use to encrypt your tapes, you must use the same vendor to decrypt your tapes. i am using hp's lto3 at home but at sungard i use ibm's lto3 with no problems. i don't think that you have that luxury when you enable encryption.

years from now when you're using lto5, will you be able to decrypt your archive data using tape drive encryption?

i have not confirmed the above statements. i'm just starting to look into encryption myself. just something to think about.

dave..

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Eagle, Kent
Sent: Tuesday, November 11, 2008 1:52 PM
To: veritas-bu@mailman.eng.auburn.edu
Cc: [EMAIL PROTECTED]
Subject: Re: [Veritas-bu] Encrypting offsite tapes

> Hello Rongsheng,
>
> I think there may also be a 4th option, though potentially more expensive than an appliance solution if you don't already have the hardware - IF you have LTO4 at your primary site and you either have (or don't need) LTO4 read capability at your offsite:
>
> You could create a policy that calls on a vault profile that duplicates the tape using hardware based encryption. The caveat here is you would need to worry about EKM (Encryption Key Management) and the fact that encrypted data doesn't compress quite the same as unencrypted data. This could lead to slightly increased tape utilization.
>
> FWIW: We are not currently using LTO4. We tested software based encryption and found the system overhead and tape utilization prohibitive. We wound up with an appliance based solution that is actually quite fast, but short of getting off tape altogether, I'm looking forward to LTO4.
>
> -Kent
Re: [Veritas-bu] Encrypting offsite tapes
On Tue, Nov 11, 2008 at 8:07 PM, oersted [EMAIL PROTECTED] wrote:
> Decru is OK, but if you do a non-encrypted restore through it, it's dog slow due to the fact they only dedicate 1/32 engine power to clear text restores.

What's a non-encrypted restore? A restore from an unencrypted tape? If so, we've never seen this alleged dog slow since *all* of our tapes are encrypted. What's the point of buying encryption appliances and writing clear-text tapes?

.../Ed

--
Ed Wilts, Mounds View, MN, USA [EMAIL PROTECTED]
If I've helped you, please make a donation to my favorite charity at http://firstgiving.com/edwilts