Information Technology Navigator - Tips, Advice & Insights from Technology Pros


Tape Encryption and Key Management Utilities

Author: Brenden Doyle, Senior Consultant

There are a few different ways on the market today to encrypt backup tapes, using either software or hardware solutions. One thing they all have in common is that they need a key management solution to manage the encryption keys.

Some key management solutions are considered “in band” solutions, such as the KMS feature of NetBackup, where the Master server can manage the keys for encryption-capable tape drives. Other key management solutions are considered “out of band” solutions, such as Q-EKM and SKM from Quantum. Both of these out of band solutions use a specific key management appliance to supply encryption keys directly to the tape drives themselves. Each of these solutions is also proprietary to the drive type it supports: Q-EKM is used for IBM drives and SKM is used for HP drives. This can be a bit confusing and needs to be considered when adding additional sites to an existing backup configuration. For instance, if you are set up with IBM drives using Q-EKM for key management, you are tied into the IBM drive technology if you want to swap tapes between the sites.

Another issue to be considered is NDMP backups, as direct NDMP configurations pose a problem when using “in band” key management utilities. (Note: by “direct NDMP backups” I mean when a tape drive is directly connected to a filer.) This poses an issue for the NetBackup Media Server Encryption Option. Since it uses a tape driver on the media server to do the encryption, there is no way for it to encrypt a backup being written by the NDMP appliance. This also poses an issue for the KMS “in band” key management feature, as it has no way to request a key from the Master server when the drive is directly attached to the filer. For an environment with many large filers, “out of band” key management utilities will allow you to keep the direct NDMP backup architecture in place with its high performance tape writes. An “in band” key management utility might require a swap to a remote NDMP architecture, where the data will first travel over the network to a backup server before it gets written to tape. This will be a significant degradation in performance, and that won’t be acceptable to the end user.

To summarize, keep in mind the key management utility in use and match it when adding new tape drives or libraries to an existing configuration. Keep in mind that NDMP direct attached backups might need a different key management utility and that the best way to preserve the direct attached architecture is to use an “out of band” key management appliance.

Comments

A minor correction to Brendan's article here. While the article is correct about the Media Server Encryption Option it is wrong in respect of NetBackup's integrated KMS for SCSI T10 spec drives. KMS does work with local NDMP. The drives receive the commands to use encryption and the key from the NBU media server (which gets the key from the master). When tape drives are connected directly to a filer, NBU sends SCSI commands and the key via NDMP to the filer, which then passes them (referred to as SCSI pass-thru) to the tape drive. As long as the filer supports SSO (indicated on the NetBackup compatibility lists), this is not an issue either.
Posted @ Friday, June 24, 2011 2:12 AM by Alex Davies
Thanks for the additional clarification.
Posted @ Friday, June 24, 2011 9:32 AM by Blog Administrator