Tape Encryption and Key Management Utilities

Posted by Ned Fairweather

Fri, Nov 12, 2010

There are a few different ways to encrypt backup tapes on the market today using software solutions and hardware solutions. One thing they all have in common is that they all need a key management solution to manage the encryption keys.

Some key management solutions are considered “in band”, such as the KMS feature of NetBackup, where the Master server manages the keys for encryption-capable tape drives. Others are considered “out of band”, such as Q-EKM and SKM from Quantum. Both of these out of band solutions use a dedicated key management appliance to supply encryption keys directly to the tape drives themselves. Each of these solutions is also proprietary to the drive type it supports: Q-EKM is used for IBM drives and SKM is used for HP drives. This can be a bit confusing and needs to be considered when adding additional sites to an existing backup configuration. For instance, if you are set up with IBM drives using Q-EKM for key management, you are tied to IBM drive technology if you want to swap tapes between the sites.

Another issue to consider is NDMP backups, as direct NDMP configurations pose a problem when using “in band” key management utilities. (Note: by “direct NDMP backups” I mean configurations where a tape drive is directly connected to a filer.) This is a problem for the NetBackup Media Server Encryption Option: since it uses a tape driver on the media server to do the encryption, it has no way to encrypt a backup being written by the NDMP appliance. It is also a problem for the KMS “in band” key management feature, which has no way to request a key from the Master server when the drive is directly attached to the filer. For an environment with many large filers, “out of band” key management utilities let you keep the direct NDMP backup architecture in place with its high-performance tape writes. An “in band” key management utility might require a switch to a remote NDMP architecture, where the data first travels over the network to a backup server before it is written to tape. That is a significant degradation in performance, and it won’t be acceptable to the end user.

To summarize, keep in mind the key management utility in use and match it when adding new tape drives or libraries to an existing configuration. Remember that NDMP direct attached backups might need a different key management utility, and that the best way to preserve the direct attached architecture is to use an “out of band” key management appliance.
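A constructed Python check, added here and not part of the original post or any vendor tool, that encodes the three constraints discussed above (appliance matched to drive vendor, direct NDMP incompatible with in-band key management, and tape swaps between sites needing the same drive type and key manager) and flags sites that break them. The `kms`, vendor and NDMP labels are assumptions made for this example.

```python
"""Constructed inventory check for the tape key management rules in this post.

Assumed labels: kms is "netbackup-kms" or "mseo" (in band) or "q-ekm" / "skm"
(out-of-band appliances); drive_vendor is "ibm" or "hp"; ndmp is "direct",
"remote" or None.
"""
from dataclasses import dataclass, field
from typing import List, Optional

IN_BAND = {"netbackup-kms", "mseo"}
# From the post: Q-EKM serves IBM drives, SKM serves HP drives.
APPLIANCE_VENDOR = {"q-ekm": "ibm", "skm": "hp"}

@dataclass
class Site:
    name: str
    drive_vendor: str
    kms: str
    ndmp: Optional[str] = None
    swaps_tapes_with: List[str] = field(default_factory=list)

def check_site(site: Site) -> List[str]:
    """Per-site rules: appliance/drive match and direct NDMP vs in-band."""
    issues = []
    expected = APPLIANCE_VENDOR.get(site.kms)
    if expected and expected != site.drive_vendor:
        issues.append(f"{site.name}: {site.kms} manages {expected} drives, "
                      f"site has {site.drive_vendor} drives")
    if site.ndmp == "direct" and site.kms in IN_BAND:
        issues.append(f"{site.name}: direct NDMP (drive on the filer) cannot use "
                      f"in-band {site.kms}; use an out-of-band appliance or remote NDMP")
    return issues

def check_config(sites: List[Site]) -> List[str]:
    """All per-site issues plus cross-site tape swap compatibility."""
    by_name = {s.name: s for s in sites}
    issues = []
    for s in sites:
        issues += check_site(s)
        for other in (by_name[n] for n in s.swaps_tapes_with):
            if other.drive_vendor != s.drive_vendor or other.kms != s.kms:
                issues.append(f"{s.name}<->{other.name}: tape swap needs the same drive "
                              f"type and key manager ({s.drive_vendor}/{s.kms} vs "
                              f"{other.drive_vendor}/{other.kms})")
    return issues

# Constructed sample inventory: one clean site, three that break a rule.
SAMPLE = [
    Site("dc1", "ibm", "q-ekm", ndmp="direct", swaps_tapes_with=["dr"]),
    Site("dr", "hp", "skm"),
    Site("branch", "ibm", "netbackup-kms", ndmp="direct"),
    Site("lab", "hp", "q-ekm"),
]

if __name__ == "__main__":
    for line in check_config(SAMPLE):
        print(line)
```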