Forum Discussion

TapeDude's avatar
TapeDude
Level 3
6 years ago

Duplicating a hardware encrypted tape to an unencrypted tape

I have an LTO5 tape that has been backed up with hardware encryption. It has a variety of different types of backup sessions (flat files, MS SQL servers, MS Exchange) and I've been given the passphrase, so I've re-created the key and can pull off the flat files without any issue. The client has asked me to create an unencrypted version of the tape (they wish to use various 3rd party tools to extract the SQL and MS Exchange backups), and I've tried doing this with the duplication function, but I can't get it to work.

I have a second tape drive in which I've mounted a freshly erased and labelled LTO5. When I try duplicating the original sessions from the encrypted tape onto it, I'm given the option of types of encryption (I chose none) but BE is switching on hardware encryption on the target drive anyway. This is regardless of whether I use DirectCopy, or choose to actually have encryption (which then gives me the option of choosing which key to use).

Any ideas? Is there some option or other hidden deep in the bowels of BE that's telling it to encrypt everything it writes to tape by default?

  • You should be able to run a "duplicate job" for each backup set on the tape that you wish to replicate.  There is not a "single button" solution, that I know of, to replicate a whole tape with a bunch of different backup sets on it.  In the "Duplicate Job" options, you can specify what encryption you want, including "none".

    Yes, there is a default option for "backup to tape" jobs, along with default options for all the other job types.  But that just sets a default, not a rule, so when you create each new job you can override the default.

    Is your source a physical LTO5 tape cartridge?  If you don't have an appropriate VTL, then the "enable DirectCopy to tape" option has no effect and the job log should say "disabled".

    Is your job log for the duplication job showing that encryption is happening?  or how are you determining the destination tape is getting encrypted?

     

    Job Operation - Duplicate
    Backup Options
    Media operation - Append to media, overwrite if no appendable media is available.
    
    Compression Type: Hardware [if available, otherwise none]
    
    Encryption Type: None
    
    DirectCopy to tape: Disabled
    • TapeDude's avatar
      TapeDude
      Level 3

      Thanks for the reply.

      Yes, I'm copying from a physical LTO5, and writing out to a physical LTO5 drive/tape.

      But the dialog box I get doesn't automatically disable the DirectCopy option. It allows me to tick it or not tick it:

       

      BE does allow me to select multiple backup sets to duplicate to tape, but even when I try to do them one at a time it's still encrypting them. I know this because i) the output drive's blue "encryption" light comes on, and ii) because when I try to read the tape with other tools the drive returns an error as soon as it hits the first encrypted area (incidentally, if anyone knows a straightforward way to find the raw 32 byte (256-bit AES) encryption keys generated by BE from a passphrase, that would allow me to use other tools to duplicate the tape).

      When I try to duplicate the sessions to disk file(s), and then look at the properties for those backup sessions, they're marked as "encrypted" too.

      • TapeDude's avatar
        TapeDude
        Level 3

        Oh! And before anyone suggests the "export database keys" function, that just exports the encryption keys used to encrypt the database, not the keys stored in the database used for backup/restore!