Alex_Zn
13 years ago
Solved

Hardware encryption

I need to set up hardware encryption on an MSL2024. In the HP document I see the procedure for creating key tokens, and all key management is performed through the library. But in the BE admin guide I see that it is possible to set up key management through Backup Exec.

1. What steps do I need to correctly set up encryption?

2. If I enable encryption on the library, do I need some workaround on the BE server?

 

  • If it's a supported tape unit with encryption, you can set up the keys within BackupExec, and it will toggle the encryption key upon writing data, and pass the key to it for the encryption engine.

    Alternatively, you do not have to use BackupExec at all.  You can enter the key in the library console and do all key management that way.  This way is almost foolproof, though more cumbersome.

    The BackupExec method is easier to manage, but again, it has to be a tested and supported library, which most HP MSL units are...

     

  • 1) Check that your tape drive supports hardware encryption. LTO4 and LTO5 do, but not LTO3 and below.

    2) Go to Tools --> Options ---> Network and Security to set up your encryption keys.  Make sure that you remember your passphrase.  Once the data is encrypted, you cannot decrypt the data without the passphrase and there is no way to retrieve a lost passphrase.

    3) In your job properties, under Network and Security, select the encryption key to use to encrypt the data and specify hardware encryption.

  • Do I need to keep the key token constantly attached to perform backup/restore operations? Or do I need it just for restore?

    In the vendor documentation I see that the keys are needed for read but not for write.

  • When you use the library's key management function, you are responsible for decrypting the tape before the data is passed to BE.  BE will not know that the tape is encrypted.  When you use the encrypted tape on another tape drive/library, that device must be capable of decrypting the tape before it can be used by BE.

    If you use the BE encryption feature and you use the encrypted tape on another tape drive/library or another media server, you would be prompted for the BE encryption pass phrase if it is not present.