TravisJ
16 years ago
Solved

LTO 4 Encryption question

Hi all,

I am at a client site (NetBackup implementation guy here) and they brought up a question of the encryption of LTO 4 drives.  Here is the situation:

They currently back up their data via SDLT and they have a partner company they back up as well using DLT7000.  They are both in the same library and all is working ok.  I am here to give suggestions of hardware upgrades.  I would like to put in LTO 4 drives and use the built-in hardware encryption and NetBackup KMS.  These will be split in the new library virtually so they are each their own environments and completely separate.

The question they have is if they set up encryption on the partner's backup and then they separate ways, will they need to transfer the encryption over to the other client?  Will that risk their data, will they be able to set the keys to something new?

I have only installed this solution in environments where it was all or nothing.

Thanks in advance, let me know what other data is needed to answer this question. 


Travis
  • Just separate the main/partner company backups into different volume pools.

    You have to associate a key group with each volume pool.

    This will prevent a mixture of encryption keys/backups from different sources.

    Have a look at the Veritas NetBackup 6.5.2 Documentation Updates:
    ftp://exftpp.symantec.com/pub/support/products/NetBackup_Enterprise_Server/302438.pdf
    Refer to chapter 5, pages 143 through 186.
  • Keep in mind that the free KMS included in NBU 6.5.2 (and higher) is limited to two key groups and a maximum of ten encryption keys per key group.

    In other words, you can only create two volume pools that use LTO-4 hardware-based encryption, and each volume pool can only have a maximum of ten encryption keys.  Each pool can have one "active" key (which is the key used to encrypt backups).  The other keys in the pool would be in various other states such as "prelive", "inactive", "deprecated", and "terminated".

    If you need more than two volume pools that use LTO-4 hardware-based encryption, or more than ten encryption keys per pool, you can purchase the Key Management Server component that is used by the NetBackup Media Server Encryption Option (MSEO).
  • Thanks for the comments!  I kind of assumed that this was the case, but wanted to check with people that had already used it to make sure!