Forum Discussion

2 years ago

NBU 9.x / 10.x Tape storage encryption with IBM ts4500 library

Dear Team
We have an NBU 9.1.0.1 master server on RHEL with Flex 5250 appliances as media servers.

We are refreshing our tape library hardware with an IBM TS4500 library with TS1160 drives.

We would like to enable tape storage encryption via NetBackup.

On the IBM library, we have 2 options:

1. Application managed encryption (AME), i.e. NetBackup generates and manages the encryption policies and keys.

2. Library managed encryption (LME), i.e. encryption transparent to the backup software (NetBackup).

Does NetBackup support both methods? Do we have any documentation around this?

Does anyone have experience setting this up?

  • NetBackup can work with both options. The difference is who is responsible for the encryption keys.

    With the first option (application managed encryption) you have to set up and configure the NetBackup KMS option (free) on the NetBackup primary server and create new volume pools whose names start with the ENCR_ prefix.
    You can then enable or disable encryption depending on the destination pool.
    Check the NetBackup Security and Encryption manual.

    With the second option (library managed encryption) you have to set up and configure the IBM KMS server (not free).
    The tape drive(s) you configure in the IBM KMS server will always encrypt the data.

  • If you use NetBackup KMS .....

    How to set it up is covered in the Security and Encryption Guide; it is pretty easy to get it working if you read through carefully.

    What you MUST do is back the keys up (it cannot be done automatically), and then test restoring them and prove that you can still restore.
    I have seen multiple cases where this was not done and the result is you can't get your data; Veritas has no 'back door'. The manuals cover how to do this.

    Encryption is easy, it's the key management that will spoil your day.


  • You should go for NBU KMS in my view.

    Using NBU KMS allows you to change library without being bound to the library. If you use library managed encryption, you are bound to the library.

    Just think of a catastrophic disaster where the library is gone. With NBU KMS you can use any LTO tape drive with the same form factor to start restoring. That is not the case with LME.

    Configuring NBU KMS is simple and straightforward. Considering how to manage the encryption passphrases and keep them safe is an important part of the task.

    Best Regards
    Nicolai


  • I guess the final option should be a security team decision, not a backup team decision.

    Regards

    M.

    •
      Nicolai
      Moderator

      Maybe, if such a team exists. It will be a backup team problem to re-establish the backup/restore service, so they should have a say in creating the disaster recovery plan for their area.

      Also remember to configure the KMS backup routine, and the location of those backups should of course not be on devices encrypted by KMS. Otherwise you have a catch-22.
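The points raised across this thread (ENCR_ volume pools selecting encryption, tapes being useless once the KMS key store is lost, and the KMS backup not belonging on KMS-encrypted media) as an added, runnable model; this is illustrative code written for this page, not NetBackup's own, and the KeyStore class, the SHA-256 counter-mode toy cipher that stands in for the drive's AES, the key-ID format and the pool names are all assumptions.

```python
import hashlib, hmac, secrets

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy XOR keystream (SHA-256 counter mode) standing in for the drive's AES."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class KeyStore:  # stands in for the NetBackup KMS database on the primary server (assumption)
    def __init__(self, keys=None):
        self.keys = dict(keys or {})               # key_id -> 32-byte key
        self.active = next(iter(self.keys), None)  # key used for new ENCR_ writes
    def create_key(self) -> str:
        kid = secrets.token_hex(4)
        self.keys[kid] = secrets.token_bytes(32)
        self.active = kid
        return kid
    def export(self, passphrase: str) -> bytes:
        """Passphrase-wrapped backup of the store: PBKDF2 wrap key, toy cipher, HMAC tag."""
        salt = secrets.token_bytes(16)
        wrap = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
        plain = "\n".join(f"{k}:{v.hex()}" for k, v in self.keys.items()).encode()
        body = salt + toy_cipher(wrap, plain)
        return body + hmac.new(wrap, body, "sha256").digest()
    @classmethod
    def restore(cls, blob: bytes, passphrase: str) -> "KeyStore":
        body, tag = blob[:-32], blob[-32:]
        wrap = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), body[:16], 100_000)
        if not hmac.compare_digest(tag, hmac.new(wrap, body, "sha256").digest()):
            raise ValueError("wrong passphrase or corrupted KMS backup")
        lines = toy_cipher(wrap, body[16:]).decode().splitlines()
        return cls({k: bytes.fromhex(v) for k, v in (ln.split(":") for ln in lines)})

def write_tape(store: KeyStore, pool: str, data: bytes) -> dict:
    """Only ENCR_ pools are encrypted; the tape records a key ID, never the key itself."""
    if not pool.startswith("ENCR_"):
        return {"pool": pool, "key_id": None, "payload": data}
    return {"pool": pool, "key_id": store.active, "payload": toy_cipher(store.keys[store.active], data)}

def read_tape(store: KeyStore, tape: dict) -> bytes:
    if tape["key_id"] is None:
        return tape["payload"]
    if tape["key_id"] not in store.keys:  # key store gone and no backup: data is unrecoverable
        raise KeyError(f"key {tape['key_id']} not in KMS")
    return toy_cipher(store.keys[tape["key_id"]], tape["payload"])

def can_restore(store: KeyStore, tape: dict) -> bool:
    try: read_tape(store, tape); return True
    except KeyError: return False
def kms_backup_is_safe(tape: dict) -> bool:  # the catch-22: KMS backup must not sit on a KMS-encrypted tape
    return tape["key_id"] is None
```

Running the sample flow shows a fresh (empty) KeyStore cannot read an ENCR_ tape, while a store rebuilt from the passphrase-wrapped export can, and that an export written to an ENCR_ pool fails the catch-22 check.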