Forum Discussion

camus
Level 3
15 years ago

Netbackup OpenStorage

Hi Guys
A customer wants to use a Data Domain DD530 Appliance as a VTL and deduplication option. He wants to know if NBU can encrypt and manage encryption in this appliance without the MSEO or NBU client encryption; would it be necessary to use the NBU OST option to achieve this?
Thank you for your help 

  • No, KMS is not going to work to encrypt the data in the Data Domain's virtual tape drives.  No VTL emulates LTO-4 drives well enough to also support hardware-based encryption.

    And again, putting encrypted data into a Data Domain appliance makes no sense.  The reason to buy a Data Domain appliance in the first place is because of the data de-duplication benefits.  If the data is encrypted before it gets into the Data Domain, all of the data de-duplication benefits are lost.  Encrypted data is almost completely random from the Data Domain's perspective, and thus it won't be able to de-duplicate any of it.

    Additionally, Data Domain appliances appear to have no facility for encrypting data at rest in their disks (based on a quick browse through their website).  If Data Domain has added this functionality to a recent version of their OS, they certainly haven't made it publicly announced on their website.  The customer can try asking their Data Domain sales rep about this, though.  In any case, neither the NetBackup KMS software or the NetBackup OpenStorage API will be able to manage the encryption keys inside the Data Domain if the Data Domain has the ability to perform encryption-at-rest.

    If the customer has a requirement for encrypting their backup-to-disk data, they would be better off doing one of the following:
    • Send their backups to a traditional disk array in conjunction with client-side NetBackup encryption (which is free these days with every NetBackup Standard Client license)
    • Send their backups to a traditional disk array in conjunction with some form of SAN-based encryption appliance such as a Decru DataFort or certain models of Brocade SAN switches
    • Send their backups to a different brand of traditional non-de-duplicating VTL that can do its own encryption-at-rest.

    Note that the NetBackup KMS software will not be able to manage the encryption keys used by a Decru DataFort or any form of VTL.  The NetBackup OpenStorage API is also not going to be able to manage any of these encryption keys.

    The NetBackup MSEO software can (in theory) provide encryption if the data is being sent to a VTL (since the MSEO software doesn't rely on hardware-based encryption in the tape drive), but the customer would encounter a performance hit on their NetBackup media servers.  But if they do this with their Data Domain appliances, we get back to my first point -- putting encrypted data into an appliance that performs data de-duplication defeats the point of buying an appliance that does data de-duplication.
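The point about encrypted data defeating de-duplication can be shown with a small simulation. This is an added example, not code from the thread or from any vendor: it builds two constructed backup generations, measures the dedup ratio a fixed-block engine would see, then repeats the measurement after encrypting each backup before ingest. It assumes fixed 4 KiB blocks and uses a keyed-hash counter keystream as a stand-in for a real cipher; real appliances use variable-length chunking, but the outcome is the same.

```python
import hashlib
import os

CHUNK = 4096  # fixed-block dedup granularity assumed for this illustration


def make_backup(n_blocks: int, changed: set) -> bytes:
    """Constructed backup image: n_blocks deterministic 4 KiB blocks.
    Blocks whose index is in `changed` get new content, modelling the
    few files that differ between two nightly full backups."""
    out = bytearray()
    for i in range(n_blocks):
        tag = b"v2" if i in changed else b"v1"
        seed = hashlib.sha256(b"block-%d-" % i + tag).digest()
        out += seed * (CHUNK // len(seed))
    return bytes(out)


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keyed-hash counter-mode keystream XOR; an illustration only, not a
    production cipher. Like any sound client-side scheme it uses a fresh
    nonce per backup, which is exactly why identical plaintext blocks in
    two backups produce unrelated ciphertext."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def dedup_ratio(streams) -> float:
    """Logical bytes written divided by bytes actually stored when every
    block is fingerprinted and duplicates are kept only once."""
    logical = 0
    unique = {}
    for s in streams:
        for i in range(0, len(s), CHUNK):
            blk = s[i:i + CHUNK]
            logical += len(blk)
            unique.setdefault(hashlib.sha256(blk).digest(), len(blk))
    return logical / sum(unique.values())


def compare(n_blocks: int = 64, n_changed: int = 4):
    """Return (plaintext ratio, encrypted-before-ingest ratio)."""
    day1 = make_backup(n_blocks, set())
    day2 = make_backup(n_blocks, set(range(n_changed)))
    key = os.urandom(32)
    enc = [toy_encrypt(key, os.urandom(16), d) for d in (day1, day2)]
    return dedup_ratio([day1, day2]), dedup_ratio(enc)


if __name__ == "__main__":
    p, e = compare()
    print(f"plaintext: {p:.2f}x  encrypted before ingest: {e:.2f}x")
```

With 64 blocks and 4 changed, the plaintext pair stores 68 unique blocks for 128 written (about 1.88x), while the encrypted pair stores all 128 (1.00x), so the appliance gives back nothing for its dedup engine.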

5 Replies

  • NBU can only manage its own encryption (i.e. MSEO/Client Encryption/KMS for LTO4/T10k drives).

    As far as I know, hardware encryption does its job transparently to NBU, so what kind of encryption management does your customer want from NBU?

    As per the 6.5.4 documentation and my personal OST experience, there is no third-party encryption management framework in NBU except what I pointed out above.
  • What kind of encryption is the customer trying to do?

    If they want to put encrypted data into their Data Domain appliances, they should be strongly advised against this.  Data that is already compressed and/or encrypted is not going to de-duplicate at all, and will probably end up consuming slightly more space in the Data Domain appliances than they expect.

    If the customer is talking about using encryption when replicating data between Data Domain appliances over the LAN, they have to configure this manually using the Data Domain's web-based GUI.  NetBackup has no control or knowledge of this.

    If the customer is talking about using hardware-based encryption when sending data from the Data Domain directly to tape (in other words, they're using the Data Domains as VTLs and they also have a physical tape library directly connected to the Data Domain), they have to use the encryption key management solution provided by the tape library vendor.  The NetBackup MSEO/KMS solutions will not work in this scenario since the tape library is not connected directly to a NetBackup media server.  I know that IBM, Quantum, and Sun each have their own key management appliances/software packages for managing the encryption keys used in their tape drives.
  • Thank you all. What the customer wants is a function similar to KMS for tapes, but for Data Domain Appliances. He is expecting that NBU encrypts the data in the DD Appliance. According to your opinions this cannot be done; the data can be encrypted in the DD App but without the knowledge of NBU. Right?

  • Ok, it's now clear for me, Thank you so much for your help.