Forum Discussion

camus
Level 3
15 years ago

Netbackup OpenStorage

Hi Guys. A customer wants to use a Data Domain DD530 Appliance as a VTL and deduplication option. He wants to know if NBU can encrypt and manage encryption in this appliance without the MSEO or NBU...
  • John_Stockard
    15 years ago
    No, KMS is not going to work to encrypt the data in the Data Domain's virtual tape drives.  No VTL emulates LTO-4 drives well enough to also support hardware-based encryption.

    And again, putting encrypted data into a Data Domain appliance makes no sense.  The reason to buy a Data Domain appliance in the first place is because of the data de-duplication benefits.  If the data is encrypted before it gets into the Data Domain, all of the data de-duplication benefits are lost.  Encrypted data is almost completely random from the Data Domain's perspective, and thus it won't be able to de-duplicate any of it.

    Additionally, Data Domain appliances appear to have no facility for encrypting data at rest in their disks (based on a quick browse through their website).  If Data Domain has added this functionality to a recent version of their OS, they certainly haven't made it publicly announced on their website.  The customer can try asking their Data Domain sales rep about this, though.  In any case, neither the NetBackup KMS software nor the NetBackup OpenStorage API will be able to manage the encryption keys inside the Data Domain if the Data Domain has the ability to perform encryption-at-rest.

    If the customer has a requirement for encrypting their backup-to-disk data, they would be better off doing one of the following:
    • Send their backups to a traditional disk array in conjunction with client-side NetBackup encryption (which is free these days with every NetBackup Standard Client license)
    • Send their backups to a traditional disk array in conjunction with some form of SAN-based encryption appliance such as a Decru DataFort or certain models of Brocade SAN switches
    • Send their backups to a different brand of traditional non-de-duplicating VTL that can do its own encryption-at-rest.

    Note that the NetBackup KMS software will not be able to manage the encryption keys used by a Decru DataFort or any form of VTL.  The NetBackup OpenStorage API is also not going to be able to manage any of these encryption keys.

    The NetBackup MSEO software can (in theory) provide encryption if the data is being sent to a VTL (since the MSEO software doesn't rely on hardware-based encryption in the tape drive), but the customer would encounter a performance hit on their NetBackup media servers.  But if they do this with their Data Domain appliances, we get back to my first point -- putting encrypted data into an appliance that performs data de-duplication defeats the point of buying an appliance that does data de-duplication.
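
The de-duplication point made in the answer above, as an added example that is not part of the original thread: it measures the de-duplication ratio of the same nightly backups stored in plaintext and stored after encryption upstream of the de-duplicating store. The fixed 4 KiB chunk size, the SHA-256 counter-mode keystream (a stand-in for a real cipher, used only to keep the example dependency-free), the fresh nonce per backup job, and the backup data itself are all constructed assumptions.

```python
import hashlib
import os

CHUNK = 4096  # assumed fixed-size dedup segment; real appliances may segment differently

def keystream_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode). Illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)

def dedup_ratio(streams) -> float:
    """Logical bytes written divided by unique chunk bytes actually stored."""
    seen, logical, stored = set(), 0, 0
    for stream in streams:
        for off in range(0, len(stream), CHUNK):
            chunk = stream[off:off + CHUNK]
            logical += len(chunk)
            digest = hashlib.sha256(chunk).digest()
            if digest not in seen:  # only never-seen chunks consume disk
                seen.add(digest)
                stored += len(chunk)
    return logical / stored

def make_backups(nights=5, chunks=64, changed=2):
    """Constructed sample: nightly full backups where only a few chunks change."""
    base = bytearray(os.urandom(chunks * CHUNK))
    backups = []
    for night in range(nights):
        for i in range(changed):
            off = ((night * changed + i) % chunks) * CHUNK
            base[off:off + CHUNK] = os.urandom(CHUNK)
        backups.append(bytes(base))
    return backups

def compare(nights=5):
    """Return (plaintext ratio, encrypted ratio) for the same backup set."""
    plain = make_backups(nights)
    key = os.urandom(32)
    # Assumption: each backup job is encrypted with a fresh random nonce.
    encrypted = [keystream_encrypt(b, key, os.urandom(16)) for b in plain]
    return dedup_ratio(plain), dedup_ratio(encrypted)

if __name__ == "__main__":
    p, e = compare()
    print(f"plaintext: {p:.2f}x  encrypted before dedup: {e:.2f}x")
```

With these constructed inputs the plaintext backups store 72 unique chunks for 320 written, while the encrypted copies store every chunk.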