Forum Discussion

zmlat
Level 4
4 years ago

Question on NetBackup and Hardware Tape Encryption

Hello.

I recently had to supply "proof" that all backups on tape are encrypted. Since we are using HW encryption, I assumed getting that from the tape library configuration (Quantum i6). However, that shows encryption being disabled on all drives. I then ran an "images on tape" report for a few arbitrary tapes and saw that the Encryption column was "yes" and the "Encryption key" was populated. So I know that the data is encrypted. I do not have the "Encrypt" attribute turned on, on any policies. So the question is: who is encrypting the data on tape? Quantum is telling me it has to be NB since their admin console shows encryption disabled. I suspect the "disabled" may refer to the Key Management since we do not use Quantum's key management... we use NB KMS (but I did not want to argue with the engineer). When I researched this on the Veritas site, I get directed to the Security and Encryption Guide, which outlines how to set up KMS. The section on Encryption options points me back to Quantum since I am using "Third-party encryption appliances and hardware devices".

Any insights on this would be appreciated.

  • Hi zmlat

    You are using hardware encryption directly in the tape drives. Most modern tape drives (since LTO4) support native hardware encryption. To utilise this, when writing to the tape something has to tell the drive to use this and supply an encryption key. 

    The Quantum tape library can do this independently (and invisibly) to NetBackup - but typically you would not want to do that and as you have indicated this has been disabled on the library. Disabling the library controlled encryption does not prevent the tape drives from using their native encryption capability.

    NetBackup when writing to tapes in an ENCR_* pool does the necessary setup and key management (interacting with the KMS system) directly to the tape drive to enable the native hardware encryption (remember NetBackup is writing directly to the tape drive, the library is only being used to position media in drives). 

    Hope that clears things up further.

    Cheers
    David

  • Hi zmlat

    If you are using NetBackup KMS encryption, then firstly you must have NetBackup KMS running (you can check that the process nbkms is running and you have a KMS database and keys files on the master server).  Listing the keys you have is accomplished by running the command "nbkmsutil -listkeys -all". For tapes, when using KMS, the tape will be encrypted using the native tape drive encryption (most modern tape drives support this feature), when writing a backup to a tape pool starting with ENCR_<pool> (where ENCR_<pool> is also a keygroup within KMS). 
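    As an added illustration of the checks David describes (not code from the original thread or from Veritas), the script below cross-checks a list of ENCR_* volume pools against a KMS key listing and reports any pool that has no matching key group, no Active key, or more than one Active key. The listing text is a constructed sample whose field layout is an assumption; adapt `parse_listing` to the real `nbkmsutil -listkeys -all` output from your master server before relying on it.

    ```python
    """Audit helper: do all ENCR_* volume pools have a usable KMS key group?

    Added example, not Veritas code. The listing format below is a constructed
    approximation of `nbkmsutil -listkeys -all` output (assumption); the real
    output on the master server may differ and the parser must be adapted.
    """
    import re
    from collections import defaultdict

    # Constructed sample: volume pool names as collected from the media server.
    VOLUME_POOLS = ["NetBackup", "ENCR_Offsite", "ENCR_Daily", "ENCR_Legacy"]

    # Constructed sample key listing (field layout assumed, see docstring).
    KMS_LISTING = """\
    Key Group Name        : ENCR_Offsite
    Supported Cipher      : AES_256
    Key Name              : offsite-key-2
    Current State         : Active

    Key Group Name        : ENCR_Offsite
    Supported Cipher      : AES_256
    Key Name              : offsite-key-1
    Current State         : Deprecated

    Key Group Name        : ENCR_Daily
    Supported Cipher      : AES_256
    Key Name              : daily-key-1
    Current State         : Active

    Key Group Name        : ENCR_Daily
    Supported Cipher      : AES_256
    Key Name              : daily-key-0
    Current State         : Inactive
    """


    def parse_listing(text):
        """Return {key_group: [(key_name, state), ...]} from a key listing.

        Records are separated by blank lines; each record is 'Field : value'.
        """
        groups = defaultdict(list)
        for block in re.split(r"\n\s*\n", text.strip()):
            fields = {}
            for line in block.splitlines():
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
            if "Key Group Name" in fields:
                groups[fields["Key Group Name"]].append(
                    (fields.get("Key Name", ""), fields.get("Current State", ""))
                )
        return dict(groups)


    def audit_pools(pools, groups):
        """Map each ENCR_* pool to 'ok', 'no-keygroup', 'no-active-key'
        or 'multiple-active-keys'. Non-ENCR_ pools are not encrypted by KMS
        and are skipped."""
        report = {}
        for pool in pools:
            if not pool.startswith("ENCR_"):
                continue
            keys = groups.get(pool)
            if keys is None:
                report[pool] = "no-keygroup"
                continue
            active = [name for name, state in keys if state.lower() == "active"]
            if not active:
                report[pool] = "no-active-key"
            elif len(active) > 1:
                report[pool] = "multiple-active-keys"
            else:
                report[pool] = "ok"
        return report


    if __name__ == "__main__":
        for pool, status in audit_pools(VOLUME_POOLS, parse_listing(KMS_LISTING)).items():
            print(f"{pool}: {status}")
    ```

    In the sample, ENCR_Legacy has no key group at all, so any backup written to it would fail rather than be silently written in the clear; that is the kind of mismatch an auditor will ask about, and it is cheaper to find it with a check like this than during a restore.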

    Hope this helps
    David

    •
      zmlat
      Level 4

      Thanks for the replies.

      I had actually used the article Marianne posted (option 2) to appease the auditors. Nicolai, I actually have 2 backup copies of the keys :-) . I've been using KMS for years now, so I'm fairly confident the images are encrypted (mph999, I didn't think about performing that as a test). The question arose from the tape vendor (Quantum) since he's telling me "hardware encryption is disabled" in the library. I should also note that when I do a restore, the library management GUI flags the tape as encrypted.

      I'm trying to get a better understanding of who does the encryption since I do not have "encrypt" turned on in the policies (I presume that would be "software encryption") in the event I am questioned about the "encryption disabled" setting in the library for each drive. I'm thinking that NB KMS is driving the tape drive (i.e., hardware) encryption and the library software is not aware.


  • One option to prove that tapes are encrypted is to rotate the current KMS encryption key to deprecated and perform a restore, which will for sure fail (status code 85). Then rotate the key back into its original state, and show that the restore can be performed again. This is option 3 in the tech note Marianne pointed to.

    Off topic, zmlat: you should check and see if backup of KMS is enabled, and that the backup destination is available when the NetBackup server is a pile of ash. Just friendly advice :-)


  • Even easier way to test, just stop kms process and try a restore ....