Question on NetBackup and Hardware Tape Encryption
Hello.
I recently had to supply "proof" that all backups on tape are encrypted. Since we are using HW encryption, I assumed getting that from the tape library configuration (Quantum i6). However, that shows encryption being disabled on all drives. I then ran an "images on tape" report for a few arbitrary tapes and saw that the "Encryption" column was "yes" and the "Encryption key" was populated. So I know that the data is encrypted. I do not have the "Encrypt" attribute turned on on any policies. So the question is: who is encrypting the data on tape? Quantum is telling me it has to be NB since their admin console shows encryption disabled. I suspect the "disabled" may refer to the key management since we do not use Quantum's key management...we use NB KMS (but I did not want to argue with the engineer). When I researched this on the Veritas site, I get directed to the Security and Encryption Guide, which outlines how to set up KMS. The section on encryption options points me back to Quantum since I am using "Third-party encryption appliances and hardware devices".
Any insights on this would be appreciated.
Hi zmlat
You are using hardware encryption directly in the tape drives. Most modern tape drives (since LTO4) support native hardware encryption. To utilise this, when writing to the tape something has to tell the drive to use this and supply an encryption key.
The Quantum tape library can do this independently (and invisibly) to NetBackup - but typically you would not want to do that, and as you have indicated this has been disabled on the library. Disabling the library-controlled encryption does not prevent the tape drives from using their native encryption capability.
NetBackup, when writing to tapes in an ENCR_* pool, does the necessary setup and key management (interacting with the KMS system) directly with the tape drive to enable the native hardware encryption (remember NetBackup is writing directly to the tape drive; the library is only being used to position media in drives).
Hope that clears things up further.
Cheers
David
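For the "proof" the original question asks for, an audit over an exported images-on-tape report is one way to show it. The following is an added example, not code from the thread, NetBackup or Quantum; the CSV column names and media IDs are constructed assumptions, and the only rule taken from the answer above is that tapes in an ENCR_* volume pool are the ones NetBackup hardware-encrypts via KMS.

```python
"""Audit constructed NetBackup 'images on tape'-style rows for encryption coverage."""
import csv
import io

# Constructed sample export. Column names are assumptions, not NetBackup's exact
# report headers; the yes/no Encryption value and key field mirror the thread.
SAMPLE_REPORT = """\
Media ID,Volume Pool,Encryption,Encryption Key
A00001,ENCR_Daily,yes,kms:tag-0001
A00002,ENCR_Daily,yes,kms:tag-0001
A00003,Scratch_Weekly,no,
A00004,ENCR_Monthly,no,
A00005,ENCR_Monthly,yes,
"""

ENCR_PREFIX = "ENCR_"  # KMS-backed volume pool naming convention from the answer


def audit_rows(csv_text):
    """Return (compliant_media, findings) where findings maps media id -> reason."""
    findings = {}
    compliant = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        media = row["Media ID"].strip()
        pool = row["Volume Pool"].strip()
        encrypted = row["Encryption"].strip().lower() == "yes"
        key = row["Encryption Key"].strip()
        in_encr_pool = pool.startswith(ENCR_PREFIX)
        if not in_encr_pool and not encrypted:
            findings[media] = "written to a non-ENCR_ pool; data on tape is cleartext"
        elif in_encr_pool and not encrypted:
            findings[media] = "ENCR_ pool but Encryption=no; drive encryption was not applied"
        elif encrypted and not key:
            findings[media] = "Encryption=yes but no key tag recorded; cannot tie to a KMS key"
        else:
            compliant.append(media)
    return compliant, findings


def all_tapes_encrypted(csv_text):
    """True only when every media row passes the audit."""
    return not audit_rows(csv_text)[1]


if __name__ == "__main__":
    ok, bad = audit_rows(SAMPLE_REPORT)
    print("compliant media:", ", ".join(ok))
    for media, reason in bad.items():
        print(f"{media}: {reason}")
```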