Forum Discussion

zmlat's avatar
zmlat
Level 4
4 years ago

Question on NetBackup and Hardware Tape Encryption

Hello. I recently had to supply "proof" that all backups on tape are encrypted. Since we are using HW encryption, I assumed getting that from the Tape library configuration (Quantum i6). However, th...
8.1.2
Encryption
Linux
  • davidmoline's avatar
    davidmoline
    4 years ago

    HI zmlat 

    You are using hardware encryption directly in the tape drives. Most modern tape drives (since LTO4) support native hardware encryption. To utilise this, when writing to the tape something has to tell the drive to use this and supply an encryption key. 

    The Quantum tape library can do this independantly (an invisibly) to NetBackup - but typically you would not want to do that and as you have indicated this has been disabled on the library. Disabling the library controlled encryption does not prevent the tape drives from using their native encryption capabity.

    NetBackup when writing to tapes in an ENCR_* pool does the necessary setup and key management (interacting with the KMS system) directly to the tape drive to enable the native hardware encryption (remember NetBackup is writing directly to the tape drive, the library is only being used to position media in drives). 

    Hope that clears things up further.

    Cheers
    David

davidmoline's avatar
davidmoline
Level 6

HI zmlat 

If you are using NetBackup KMS encryption, then firstly you must have NetBackup KMS running (you can check that the process nbkms is running and you have a KMS database and keys files on the master server).  Listing the keys you have is accomplished by running the command "nbkmsutil -listkeys -all". For tapes, when using KMS, the tape will be encrypted using the native tape drive encryption (most modern tape drives support this feature), when writing a backup to a tape pool starting with ENCR_<pool> (where ENCR_<pool> is also a keygroup within KMS). 

Hope this helps
David

zmlat's avatar
zmlat
Level 4
4 years ago

Thanks for the replies.

I had actually used the article Marianne posted (option 2) to appease the auitors. Nicolai  actually have 2 backup copies of the keys :-) . I've been using KMS for years now, so I'm fairly confident the images are encrypted ( mph999 didn't think about performing that as a test). The question arose from the tape vendor (Quantum) since he's telling me "hardware encryption is disabled" in the library. I should also note, that when I do a restore, the library management GUI flags the tape as encrypted.

I'm trying to get a better understanding of who does the encryption since I do not have "encrypt" turned on in the policies (I presume that would be "software encryption") in the event I am questions about the "encryption disabled" setting in the library for each drive. I'm thinking that NB KMS is driving the tape drive (ie., hardware) encryption and the library software is not aware.

 

  • davidmoline's avatar
    davidmoline
    Level 6
    4 years ago

    HI zmlat 

    You are using hardware encryption directly in the tape drives. Most modern tape drives (since LTO4) support native hardware encryption. To utilise this, when writing to the tape something has to tell the drive to use this and supply an encryption key. 

    The Quantum tape library can do this independantly (an invisibly) to NetBackup - but typically you would not want to do that and as you have indicated this has been disabled on the library. Disabling the library controlled encryption does not prevent the tape drives from using their native encryption capabity.

    NetBackup when writing to tapes in an ENCR_* pool does the necessary setup and key management (interacting with the KMS system) directly to the tape drive to enable the native hardware encryption (remember NetBackup is writing directly to the tape drive, the library is only being used to position media in drives). 

    Hope that clears things up further.

    Cheers
    David

    • zmlat's avatar
      zmlat
      Level 4
      4 years ago

      Thanks!

      Thats what I was looking for.