Michal_Mikulik1
3 years ago

switching HW encryption on/off when tapes are partially full


Just want to know if somebody has the same experience (it is about HP library LTO7 HW encryption, but it probably does not matter):

- When you switch HW encryption from on to off, Active/Full media with encrypted images cannot be read/written, ending with "error reading header block" and set to Frozen state. That's expected.

- When you switch it from off to on, partially full (=Active, and HW unencrypted) tapes cannot serve for writing additional images. A new job writing attempt ends with "could not write tape mark to begin new image" and the tape is set to Frozen, too. That was a bit unexpected to me, since I thought that a tape can start with unencrypted images and go on with encrypted images from some point. But it seems encryption is on tape level and not image level.

Does somebody have any comments on this topic?



  • I assume that you use HP KMS and not NetBackup KMS.

    The encryption is hardware encryption and the encryption hardware is part of the tape drive. So the encryption is at tape level. You cannot switch encryption on and off and append backups on the same tape. You have to split your tapes into encrypted and unencrypted.

    I do not see the reason to write both encrypted and unencrypted backups to a tape. If you really need this, the only option you have is to use software encryption, which will slow down your backups and is not recommended.

    In fact I do not see the reason to do unencrypted backups.

  • All that Stefanos said ...

    I would say this makes sense.

    > - when you switch HW encryption from on to off, Active/Full media with encrypted images cannot be read/written, ending with "error reading header block" and set to Frozen state.

    NetBackup cannot read the encrypted backup images header, nor can it retrieve the encryption key because the key is controlled by the library. If you want encryption granularity on tape volume group, you need to switch to NBU KMS. NBU KMS works great and is easy to configure - just remember to save the encryption key in a safe place.


    • Michal_Mikulik1

      Thanks for the answers. My intention is not to mix both unencrypted and encrypted backups on tapes; the question was targeting a situation where you implement HW encryption on a system which has already been running as unencrypted for some time.



      • StefanosM
        Then the answer is simple.
        You need new or free tapes (all backups on the tape are expired).