05-17-2016 02:42 PM
I'm a little confused by the settings inside BE when it comes to hardware encryption. If you select that option, BE forces you to specify an encryption key from its own key inventory. My tape libraries/drives already have encryption keys which they manage separately/internally, so I don't quite see the point to selecting Hardware Encryption in BE and then designating a key from there.
So long as encryption is enabled on the tape devices, my understanding is that the hardware encryption will be performed regardless of the setting in BE. Would the correct settings then be to enable hardware compression (if desired) in BE and leave the encryption setting at None? Thoughts?
05-17-2016 03:36 PM
> If you select that option, BE forces you to specify an encryption key from its own key inventory.
This method is called AME, Application Managed Encryption.
> My tape libraries/drives already have encryption keys which they manage separately/internally
This method is called LME, Library Managed Encryption.
> So long as encryption is enabled on the tape devices, my understanding is that the hardware encryption will be performed regardless of the setting in BE.
Correct. A proper LME configuration should make the tape drives appear to be incapable of performing encryption to BE, in order to prevent double encrypting.
What do your tape drive properties in BE show for "supports hardware encryption"? Hopefully a "no" when using LME.
Here is a link to more info: http://www.veritas.com/docs/000033524
05-18-2016 02:56 PM
They show yes for supports hardware encryption. I think I'm going to actually opt for the extra flexibility of AME versus LME.
05-19-2016 11:39 AM
What tape library are you using? IMHO, they have a poor LME implementation if the tape drives report that they support encryption.
05-19-2016 12:02 PM
It's a Spectra Logic library. LME doesn't seem that daunting but AME will be more flexible since BE can house more than one key (unlike the library) and I can easily have jobs with and without encryption without configuring new partitions (encrypted and non-encrypted) on the library.
05-19-2016 07:13 PM
I suggest using AME, as you can easily restore on a different backup server and a different brand of library.