
Selecting a key for hardware encryption?

TKHC
Level 2

I'm a little confused by the settings inside BE when it comes to hardware encryption. If you select that option, BE forces you to specify an encryption key from its own key inventory. My tape libraries/drives already have encryption keys which they manage separately/internally, so I don't quite see the point to selecting Hardware Encryption in BE and then designating a key from there.

So long as encryption is enabled on the tape devices, my understanding is that the hardware encryption will be performed regardless of the setting in BE. Would the correct settings then be to enable hardware compression (if desired) in BE and leave the encryption setting at None? Thoughts?

5 REPLIES 5

Larry_Fine
Moderator
   VIP   

> If you select that option, BE forces you to specify an encryption key from its own key inventory.

This method is called AME, Application Managed Encryption.

> My tape libraries/drives already have encryption keys which they manage separately/internally

The method is called LME, Library Managed Encryption.

> So long as encryption is enabled on the tape devices, my understanding is that the hardware encryption will be performed regardless of the setting in BE.

Correct.  A proper LME configuration should make the tape drives appear to be incapable of performing encryption to BE, in order to prevent double encrypting.

What do your tape drive properties in BE show for "supports hardware encryption"?  Hopefully a "no" when using LME.

Here is a link to more info: http://www.veritas.com/docs/000033524

 

TKHC
Level 2

They show yes for supports hardware encryption. I think I'm going to actually opt for the extra flexibility of AME versus LME.

Larry_Fine
Moderator
   VIP   

What tape library are you using?  IMHO, they have a poor LME implementation if the tape drives report that they support encryption.

TKHC
Level 2

It's a Spectra Logic library. LME doesn't seem that daunting but AME will be more flexible since BE can house more than one key (unlike the library) and I can easily have jobs with and without encryption without configuring new partitions (encrypted and non-encrypted) on the library.

kf2013
Moderator
   VIP   

I suggest using AME, as you can easily restore on a different backup server and a different brand of library.