
Client, MSEO and TL encryption

gopi_enovate
Level 4

Hi,

NBU version: 7.6.1
We are using client encryption for most of our servers.

I am aware that client encryption enabled in the policy consumes more CPU on the client and takes a long time to complete the backup.

Per https://www-secure.symantec.com/connect/forums/encryption-key-check

 

5TB file server is backed up using client encryption to pure disk dedupe.
As expected,

With encryption in policy enabled,
7/27/2015 5:10:23 AM - Info ebu-f15.hq.local(pid=3512) StorageServer=PureDisk:ebu-f14.hq.local; Report=PDDO Stats for (ebu-f15.hq.local): scanned: 5954499632 KB, CR sent: 5953568857 KB, CR sent over FC: 0 KB, dedup: 0.0%, cache hits: 0 (0.0%)
7/27/2015 5:10:33 AM - Info bpbkar32(pid=7712) bpbkar waited 2844 times for empty buffer, delayed 170637 times.

With encryption in policy disabled,
7/19/2015 7:40:24 AM - Info ebu-f15.hq.local(pid=16320) StorageServer=PureDisk:ebu-f14.hq.local; Report=PDDO Stats (multi-threaded stream used) for (pfg-bu4.pfg-hq.local): scanned: 5596394508 KB, CR sent: 30214477 KB, CR sent over FC: 0 KB, dedup: 99.5%, cache hits: 1636389 (3.4%), rebased: 97060 (0.2%)
7/19/2015 7:40:30 AM - end writing; write time: 31:35:18

The difference in dedupe is large with and without encryption enabled.

Moreover, each LTO6 tape (hardware compression is enabled) consumed around 3.9TB for data without encryption. Only 2.4TB is consumed per tape with encryption enabled. I believe hardware compression doesn't work well with encrypted data.


I believe if MSEO is enabled, the amount of storage consumed by tape won't change much. However, PureDisk dedupe may work as expected.
 

Which is the best way of using encryption? We don't have a requirement to encrypt data before the tapes leave the datacenter.
Is TL encryption the best way to save space? I believe it starts to encrypt the data after compressing it.


sdo
Moderator
Partner    VIP    Certified

Client side encryption really is only required if your customer has deep concerns around packet sniffing on networks.

The first thing to remember, is that anyone with admin privs on any computer of any type (Windows, Linux, Unix, OpenVMS) on any network... can always, always, sniff *all* (and I do mean all) broadcast traffic within any subnet on any NIC that they are connected to.  Sounds scary, huh?

Let's also remember that NetBackup Client backup traffic is point to point and, AFAIK, very little about NetBackup is 'broadcast' based - i.e. all NetBackup Client data traffic is routed by LAN switches from MAC address to MAC address, i.e. from LAN switch port (client side) to LAN switch port (media server/storage side).

So, how would one go about sniffing NetBackup Client backup data traffic... well, you'd need admin access to LAN switches - or you need physical access to the wires/cables to drop a tap on to the network cabling.

Or - if, for your point-to-point links between cities/sites/buildings/offices, you do not have your own crypto devices at each end - and so you cannot trust the physical network - then... yes, implement client side encryption.

.

If none of the above is an actual genuine concern - then most sites opt for encryption at rest - i.e. encrypt within disk pools - either advanced disk, or MSDP can easily do encryption at rest - and so can LTO4/5/6 as it is very easy in NetBackup KMS.

.

If you can't trust your MAN or WAN (Metropolitan Area Network / Wide Area Network) carrier, and you have NetBackup MSDP at 'sites' and are using AIR to replicate from site to site, then you could use MSDP optdup_encryption, and therefore possibly no need for client side encryption - because the MSDP traffic would be encrypted... by MSDP.

.

My advice... before considering any technical and/or performance aspects... perhaps ask around at your business/site/customer, and try to find out why use of client side encryption is so widespread.  Why was the decision made?  What was the justification?  Who championed the push for CE?  Have the original concerns evaporated?  Find out why client encryption is in place, otherwise you might just end up fighting (what you think is just a technical battle - but is in fact a cultural battle) that you can never win.

sdo
Moderator
Partner    VIP    Certified

If you encrypt client side, then any data at rest cannot be compressed.  MSDP by default attempts to compress, as does LTO1/2/3/4/5/6.  So, if you have widespread use of client side encryption, you will most likely not be achieving any de-dupe within MSDP or any other OST vendor - in which case why even bother with MSDP or OST, and just use Advanced Disk or plain disk instead which would most likely be notably faster.  Also, client side encryption will mean that you will very likely be using more tape than most other customers experience.

gopi_enovate
Level 4

Thanks for the detailed reply Martin.

The client's requirement is not to send non-encrypted data outside the datacenter. No client is being backed up from a different datacenter, which makes client side encryption void.

 

We would like to use either MSDP or KMS. MSDP does dedupe; will it allow compression in the tape with the encrypted data?

KMS does encrypt the data from the media server before writing to tape. Assuming the compression ratio of the tape library is high for non-encrypted data, how will it work for encrypted data from MSDP or KMS?

 

sdo
Moderator
Partner    VIP    Certified

Hi Gopi - if you take the following 'A' actions:

A1) Disable client side encryption

A2) Enable MSDP encryption at rest

A3) Enable NetBackup KMS

...then the following 'R' results will happen:

R1) Backup data sent from client to media server/storage server will not be encrypted (nor will it be compressed).

R2) At the media server, as and when the non-encrypted backup data is received from the client, then MSDP will first finger-print match for de-duplication, and then compress (in RAM), and then encrypt (in RAM) just before it writes to disk within MSDP - therefore backup data is encrypted at rest.  This point of encryption at rest does not use NetBackup KMS.  What happens is that MSDP will have created its own internal encryption keys which cannot be manipulated, changed, or viewed by backup admins.

R3) When the backup data is duplicated to tape by the media server, MSDP will read encrypted data from MSDP disk, decrypt it, decompress it, and then write plain full-fat backup data down to the LTO4/5/6 tape drive.

R4) At the LTO4/5/6 tape drive, the tape drive head itself will then re-compress (in RAM within the tape drive) and then re-encrypt (within RAM inside the tape drive) just before the backup data is written to tape.

R5) The result is that backup data is neither compressed nor encrypted 'in flight' (from client to server, server to tape) i.e. backup data is plain when travelling across the LAN or SAN or SAS or SCSI bus... but instead backup data is always compressed and then encrypted before landing at rest upon a storage medium (i.e. MSDP disk, or LTO4/5/6 tape).

R6) The overall result is, best use of MSDP disk capacity, and best use of tape capacity.  Failed disks from MSDP media servers (or appliances) can be safely recycled with hardware vendor/support because they contain encrypted backup data which cannot be scavenged.  Tapes can be safely stored off-site because they contain encrypted data which cannot be read by anyone else who does not have the NetBackup KMS encryption keys.

HTH.
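As an added illustration of the A1-A3/R1-R6 pipeline above, and of the 0.0% vs 99.5% dedupe and 2.4TB vs 3.9TB per-tape figures in the original post (this is example code written for this thread, not code from the forum or from NetBackup): a small Python simulation of two nightly jobs of one file server, comparing policy-level client encryption against plain data fed to an MSDP-style store (fingerprint match, then compress, then encrypt at rest) and to an LTO head that compresses before it encrypts. The 4096-byte segment size, the 32-file dataset and the SHA-256 keystream cipher are constructed stand-ins, not NetBackup's real values or algorithms.

```python
import hashlib, os, zlib

SEGMENT = 4096  # fingerprinting segment size for this simulation (assumption)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher (SHA-256 keystream) standing in for AES: stdlib only,
    and like real ciphertext it neither compresses nor matches across jobs."""
    out = bytearray()
    for ctr in range(len(data) // 32 + 1):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def build_backup(day: int, changed: set) -> bytes:
    """Constructed 'file server': 32 text files; only `changed` ones differ by day."""
    return b"".join("".join(f"file{i:03d} record {n} day{day if i in changed else 0} lorem\n"
                            for n in range(200)).encode() for i in range(32))

class DedupeStore:
    """MSDP-style pool: fingerprint match, then compress, then encrypt at rest (R2)."""
    def __init__(self):
        self.key = os.urandom(32)  # internal key; admins never see it
        self.segments = {}         # fingerprint -> (nonce, ciphertext) on disk

    def ingest(self, stream: bytes) -> float:
        """Store one job; return the fraction of its segments already present."""
        seen = dup = 0
        for off in range(0, len(stream), SEGMENT):
            seg = stream[off:off + SEGMENT]
            fp = hashlib.sha256(seg).digest()
            seen += 1
            if fp in self.segments:
                dup += 1
                continue
            nonce = os.urandom(16)
            self.segments[fp] = (nonce, keystream_xor(self.key, nonce, zlib.compress(seg)))
        return dup / seen

def run(client_side_encryption: bool) -> dict:
    """Two nightly jobs of one file server; files 3 and 7 change on day 2."""
    store, client_key, logical = DedupeStore(), os.urandom(32), 0
    for day, changed in ((1, set()), (2, {3, 7})):
        stream = build_backup(day, changed)
        logical += len(stream)
        if client_side_encryption:  # policy CE: fresh IV per job, so identical
            stream = keystream_xor(client_key, os.urandom(16), stream)  # files never repeat
        dedupe = store.ingest(stream)
    on_disk = sum(len(ct) for _, ct in store.segments.values())
    return {"day2_dedupe": dedupe, "disk_ratio": on_disk / logical,
            "tape_ratio": len(zlib.compress(stream)) / len(stream)}  # LTO compresses, then encrypts
```

`run(False)` reports day-2 dedupe above 90% and disk/tape ratios well below 1, while `run(True)` reports 0% dedupe and ratios slightly above 1, which is the same pattern as the PDDO stats and tape capacities quoted in the original post.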

gopi_enovate
Level 4

Thanks!
Per our reply, neither MSDP encryption nor Netbackup KMS won't work with hardware encryption in the tape unit.

I believe Netbackup will initiate the encryption in the tape drive in Netbackup KMS as well. But does Netbackup take care of compression of data before encrypting it?

With Netbackup managing the key to encrypt and decrypt data, can the data be restored from different vendor tape units?

sdo
Moderator
Partner    VIP    Certified

Your statements marked Sn), and my replies marked Rn)...

S1) Per our reply, neither MSDP encryption nor Netbackup KMS won't work with hardware encryption in the tape unit.

R1) Apologies, but it's not easy to understand this statement.  MSDP and KMS encrypt at rest, i.e. they encrypt as they write, and decrypt as they read - usually any data entering or leaving either MSDP or KMS is not already compressed, nor already encrypted.  NetBackup KMS does enable/leverage SCSI T10 extensions which facilitate encryption/decryption at the tape write/read head (i.e. at the little bit of magnetic material which touches the physical tape).

.

S2) I believe Netbackup will initiate the encryption in the tape drive in Netbackup KMS as well. But does Netbackup take care of compression of data before encrypting it?

R2) With NetBackup MSDP, it usually defaults to compressing data at rest (but you can disable this if you really want to), but does not usually default to encryption at rest (but you can enable this if you want to).  LTO4/5/6 will usually always compress at the tape head (and it would be difficult to disable this), and usually do not encrypt at the tape head (but you can leverage SCSI T10 encryption by using NetBackup KMS).  This is why backup admins usually only use client side compression or client side encryption when they really really have to - but also take into consideration the performance and capacity impact of doing so.

.

S3) With Netbackup managing the key to encrypt and decrypt data, can the data be restored from different vendor tape units?

R3) Yes, this is usually 99.99% true.  If the tape drive is LTO4/5/6 then it is highly likely that all tape drives from all vendors (of LTO4/5/6) support SCSI T10 operations - i.e. you should be able to read/write any LTO4 media on any LTO4 drive, any LTO5 media on any LTO5 drive, and any LTO6 media on any LTO6 drive.  Also, each LTO generation will read/write its own generation, and read/write one generation prior, and read (not write) two generations prior.  Media from three or more generations prior cannot be read or written.  However, always perform a detailed check of the vendor documentation.

.

You cannot mix encryption, i.e. if you encrypt a tape using MSEO or robotic encryption (e.g. HP encryption dongle) then you cannot use NetBackup KMS to decrypt it.