cancel
Showing results for 
Search instead for 
Did you mean: 

KMS Encryption with direct NDMP backups

alstarian
Level 3

Hi All,

There seems to be a confusion in the way I am encrypting my NDMP backups using KMS software encrytption

 using the article (https://www.veritas.com/support/en_US/article.TECH67972).

I had callled up netbackup support who helped me configure this and we verified this by looking at the images written to tape and in the "encryption key tag" coloum we could see the encyption key generated.

i am using LTO5 drives with my Tape libraray.

Now someone as informed me that KMS based software encrpytion is not supported for direct NDMP backups and I need hardware based solution to work?

The only reason I went for  the KMS encrpytion was because we did not want to spend on the hardware and since KMS was free and a part of the software as confirmed by the support technician I worked with.

Can someone please clarify this for me if i am using the correct way to encrypt my direct NDMP backups using the KMS procedure mentoined in the article above?

-A

1 ACCEPTED SOLUTION

Accepted Solutions

Nicolai
Moderator
Moderator
Partner    VIP   

If NDMP images has encryption key tags, you can be 100% sure encryption has taken place.

Neither client side encryption or media server encryption uses key tags. 

How to verify KMS encrypted the backup

http://www.veritas.com/docs/000006206

Alternative try option 3 in the tech note - that should for sure give you a status erro 85 upon restore.

 

View solution in original post

9 REPLIES 9

alstarian
Level 3

The last point that I was told that if my tape drives support the T10 encryption standard I could use them to encrypt my NDMP backups...

alstarian
Level 3

Going by this article.. I think KMS can be used for local NDMP backups as long as the drives support the T10 standard..

 

http://www.daymarksi.com/storage-navigator/bid/45926/Tape-Encryption-and-Key-Management-Utilities

alstarian
Level 3

Hi Areznik,

Thanks for your response on this, I am kinda curious that if KMS cant encrypt my local NDMP backups then when I search for my images on tape for ndmp backups (Reports --> tape reports --> images on tape) i see a encyrption key tag being generated.

If there was no way for the backup server to send the encryption keys then how can that key tag be generated?

 

encr.JPG

 

-A

areznik
Level 5

Hmm, I thought T10 was a reference to STK/Sun/Oracle T10K drives. Reading more about it, it looks like you're right and its a hardware encryption standard that's supported by Netbackup's KMS. Never heard of this before, sounds interesting. Hopefully someone else has experience with it and can tell us how it works. 

Ran across this link, maybe it will help you: https://www.veritas.com/support/en_US/article.HOWTO56305

alstarian
Level 3

Yea, I had ran this T10 test on my drives and that's how i confirmed that my drives support this standard.. and yea hopefully someone with greater knowledge about this can bail us out!

 

Nicolai
Moderator
Moderator
Partner    VIP   

If NDMP images has encryption key tags, you can be 100% sure encryption has taken place.

Neither client side encryption or media server encryption uses key tags. 

How to verify KMS encrypted the backup

http://www.veritas.com/docs/000006206

Alternative try option 3 in the tech note - that should for sure give you a status erro 85 upon restore.

 

mph999
Level 6
Employee Accredited

KMS is not sopftware encryption.

KMS is a key management service, the keys are passed to the tape drives, so KMS is effectively hardware encryption.

alstarian
Level 3

Thanks Nicolai for your perfect response, I did try the option 3 in that tech note and like u mentioned it failed without the keys being active and then when I re-activated it I was able to restore the data.

So now I know the encryption is indeed taking place!

areznik
Level 5

I don't think you can get Netbackup KMS to work with direct NDMP backups, where the drive is attached/zoned to the NAS filer. The reason is that KMS is a software encryption solution that is part of Netbackup, it has to take place on a Netbackup media server. When you do a NDMP backup to a direct attached tape drive, the data is going straight from the NAS filer to the tape drive without ever landing on the NetBackup server. Thus there is no chance to encrypt it before its sent to the drive. 

EDIT - I was wrong in the above statement, KMS is hardware encryption, not software. MSEO or policy level encryption is what i was thinking of. 

Now the so-called hardware encryption - this is just encryption that happens on the tape drive itself. It is done right before the data is physically written to tape, and Netbackup is mostly unaware that its happening. This kind of encryption would work with direct NDMP backups. The caveat as you probably already found out is that since Netbackup is not involved, you usually need another device known as the Key Management server to implement this kind of encryption scheme. This server acts a central key repository that hands out encryption keys to tape drives and keeps track of which tapes were encrypted with which keys so that you can do restores later. 

T10 is one type this kind of encryption, but since you have LTO5 drives, you would most likely be using LTO encryption. Several vendors out there have encryption solutions that can be used with LTO drives but often they will only work with that vendor's tape libraries. So if you're using IBM tape libraries you will most likely be stuck with IBM's TKLM and if you're on Oracle you will need their OKM solution.

I would recommend you to read up on this and contact the various vendors to find out what they are offering as a solution to this problem, then present the options to your management to see how they want to proceed.