02-02-2023 03:32 AM
We have an NBU 220.127.116.11 master server on RHEL with Flex 5250 appliances as media servers.
We are refreshing our tape library hardware with an IBM TS4500 library with TS1160 drives.
We would like to enable tape storage encryption via NetBackup.
On the IBM library, we have 2 options:
1. Application managed encryption (AME), i.e. NetBackup generates and manages the encryption policies and keys.
2. Library managed encryption (LME), encryption transparent to the backup software, i.e. NetBackup.
Does NetBackup support both methods? Do we have any documentation around this?
Does anyone have experience setting this up?
02-02-2023 03:55 AM
NetBackup can work with both options. The difference is who is responsible for the encryption keys.
With the first option (application managed encryption) you have to set up and configure the NetBackup KMS option (free) on the NetBackup primary server and create new volume pools whose names start with the ENCR_ prefix.
And you can enable or disable encryption depending on the destination pool.
Check the NetBackup Security and Encryption manual.
With the second option (library managed encryption) you have to set up and configure the IBM KMS server (not free).
The tape drive(s) you configure in the IBM KMS server will always encrypt the data.
02-02-2023 05:06 AM
You should go for NBU KMS in my view.
Using NBU KMS allows you to change libraries without being bound to the library. If using library managed encryption, you are bound to the library.
Just think of a catastrophic disaster where the library is gone. With NBU KMS you can use any LTO tape drive with the same form factor to start restoring. That is not the case with LME.
Configuring NBU KMS is simple and straightforward. Considering how to manage the encryption phrases and keep them safe is an important part of the task.
02-02-2023 05:33 AM
I guess the final option should be a security team decision, not a backup team decision.
02-02-2023 06:31 AM
Maybe, if such a team exists. It will be a backup team problem to re-establish the backup/restore service, so they should have a say in creating the disaster recovery plan for their area.
Also remember to configure the KMS backup routine, and the location of those backups should of course not be on devices encrypted by KMS. Else you have a catch-22.
02-06-2023 06:12 AM
If you use NetBackup KMS...
How to set it up is contained in the Security and Encryption Guide; it is pretty easy to get it working if you read through carefully.
What you MUST do is back the keys up (it cannot be done automatically), and then test restoring them and prove that you can still restore.
I have seen multiple cases where this was not done and the result is you can't get your data; Veritas has no 'back door'. The manuals cover how to do this.
Encryption is easy, it's the key management that will spoil your day.
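The two replies above (the KMS backup routine that must not land on KMS-encrypted media, and the advice to back the keys up and prove they restore) are the kind of thing that gets scripted once and then forgotten, so here is an added example of such a routine. It is not code from this thread or from Veritas; it is a POSIX shell script that quiesces the KMS database, copies the database and key files to a timestamped directory with SHA-256 sums, unquiesces, and offers a verify function you can run from the restore-test side. It assumes the standard nbkmsutil location (/usr/openv/netbackup/bin/admincmd), the default KMS file locations under /usr/openv/kms (KMS_DATA.dat, KMS_HMKF.dat, KMS_KPKF.dat) and that your release documents nbkmsutil -quiescedb / -unquiescedb; check all three against the Security and Encryption Guide for your version. BACKUP_ROOT is a hypothetical path and must be on disk that is not itself written to an ENCR_ pool.

```shell
#!/bin/sh
# Added example, not from the thread or from Veritas: back up the NetBackup
# KMS database and key files to a location that does not depend on KMS.
#
# Assumptions (verify against your release's Security and Encryption Guide):
#   - nbkmsutil is at /usr/openv/netbackup/bin/admincmd/nbkmsutil
#   - KMS files are /usr/openv/kms/db/KMS_DATA.dat,
#     /usr/openv/kms/key/KMS_HMKF.dat and /usr/openv/kms/key/KMS_KPKF.dat
#   - nbkmsutil supports -quiescedb and -unquiescedb
# All three can be overridden through the environment (useful for a dry run).

NBKMSUTIL="${NBKMSUTIL:-/usr/openv/netbackup/bin/admincmd/nbkmsutil}"
KMS_ROOT="${KMS_ROOT:-/usr/openv/kms}"
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/nbu-kms}"   # hypothetical; never on an ENCR_ pool

# Copy the KMS database and both key files into a fresh timestamped directory
# and record SHA-256 sums. Prints the directory path on success, returns
# non-zero on any failure. The database is always unquiesced again, even if
# a copy step fails, so a broken backup run cannot leave KMS frozen.
kms_backup() {
    dest="$BACKUP_ROOT/kms-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dest" || return 1
    chmod 700 "$dest"
    "$NBKMSUTIL" -quiescedb >/dev/null 2>&1 || return 1
    rc=0
    for f in "$KMS_ROOT/db/KMS_DATA.dat" \
             "$KMS_ROOT/key/KMS_HMKF.dat" \
             "$KMS_ROOT/key/KMS_KPKF.dat"; do
        if [ ! -f "$f" ]; then rc=1; break; fi
        cp -p "$f" "$dest/" || { rc=1; break; }
    done
    "$NBKMSUTIL" -unquiescedb >/dev/null 2>&1 || rc=1
    [ "$rc" -eq 0 ] || return 1
    ( cd "$dest" && sha256sum KMS_DATA.dat KMS_HMKF.dat KMS_KPKF.dat > SHA256SUMS ) || return 1
    chmod 400 "$dest"/*
    printf '%s\n' "$dest"
}

# Check that a backup directory still holds all three files with the sums
# recorded at backup time. Run this from wherever you would restore from,
# not only on the primary server, so a corrupted copy is found before a disaster.
kms_verify() {
    d="$1"
    [ -f "$d/SHA256SUMS" ] || return 1
    [ -f "$d/KMS_DATA.dat" ] && [ -f "$d/KMS_HMKF.dat" ] && [ -f "$d/KMS_KPKF.dat" ] || return 1
    ( cd "$d" && sha256sum -c SHA256SUMS ) >/dev/null 2>&1
}

# Usage (e.g. from cron on the primary server, then copy $dir off-box):
#   dir=$(kms_backup) && kms_verify "$dir" && echo "KMS backup OK: $dir"
```

The checksum file is what makes the restore test meaningful: a backup you copied but never verified is the catch-22 the thread warns about, just delayed until the day you need it. Keeping the KMS passphrase that protects these files in a separate place from the files themselves (a different vault or safe than the media) is a design choice this script deliberately leaves to you.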