cancel
Showing results for 
Search instead for 
Did you mean: 

NBU KMS is supported to only selected devices

V4
Level 6
Partner Accredited

Was surprised to see only selected devices make model were enlisted under HCL for KMS.

 

We have Oracle SL 500 and wanted to leverage encryption with NBU KMS. Is it true?

 

Also pls confirm where do we need to verify if SL 500 is licensed for encryption use of LTO4 drives.

 

 

2 ACCEPTED SOLUTIONS

Accepted Solutions

Nicolai
Moderator
Moderator
Partner    VIP   

All LTO4 and newer support hardware encryption out of the box for free.

You just need to ensure - in some cases - the library has 3rd part encryption enabled as StefanosM mentioned earlier.

3rd part encryption mean, you do not want to use the vendor licensed encryption feature but a "other" solution. And this "other" is solution is NBU KMS.

Hope this clarify :)

View solution in original post

V4
Level 6
Partner Accredited

concluding my queries and answers to it

KMS = NBU = No License Required (Complementary after NBU 7.x)

Encryption = Done by Tape Drive (H/W) = Encryption License required from Tape H/W vendor

 

Customer got it licensed from Vendor and is now using it 

 

Generally Tape Vendors do have their own Key Management built in (again a licensed feature) However freedom of relying on Backup suites KMS is also given. Hence we can choose hybrid mode here (Encryption from Tape vendor and KMS from NBU)

 

View solution in original post

14 REPLIES 14

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

KMS support is a tape drive attribute - not a library function.

The LTO tape drives in an Oracle/STK libraries are normally HP or IBM. Could also be Quantum.
So, check the Tape Drives section of the HCL. Find the manufacturer of the tape drives in your SL500 library.

StefanosM
Level 6
Partner    VIP    Accredited Certified

Marianne is right.

Just to add that SL500 is not a Quantum library, so the drives are from IBM or HP (most probably).

You have to check the libraries’ documentation, how to enable the "inbound encryption" at the menu. Some libraries has to be activated (like IMB, without any cost) and some are already activated (like HPs)

Nicolai
Moderator
Moderator
Partner    VIP   

No license needed for NBU KMS.

Some vendors sell a library encryption option. Oracle call it "StorageTek Crypto Key Management system". But NBU KMS is drive encryption.Netbackup KMS control encryption via SCSI commands.

 

V4
Level 6
Partner Accredited

does tape library requires license from tape drive vendor for enabling encryption feature on tape drives?

How to verify which tape drives are available , i mean IBM or HP in SL500. Can tpconf help here?

 

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

No - as per Nicolai's post - no license is needed to enable KMS in NBU.

You can use commands such as 'scan -tape' or 'tpautoconf -t' to see drive details.

V4
Level 6
Partner Accredited

seems my interpretation went wrong here marianne.

I remember KMS is complimentary with NBU, license requirement is highlighted from Tape vendor for tape H/W drives to perform encryption at H/W level. 

Just needed clarification on this. Is it common across all vendors to get it licensed for activating features although drives are capable of performing encryption as per generation.

Thanx for syntax 

StefanosM
Level 6
Partner    VIP    Accredited Certified

If you want to use the libraries' specific KMS server, you must have a license from the library vendor. The KMS server (separate software at most cases) is communicating with the library and share the keys threw IP.

Netbackup use its own KMS server, which is free, and communicates with the drive directly, threw SCSI (FC).
You do not need a separate license from the library vendor to use netbackup KMS. You must only check the appropriate (if any -library specific) option from the libraries' menu.

Nicolai
Moderator
Moderator
Partner    VIP   

All LTO4 and newer support hardware encryption out of the box for free.

You just need to ensure - in some cases - the library has 3rd part encryption enabled as StefanosM mentioned earlier.

3rd part encryption mean, you do not want to use the vendor licensed encryption feature but a "other" solution. And this "other" is solution is NBU KMS.

Hope this clarify :)

V4
Level 6
Partner Accredited

just re-phrasing query again.

we would be leveraging NBU KMS (which is complimentary of course)

Did asked our tape vendor if it can be used instead of H/W KMS which all tape library (tape drives) has.

For H/W encryption to work needed clarification does SL500 requires license from Sun/Oracle

if not then how to verify Tape drives are encryption enabled and we can move ahead with KMS deployment.

Hope above was pretty clear for understanding

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

If you need to know how to verify KMS encryption, have a look at this discussion:

https://www-secure.symantec.com/connect/forums/verify-kms-encryption-netbackup-75

jim_dalton
Level 6

Then give it a try! LTO4 with T10 what you need to look for...nothing to do with robot, he just shifts media about: the encryption is straight down the scsi pipe - tho some robots tell you they are encrypting eg HP 8048 panel. I have that plus SL500, I dont recall seeing SL500 admin gui telling me its encrypting but nevertheless both use LTO4 (HP in one, IBM in the other) , both T10, both encrypt and both can decrpyt eachothers media.

Jim 

V4
Level 6
Partner Accredited

concluding my queries and answers to it

KMS = NBU = No License Required (Complementary after NBU 7.x)

Encryption = Done by Tape Drive (H/W) = Encryption License required from Tape H/W vendor

 

Customer got it licensed from Vendor and is now using it 

 

Generally Tape Vendors do have their own Key Management built in (again a licensed feature) However freedom of relying on Backup suites KMS is also given. Hence we can choose hybrid mode here (Encryption from Tape vendor and KMS from NBU)

 

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

Interesting....

You simply repeat what Nicolai has told you and then mark your own post as solution....
Nice one! indecision

V4
Level 6
Partner Accredited
Got it corrected marianne...nicolai was correct...