10-07-2013 04:12 AM
Was surprised to see only selected devices make model were enlisted under HCL for KMS.
We have Oracle SL 500 and wanted to leverage encryption with NBU KMS. Is it true?
Also pls confirm where do we need to verify if SL 500 is licensed for encryption use of LTO4 drives.
Solved! Go to Solution.
10-08-2013 02:24 AM
All LTO4 and newer support hardware encryption out of the box for free.
You just need to ensure - in some cases - the library has 3rd part encryption enabled as StefanosM mentioned earlier.
3rd part encryption mean, you do not want to use the vendor licensed encryption feature but a "other" solution. And this "other" is solution is NBU KMS.
Hope this clarify :)
02-18-2014 08:18 PM
concluding my queries and answers to it
KMS = NBU = No License Required (Complementary after NBU 7.x)
Encryption = Done by Tape Drive (H/W) = Encryption License required from Tape H/W vendor
Customer got it licensed from Vendor and is now using it
Generally Tape Vendors do have their own Key Management built in (again a licensed feature) However freedom of relying on Backup suites KMS is also given. Hence we can choose hybrid mode here (Encryption from Tape vendor and KMS from NBU)
10-07-2013 04:44 AM
KMS support is a tape drive attribute - not a library function.
The LTO tape drives in an Oracle/STK libraries are normally HP or IBM. Could also be Quantum.
So, check the Tape Drives section of the HCL. Find the manufacturer of the tape drives in your SL500 library.
10-07-2013 04:59 AM
Marianne is right.
Just to add that SL500 is not a Quantum library, so the drives are from IBM or HP (most probably).
You have to check the libraries’ documentation, how to enable the "inbound encryption" at the menu. Some libraries has to be activated (like IMB, without any cost) and some are already activated (like HPs)
10-07-2013 05:04 AM
No license needed for NBU KMS.
Some vendors sell a library encryption option. Oracle call it "StorageTek Crypto Key Management system". But NBU KMS is drive encryption.Netbackup KMS control encryption via SCSI commands.
10-07-2013 08:20 AM
does tape library requires license from tape drive vendor for enabling encryption feature on tape drives?
How to verify which tape drives are available , i mean IBM or HP in SL500. Can tpconf help here?
10-07-2013 08:42 AM
No - as per Nicolai's post - no license is needed to enable KMS in NBU.
You can use commands such as 'scan -tape' or 'tpautoconf -t' to see drive details.
10-07-2013 10:07 AM
seems my interpretation went wrong here marianne.
I remember KMS is complimentary with NBU, license requirement is highlighted from Tape vendor for tape H/W drives to perform encryption at H/W level.
Just needed clarification on this. Is it common across all vendors to get it licensed for activating features although drives are capable of performing encryption as per generation.
Thanx for syntax
10-07-2013 10:46 AM
If you want to use the libraries' specific KMS server, you must have a license from the library vendor. The KMS server (separate software at most cases) is communicating with the library and share the keys threw IP.
Netbackup use its own KMS server, which is free, and communicates with the drive directly, threw SCSI (FC).
You do not need a separate license from the library vendor to use netbackup KMS. You must only check the appropriate (if any -library specific) option from the libraries' menu.
10-08-2013 02:24 AM
All LTO4 and newer support hardware encryption out of the box for free.
You just need to ensure - in some cases - the library has 3rd part encryption enabled as StefanosM mentioned earlier.
3rd part encryption mean, you do not want to use the vendor licensed encryption feature but a "other" solution. And this "other" is solution is NBU KMS.
Hope this clarify :)
10-08-2013 08:28 AM
just re-phrasing query again.
we would be leveraging NBU KMS (which is complimentary of course)
Did asked our tape vendor if it can be used instead of H/W KMS which all tape library (tape drives) has.
For H/W encryption to work needed clarification does SL500 requires license from Sun/Oracle
if not then how to verify Tape drives are encryption enabled and we can move ahead with KMS deployment.
Hope above was pretty clear for understanding
10-08-2013 11:47 AM
If you need to know how to verify KMS encryption, have a look at this discussion:
https://www-secure.symantec.com/connect/forums/verify-kms-encryption-netbackup-75
10-09-2013 09:11 AM
Then give it a try! LTO4 with T10 what you need to look for...nothing to do with robot, he just shifts media about: the encryption is straight down the scsi pipe - tho some robots tell you they are encrypting eg HP 8048 panel. I have that plus SL500, I dont recall seeing SL500 admin gui telling me its encrypting but nevertheless both use LTO4 (HP in one, IBM in the other) , both T10, both encrypt and both can decrpyt eachothers media.
Jim
02-18-2014 08:18 PM
concluding my queries and answers to it
KMS = NBU = No License Required (Complementary after NBU 7.x)
Encryption = Done by Tape Drive (H/W) = Encryption License required from Tape H/W vendor
Customer got it licensed from Vendor and is now using it
Generally Tape Vendors do have their own Key Management built in (again a licensed feature) However freedom of relying on Backup suites KMS is also given. Hence we can choose hybrid mode here (Encryption from Tape vendor and KMS from NBU)
02-18-2014 08:39 PM
Interesting....
You simply repeat what Nicolai has told you and then mark your own post as solution....
Nice one!
02-19-2014 01:21 AM