
Native Tape Library based Encryption Vs. Symantec KMS; Need some clarifications...

symanuser
Level 4

Hi all,

I would like to know whether it is possible to encrypt backups (NDMP backups) if there is encryption support built in to the tape library (i.e. hardware-based encryption) WITHOUT using Symantec Key Management System (KMS)?

If we are not to use Symantec KMS, how should we manage encryption keys? Is it directly from the tape library GUI?

What advantages would Symantec KMS give in managing encryption keys?

Can we use hardware-based encryption on all LTO4, LTO5 & LTO6 tapes, provided that we have the respective tape drives with adequate licenses?

Finally, what are the versions of Symantec that support KMS?


Thank you in advance :)


mph999
Level 6
Employee Accredited

If the library is capable of encryption, then KMS is not required; check with the library vendor.

NDMP backups could be encrypted, yes.

If the library can do encryption, then keys would be managed from the library.

KMS is simply another way of managing keys - you may find it easier than using the library.

LTO4 and above support encryption.

For NBU KMS version info, check the compatibility guide. NBU 7.0 and above.

pkh
Moderator

If you use LME (library managed encryption) then an application like NBU has nothing to do with the encryption/decryption of the data. This can be a disadvantage in a DR situation. For example, you are using a HP drive at your data centre, but you are provided with a Dell drive at your DR site. You might find that it is impossible to provide the key to decrypt your data at the DR site. Each vendor has its own way of providing the key. For HP drives, you can buy a pair of similar USB dongles. Lose these dongles and there is no way to decrypt your data. If you use AME (application managed encryption) then you just need to provide the encryption key to the application, like NBU, to decrypt the data.

mph999
Level 6
Employee Accredited

As I was taught ...

Encryption is easy, it's the key management that gets you ...

symanuser
Level 4

Hi Guys,

We have TS3200 tape library with Transparent LTO Encryption licenses. We also have Symantec NetBackup 7.5 running in our environment. Our requirement is to encrypt NDMP backups which are triggered from NAS filers.


So, if my understanding is correct it is like this...



Our first option would be to use the keys provided with the tape library to encrypt the NDMP backups. That way Symantec KMS is not needed (required) and managing the keys should be done from the tape library web interface.


Option two would be to use Symantec KMS to manage encryption keys. That way I would be able to import the keys into the tape library, or else I would be able to provide keys, either via auto-generation or by manual means, to the tape library to do the encryption. That way, Symantec KMS makes management of keys and rotation of keys easier.

Please correct me, if I am wrong.


Finally, there is a question on how to protect the keys, assuming that we are using Symantec KMS to manage our keys. Will a catalog backup include the keys we used for hardware-based (library-based) encryption? Or is there any other way that we can use to back up the keys that we used for encryption?


Thank you in advance.


mph999
Level 6
Employee Accredited

I would agree with your summary.

KMS allows auto-generation or generation via pass-phrase. You cannot supply your own keys.

You can back up the DB files that store the keys, so this is fine for DR - this is all covered in the Security and Encryption guide (quiesce the DB first, then back up the files).

It is recommended to use a pass phrase to generate the keys; this way, even if they are lost, if you use the same pass phrase you can regenerate the same keys. Auto generation does not allow this, so if you lose the keys, you are in a lot of trouble.


symanuser
Level 4

Hi mph999,

According to what you have mentioned, if we back up the key database files then we can recover from a disaster. I mean, suppose we lost our Symantec NetBackup Master and Media server for some reason. If we have been using pass phrases to generate keys then, after reinstalling the same NB software, we can regenerate the same keys so that we can decrypt whatever backups we had encrypted before.

Alternatively, we can achieve the same if we can restore the NB key database files after reinstalling NB on a server.

Please confirm; I mean, kindly correct me if I am wrong.


Thank you.


mph999
Level 6
Employee Accredited

Yes, that is correct.

You can back up the DB files and restore them (to a non-encrypted pool of course) or regenerate the same keys by using the pass-phrase option.

M
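The two recovery paths mph999 describes in this thread, restoring backed-up key DB files or regenerating keys from the same pass phrase, as an added example. This is constructed illustration code, not NetBackup's KMS or its key format; the PBKDF2 derivation, the fixed salt and the JSON key-store layout are assumptions made for the demo.

```python
import hashlib
import json
import secrets

# Constructed stand-in for a KMS key store ({key name: key bytes}). It is
# not NetBackup's KMS database format or algorithm; it only models the two
# recovery paths from the thread: restore the backed-up DB, or regenerate
# from a passphrase. Salt and iteration count are assumed demo values.
KDF_SALT = b"tape-kms-demo"
KDF_ITERATIONS = 100_000


def key_from_passphrase(passphrase: str) -> bytes:
    """Passphrase-generated key: PBKDF2-HMAC-SHA256 with a fixed salt, so the
    same passphrase always yields the same 256-bit key and a lost key can be
    regenerated as long as the passphrase is remembered."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), KDF_SALT, KDF_ITERATIONS)


def key_auto_generated() -> bytes:
    """Auto-generated key: 256 random bits, impossible to reproduce once lost."""
    return secrets.token_bytes(32)


def backup_key_store(store: dict) -> str:
    """Serialize the key store: the 'DB files' backup mph999 recommends."""
    return json.dumps({name: key.hex() for name, key in store.items()})


def restore_key_store(backup: str) -> dict:
    return {name: bytes.fromhex(h) for name, h in json.loads(backup).items()}


def recover_keys(wanted, backup=None, passphrases=None):
    """Simulate DR after the master server and its live key store are gone.
    Returns {name: key or None}: a key comes back if it is in the backup or
    if its passphrase is known; an auto-generated key with no backup is lost,
    and so are the tapes it protected."""
    restored = restore_key_store(backup) if backup else {}
    passphrases = passphrases or {}
    recovered = {}
    for name in wanted:
        if name in restored:
            recovered[name] = restored[name]
        elif name in passphrases:
            recovered[name] = key_from_passphrase(passphrases[name])
        else:
            recovered[name] = None
    return recovered
```

Calling `recover_keys` with only a known pass phrase recovers the pass-phrase key and returns `None` for the auto-generated one; passing the backup recovers both, which is why the thread recommends doing both.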