06-11-2013 12:31 PM
Hi All,
Our environment is Netbackup 7.1 on Solaris 10 , connected to SL library [ TD 4 drives ] through NDMP host
we have got a scenario of encrypting 500 non-encrypted tapes before shipping to offsite.
On some research found some options...
1) Configure KMS and do hardware based encryption
we have configured KMS in master server , created one ENCR_volumepool and tried image duplication from non-encrypted tape to ENCR_Volumepool through catalog and it's working fine .. But the drawback is , it's only working to LTO 4 tapes and it's failing on LTO 3 tapes... now we have to purchase 500 LTO 4 tapes , to go with this option
2) Heard about MSEO [ Media server Encryption ] , but not sure whether it helps our scenario of encrypting tapes through duplication.
Also if you have any ideas / suggestions on encrypting non-encrypted tapes.. kindly suggest. Thanks.
Regards,
Satish Kumar
Solved! Go to Solution.
06-11-2013 01:22 PM
Satish,
Hardware Encryption for LTO3 tape drives was not available at the time the drives were released so generally LTO3 tapes are not supported for the same hardware encryption.
MSEO is software based compression and encryption. You would have to make sure to size your media server to add the encryption load but it would support encryption LTO3 tapes and drives. MSEO is installed seperately and has it's own KMS management.
http://www.symantec.com/docs/HOWTO70072
Regards,
Skip
06-11-2013 01:22 PM
Satish,
Hardware Encryption for LTO3 tape drives was not available at the time the drives were released so generally LTO3 tapes are not supported for the same hardware encryption.
MSEO is software based compression and encryption. You would have to make sure to size your media server to add the encryption load but it would support encryption LTO3 tapes and drives. MSEO is installed seperately and has it's own KMS management.
http://www.symantec.com/docs/HOWTO70072
Regards,
Skip
06-11-2013 01:46 PM
Hi Skip,
Thanks for your reply. so would like to confirm whether MSEO satisfies our requirement of encrypting 500 non-encrypted tapes through duplicating images from tape to tape manually as I feel , it would work effectively for any client based direct backup.
Alternatively , do we have any option to encrypt tapes , which were already written and have data inside ?
Regards,
Satish
06-11-2013 02:03 PM
If the data is already on tape, there is no way to encrypt. You could duplicate your existing tapes to an encrypted drive then expire the copy 1 (the originals).
06-11-2013 03:03 PM
MSEO would work to run a duplicate from one drive to another and encrypt the data. It would read in the non-encrypted data and then write it out encrypted to the second drive.
06-12-2013 12:09 AM
Hi Skip,
Many thanks for your suggestion. A final question :)
1) MSEO requires a seperate license ? (or) It can be manageable with normal encryption license in master server [ Because we already have encryption license added and can see the encrypt check box in policies ... Does it mean it is CE [ Client Encryption ] ?
2) MSEO is compatible with LTO 3 tapes and TD 3 drives also ? or we need TD 4 and LTO 4 and latest versions ?
3) What happens when restoration from these encrypted tapes in future to same master server [ No action required ? ] and different master server [ we need to import data from tape and use the same keys ? ]
Regards,
Satish
06-12-2013 12:44 AM
Hi Skip,
Also if we license MSEO , all the backup jobs will get encrypted (or) we can restrict it to some policies..
Also since we are duplicating from catalog [ But not from policy ] , how to use the MSEO encryption feature ?
Thanks.
Satish
06-12-2013 01:47 AM
Hi Satish ,
Yes. MSEO is license based and you need a license per media server basis.
You can do encryption or compression based on volume pool number . If you are encrypting /decrypting with same media server then no problem but if you are trying to import tapes at DR site then you need to import key from source media server to destination server.
Regards,
Paramesh.
06-12-2013 10:57 AM
Hi Paramesh,
Thanks for your suggestion.
so this MSEO option is comptabile with NDMP policy also right ? All we need is to set the Policy storage unit to "Volume pool" , which have encryption configured through MSEO [ Just like KMS ] and fire the backup ? In NDMP case, any MSEO agent required in host end ?
Also Is this MSEO is a GUI based (or) it's CLI execution ? [ My master server is solaris ] . Can security keys easily managed through this GUI ?
Regards,
Satish Kumar
06-12-2013 06:06 PM
Satish,
There is some configuration that is required. You will need to setup the security server and the MSEO agent on each media server that will use it. There is a MSEO GUI and command line to manage the keys and setup. There are different compression and encryption settings that you can configure and then policy configurations. Here is a link to the MSEO 6.1.8 documentation. It includes an Admin guide and release notes guide.
http://www.symantec.com/docs/DOC6159
Certain LTO3 drives are supported as well as NDMP jobs. The SORT site (sort.symantec.com) has a link to the install checklist where you can check compatibility for your hardware.
Skip