01-02-2020 07:04 AM
Hi,
We want to start using encryption on our Powervault LT4000 LTO7 drives. I've been digging into some documentation but one thing is not clear. If you use KMS, do you then also need the encryption licenses on the Powervault media libraries (I noticed on each Powervault admin menu you can add a license to enable encryption)?
Thx!
01-02-2020 06:33 PM
Hi There
If you use KMS, you are right: you do not need, nor should you obtain, the encryption license for the Powervault.
If I'm not mistaken, the Powervault encryption license enables the Powervault to manage encryption only (completely independently of NetBackup).
KMS allows the native capability of the LTO7 drives to encrypt data written to tape.
HTH
01-03-2020 12:24 AM - edited 01-03-2020 04:54 AM
You definitely want to go with the NetBackup KMS option. It is a relatively straightforward setup and, once configured, doesn't need any maintenance. Don't buy an encryption license at the library level; if you replace the library you lose the option to restore data, whereas NetBackup KMS doesn't have that limitation.
That said - you need to think about how you will manage the encryption keys (passphrases). If the passphrase is static - no problem. But if you plan to change the passphrase faster than your longest retention, then you will have to figure out how to match passphrases vs. time period manually. NetBackup doesn't help you here.
How to Export and Import Encryption Keys Using the NetBackup KMS
https://www.veritas.com/content/support/en_US/article.100003573