cancel
Showing results for 
Search instead for 
Did you mean: 

Question on hardware tape encryption and key management

zmlat
Level 4

Hi,

I'm trying to read an encrypted tape, that was written to using NetBackup using hardware encryption (LTO5 drives on a quantum library). We used NB's key management so I have the keys. Now I'm trying to read the tape using a 3rd party application. Which part of the tape restore prcocess is responsible for using those keys? In other words, would I "import" those keys to the library, the OS, or the application? The application vendor is telling me their application supports reading from hardware encrypted tapes, but the keys "need to be entered into the library and decoded there".  I've been navigating the tape library management portal and don't see where I can add keys. I have a call into Quantum to get some clarification, but not really familiar with encryption keys, other than setting them up in NB.

 

8 REPLIES 8

davidmoline
Level 6
Employee

Hi Zmlat

I'm assuming you are referring to KMS encryption and not MSEO or client encryption.
IIRC, when writing to the tape media using tape encryption (ENCRPYT_pool), the bptm process obtains the appropriate key from the KMS server and sends that to the tape drive via an IOCTL. This setup up the hardware encryption. 

When reading the tape, the tape header contains a reference to the the key, which the bptm process will then get the key from the KMS server and again send that to the drive via an IOCTL to be able to read the encrypted data.

At no stage does the library itself become involved in the process, it is all performed directly between NetBackup and the tape drives. 

Hope this helps
David

mph999
Level 6
Employee Accredited

It is not possible to take the keys from NetBackup and import them into the library (for the library to take over the key management).

Although you have the keys (KMS_DATA.dat, KMS_HMKF.dat, and KMS_KPKF.dat files) the actual encryption keys are encrypted themselves.  There is no way to manually unencrypt them.

Thanks for the replies.

Doing a POC on a product called Index Engines and I'm getting conflicting info from Quantum and IE. IE does state they "support KMS". The idea here is to be able to restore from legacy NB catalogs without maintaining legacy NB master(s).

mph999
Level 6
Employee Accredited

I have been asked this question before (for restore via some 3rd party product), and on checking with Engineering if it was possible, I was told it was not.

As a matter of interest, what 'format' do you have the keys in - the KMS_DATA.dat, KMS_HMKF.dat, and KMS_KPKF.dat files ???

mph999
Level 6
Employee Accredited

Libraries that support KMS have their own KMS key managament.  It will be possible to move keys between libraries, but it is not possible to move the keys from a library into NetBackup.  In the same way, it is not possible to move the keys from NetBackup to the libarary.  The 3rd party vendors tool can (and this is an educated guess) read tapes when the library has been doing the key management. (so effectively the tool just 'takes the place of netbackup).

I wonder if they overlooked the fact that you cannot move the keys from netbackup to the library ...

sdo
Moderator
Moderator
Partner    VIP    Certified

@zmlat there are many variants of KMS.  A "KMS" is not a thing, a "KMS" is a type.  NetBackup has a KMS.  IBM have a KMS.  Quantum have a KMS.  They are all a forms of KMS.  They are not interoperable.  Just like I might have a car from Japan, and you might have a car from Germany.  They are both cars, but the keys probably take very different forms.

So after working with the product, what it evidently does is to get the key from NB when it catalogs the tape. It does some basic NB commands to determine which tape(s) are required for a restore, then I need to "index" the tape into the software and at that point it gets the keys from the KMS file. The cause of this particular problem was that it was looking for the *.dat files in /opt/openv/... Doesn't give me a warm and fuzzy about the product since for as long as I have been working with NB (since 1996), its always been in /usr/openv/... (or a link from there).

Interesting that you ask about the format, since now the product does find the "dat" file, but its expecting a certain 80 byte count, and its erroring out on that.  I see all 3 files on my master, in /usr/openv/kms/.... Wondering if its querying the wrong file ??? 

# find . -name "*.dat"
./db/KMS_DATA.dat
./key/KMS_HMKF.dat
./key/KMS_KPKF.dat

sdo
Moderator
Moderator
Partner    VIP    Certified

Only NetBackup Server with NetBackup KMS will be able to read a tape written using NetBackup KMS - because only NetBackup KMS knows how to manage the keys, and only NetBackup Server knows when to send the correctly formatted SCSI command down to tape drive to turn encryption on/off for either writing or reading.

You are never going to be able to read an encrypted tape unless you :

a) use NetBackup Server and NetBackup KMS and you have a backup copy of the NetBackup KMS keys (if originally randomly generated), or you are able to re-create the keys (if originally created from pass-phrases)

or

b) you are somehow able reverse engineer NetBackup and then use that acquired knowledge to then basically develop your own application program code which will be your own private NetBackup tape reader and SCSI command processor.