Restoring tape library encrypted data in another environment with different tape library

DPO
Level 6

We have a site where backups are taken to tapes and we don't use KMS instead encryption is enabled by default at tape library/drive level (default setting). Library is from IBM with IBM drives.

Now the situation is to import those tapes in another environment where we use Oracle tape library with HP drives.

Is that doable ?

All the environments are running same NB version


Nicolai
Moderator
Partner VIP

If you can get the encryption paraphrase/key from the tape library.

As LTO uses either AES128 or AES256, the encryption algorithm is the same on both IBM and HP.

You may have to ship the IBM tape robot to the second site, in order to import and copy the tapes.

mph999
Level 6
Employee Accredited

It will be KMS, just that the keys are controlled by the library, not NBU. It depends if you can transfer the KMS keys from library 1 to library 2. I doubt it is possible, but you would have to ask IBM/Oracle - the last case I saw on this it wasn't possible, but I cannot remember the makes/models of the libraries.

It's not in the vendors' interest to allow keys to be swapped between vendors - that way it potentially keeps you tied to one brand.

From the NBU perspective, we don't care; in fact, providing the library is doing its job properly, we don't even know the data is encrypted.

It is probably more sensible to use NBU KMS if you need to transfer data between locations - even then, you have to plan carefully and create the same keys at both sites, preferably in advance of needing them. With NBU KMS you cannot merge keys from two locations; you have to either replace all, or create the same key at both sides (never allow NBU to automatically create the pass phrase, otherwise this wouldn't be possible).

mph999
Level 6
Employee Accredited

"You may have to ship the IBM tape robot to the second site, in order to import and copy the tapes." 

- ahh, good thinking ....

I don't think this site has KMS or any other encryption algorithm in use. Nor did they set up any passphrase. They are using the library default settings, which show "Library managed encryption". And shipping the robot or drives to the second site is not possible.

Also, I'm talking about the tapes that were already backed up. My question was very straightforward.

Hope this clarifies things for both of you.

sdo
Moderator
Partner VIP Certified

@mph999's point is that it will be using a KMS. KMS is a generic term across multiple vendors. We know it's not "NetBackup KMS", and we know the library and drives are IBM, so it is highly likely that it will be using a library-local form of "IBM KMS". All KMS communicate their "encryption management" to all LTO drives using the SCSI T10 protocol. As to whether the encryption (which is performed at the tape drive head) is AES128 or AES256, you would have to check the actual tape drive specs. Indeed, some KMS are independent, e.g. some KMS are used to control pass-phrases and encryption keys across multiple device types from multiple vendors.

Anyway, I suspect that all of this is irrelevant. You have stated quite clearly that library managed encryption is enabled. This sounds to me very much like the tapes are encrypted. How do you prove this? Refer to the vendor documentation. Yet you say they never set up any pass-phrases. This is the worst possible situation to be in. Basically they have no real control over their encryption, other than to enable or disable it. By not managing the pass-phrases themselves they have effectively locked all media to that one library.

If this is true then the IBM KMS must have selected random pass-phrases for itself from which to generate keys for itself.  If you can acquire a copy of the encryption pass-phrases and the "salt" in plain text then it might be possible to re-use those pass-phrases in another vendor's "KMS", but I very much doubt this would work.

In short I don't think you can do anything except keep the old library and old tapes around for as long as possible until all retentions have expired.

The other site I'm talking about is not the one we manage, so I have very little info on it. But as far as I know it is an IBM TS3100. Also, on our side we use NBKMS for tape encryption. Let's assume I get the passphrase: how can I import it in the Oracle SL150 library? I don't see an option to configure tape library level encryption, but the drives support encryption, which is why we are able to perform encryption to tapes. And as per my last discussion they haven't set up any passphrase. What if we don't know the passphrase?

sdo
Moderator
Partner VIP Certified

P1) The other site I'm talking about is not the one we manage, so I have very little info on it.

A1) ok

.

P2) But as far as I know it is an IBM TS3100.

A2) ok

.

P3) Also, on our side we use NBKMS for tape encryption.

A3) ok - I assume this means that you are using NetBackup KMS to encrypt tapes in your Oracle SL150 library?

.

P4) Let's assume I get the passphrase: how can I import it in the Oracle SL150 library?

A4) I wouldn't know. That is a vendor-specific question for Oracle tape libraries. Refer to product documentation. Nothing at all to do with NetBackup. Unless you are asking whether you can get the IBM TS3100 pass-phrases and salt, and then whether those might work with NetBackup KMS on your Oracle SL150? As I and others have said, we very much doubt this. You would be relying on both the IBM TS3100 and NetBackup KMS having and using exactly the same "mathematical key folding" algorithm, and this is very unlikely indeed.

.

P5) I don't see an option to configure tape library level encryption, but the drives support encryption, which is why we are able to perform encryption to tapes.

A5) Indeed - this is NetBackup KMS talking via SCSI T10 to the tape drives themselves.

.

P6) And as per my last discussion they haven't set up any passphrase.

A6) Oh dear. Then the library must have selected random pass-phrases for itself, from which to effectively generate random encryption keys which are effectively private to that library.

.

P7) What if we don't know the passphrase?

A7) Then there is nothing that you can do. Nothing anyone else can do. The tapes have been encrypted by a private key holder. The private key holder is the tape library itself. All you can do is wait for the data to logically expire. You are stuck, because any encrypted tapes are effectively permanently locked to that one single tape library.
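The three outcomes discussed in this thread (mph999's advice to create the same key from the same pass-phrase at both sites, sdo's point that a library-generated secret is private to that library, and sdo's "mathematical key folding" caveat in A4) can be modelled in a few lines. The following is an added illustration and is not NetBackup, IBM or Oracle code; the two "folding" functions, the key-tag format and the salts are constructed assumptions, chosen only to show why a recovered pass-phrase is not enough unless the receiving KMS derives keys in exactly the same way.

```python
"""
Constructed model of pass-phrase-derived tape keys at two sites.
Assumptions (not any vendor's real scheme): vendor A "folds" a pass-phrase
with PBKDF2-HMAC-SHA256, vendor B with PBKDF2-HMAC-SHA512 and a different
iteration count; a KMS identifies the key for a tape by a SHA-256 tag.
"""
import hashlib
import os

KEY_LEN = 32  # 256-bit key, matching the AES-256 option the drives support


def fold_vendor_a(passphrase: str, salt: bytes) -> bytes:
    """Vendor-A style key folding (assumption: PBKDF2-HMAC-SHA256, 100k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, KEY_LEN)


def fold_vendor_b(passphrase: str, salt: bytes) -> bytes:
    """Vendor-B style key folding (assumption: PBKDF2-HMAC-SHA512, 50k rounds)."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, 50_000, KEY_LEN)


def key_tag(key: bytes) -> str:
    """Fingerprint a KMS could record with the media to locate the right key (constructed format)."""
    return hashlib.sha256(key).hexdigest()[:32]


class KeyStore:
    """Minimal per-site key store: tag -> key material."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}

    def add(self, key: bytes) -> str:
        tag = key_tag(key)
        self.keys[tag] = key
        return tag

    def can_decrypt(self, tape_tag: str) -> bool:
        # A tape is readable only if this store holds a key with the same tag.
        return tape_tag in self.keys


def scenario_shared_passphrase() -> bool:
    """Admins create the same key from the same pass-phrase and salt in the same KMS at both sites."""
    salt = b"constructed-agreed-salt"
    site_a, site_b = KeyStore(), KeyStore()
    tape_tag = site_a.add(fold_vendor_a("constructed-passphrase", salt))  # tape written at A
    site_b.add(fold_vendor_a("constructed-passphrase", salt))             # same key recreated at B
    return site_b.can_decrypt(tape_tag)


def scenario_library_generated() -> bool:
    """The library picked its own random pass-phrase and salt and never exported them."""
    site_a, site_b = KeyStore(), KeyStore()
    private_secret = os.urandom(32).hex()          # known only inside library A
    tape_tag = site_a.add(fold_vendor_a(private_secret, os.urandom(16)))
    site_b.add(fold_vendor_a("site-b-own-passphrase", b"site-b-salt"))  # unrelated key at B
    return site_b.can_decrypt(tape_tag)


def scenario_cross_vendor_same_passphrase() -> bool:
    """Pass-phrase and salt recovered, but the receiving KMS folds them with a different algorithm."""
    salt = b"constructed-recovered-salt"
    site_a, site_b = KeyStore(), KeyStore()
    tape_tag = site_a.add(fold_vendor_a("constructed-recovered-passphrase", salt))
    site_b.add(fold_vendor_b("constructed-recovered-passphrase", salt))
    return site_b.can_decrypt(tape_tag)


if __name__ == "__main__":
    print("same KMS, same pass-phrase and salt:", scenario_shared_passphrase())
    print("library-generated private secret:   ", scenario_library_generated())
    print("different vendor folding:           ", scenario_cross_vendor_same_passphrase())
```

Only the first scenario yields a readable tape at the second site, which is the planning point mph999 makes: agree the pass-phrase and salt in advance, create the key in the same KMS at both locations, and never let the KMS generate the pass-phrase itself. The second scenario is the thread's actual situation, and the third shows why even a recovered pass-phrase does not carry across vendors.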

I think now we are all on the same page. Yes, I was **bleep** sure that it may not be possible to import tapes encrypted by one library vendor using another library vendor. If it was NBKMS it would be a cakewalk for me; I just wanted to check if someone ever faced this kind of scenario. Now it is interesting. Let me explore other options. As always, please share if you can think of a solution.