Highlighted

Symantec NetBackup Encryption

1) If I'm is trying to move away from a Brocade Encryption Switch (BES) since it has been announced EOL, can NBU be used to unencrypt the tapes that were already encrypted with BES and then can NBU encrypt them again using different keys so that all these tapes' encryption keys can be migrated from BES to NBU (so BES can be removed completely eventually)?
2) If encryption is occurring at the tape drive by NBU KMS encryption, will there be backwards compatibility from LTO-7 to LTO-5 or LTO-4?
3) Would the unencryption of the tapes have to be done by the BES or NetApp DataFort (which the customer also has)?
1 Solution

Accepted Solutions
Accepted Solution!

1) Yes, as long as your

1) Yes, as long as your restore works, then a duplication of data encrypted via Brocade BES will be seamless to NetBackup - and so when duplicating to a NetBackup KMS encrypted pool - data will be re-encrypted at the tape drive head.

2) Yes, but do check the LTO Organization's published literature.

3) Unable to answer, as you haven't described the configuration.

.

Questions:

Q4) I think the answer to Q3, depends upon how you answer this... Is Brocade BES a form of carrier encryption only - i.e. does encrypt the contents of the FC frame, and then decrypt just before it hits the tape drive?  If so, then your tapes are not already encrypted.

Q5) Or does Brocade BES actually encrypt the backup data within FC packets, and if so, then how does it distinguish between SCSI command traffic and backup data?

View solution in original post

1 Reply
Accepted Solution!

1) Yes, as long as your

1) Yes, as long as your restore works, then a duplication of data encrypted via Brocade BES will be seamless to NetBackup - and so when duplicating to a NetBackup KMS encrypted pool - data will be re-encrypted at the tape drive head.

2) Yes, but do check the LTO Organization's published literature.

3) Unable to answer, as you haven't described the configuration.

.

Questions:

Q4) I think the answer to Q3, depends upon how you answer this... Is Brocade BES a form of carrier encryption only - i.e. does encrypt the contents of the FC frame, and then decrypt just before it hits the tape drive?  If so, then your tapes are not already encrypted.

Q5) Or does Brocade BES actually encrypt the backup data within FC packets, and if so, then how does it distinguish between SCSI command traffic and backup data?

View solution in original post