Tape drive compression and encryption with kms

J_H_Is_gone
Level 6

Does anybody know: if I have been using tape drive compression, and then I start using KMS tape drive encryption with NB, does the tape drive compress and then encrypt?

So am I still getting my compression along with my encryption?

 

4 REPLIES

CRZ
Level 6
Employee Accredited Certified
I believe encryption negates compression, because after encryption you end up without the kind of patterns in your data that can be compressed.  I know that using MSEO (Media Server Encryption Option) disables hardware compression (enabling its own SOFTWARE compression prior to encryption), but don't see anything in the KMS documentation either way. 

If it DOES keep working, it won't give you much benefi

J_H_Is_gone
Level 6
I was hoping because the tape drive did both that it would compress it then encrypt it.
I am done with my initial testing and am about to go with kms on one of my small sites.
I will have to see if I get any compression out of it.  I would just hate for encryption to then cause me to use twice as many tapes.

Ed_Oldroyd
Level 2
Partner
That is not my understanding of KMS from Symantec. It works with encryption-capable drives such as LTO4, IBM TS1120 and I think by now Sun T10000B. Keys are generated and communicated to the drive technology and data from the drive buffer is compressed and then encrypted via the encryption chip built into the drives mentioned. MSEO on the other hand is server encryption so compression needs to be considered at the server level prior to encryption at the server level or yes tapes will bloat as encrypted data, although it will be applied through the drive buffer and compression chips will not enjoy compression. Compression and encryption take cycles so plan accordingly with MSEO. MSEO fills the gap for drive technologies that do not have encryption capabilities such as LTO3.

302438 Veritas NetBackup 6.5.2 Documentation Updates

Key Management Service

The Key Management Service (KMS) feature runs on NetBackup 6.5.2 and is a master server based symmetric key management service that manages symmetric cryptography keys for tape drives that conform to the T10 standard (LTO4). KMS has been designed to use volume pool based tape encryption. KMS is used with tape hardware that has built-in hardware encryption capability. An example tape drive with built-in encryption is the IBM ULTRIUM TD4 cartridge drive. KMS runs on Windows and UNIX. KMS generates keys from your passcodes or auto-generates keys. KMS operations are done through the KMS Command Line Interface (CLI). The CLI options are available for use with both nbkms and nbkmsutil. KMS has a minimal impact on existing NetBackup operation system management and yet provides a foundation for future Key Management Service enhancements. The initial release of KMS has a limited feature set in this 6.5.2 unlicensed version with a limited number of key groups and key records for each key group.


J_H_Is_gone
Level 6
Just wanted to share my stats, on compression and encryption.
I am using NetBackup's KMS (not MSEO) application-managed tape encryption.
I have one full tape that is encrypted. All the other fulls are NOT encrypted.
I seem to be getting about the same in the amount of data on the tapes.
Less than D00000 but more than D00022 - it all depends on the data.
So to me it appears that as the tape drive is doing both the compression and the encryption it is working well.
I am using LTO4s in an IBM TS3310 library. With NetBackup 6.5.5 that allows 2 encrypted volume pools.
I also have not noticed any change in my backup times (but this is my smaller site) and no overhead on the media server.
 
Media ID    Retention Period Images      Valid Images      Kilobytes   Status     
D00000      2 weeks     350   350   1906511824 Full MPX   
D00001      2 weeks     338   338   1844456169 Full MPX   
D00008      2 weeks     432   432   1896950470 Full MPX    encrypted
D00018      2 weeks     343   343   1935539291 Full MPX   
D00022      6 months    225   225   1549978248 Full MPX   
D00032      2 weeks     366   366   1973503009 Full MPX   
D00034      2 weeks     403   403   1711366221 Full MPX   
D00037      2 weeks     344   344   1937260418 Full MPX
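
The ordering question discussed in this thread (compress then encrypt, versus encrypting first and leaving compression to a later stage), shown as an added example that is not part of any post or of NetBackup. It assumes `zlib` as a stand-in for the drive's compression and a toy SHA-256 counter-mode keystream as a stand-in for the drive's AES engine; all function names and the sample data are constructed for illustration.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Stand-in for the drive's
    hardware cipher; illustration only, not for protecting real data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    # Order described for encryption-capable drives: compress, then encrypt.
    return keystream_xor(key, zlib.compress(data, 6))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    # Order that results when data is encrypted upstream without prior
    # compression and a later compression stage only sees ciphertext.
    return zlib.compress(keystream_xor(key, data), 6)


def recover(key: bytes, blob: bytes) -> bytes:
    """Inverse of compress_then_encrypt: decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, blob))


def compare(key: bytes, data: bytes) -> dict:
    """Bytes that would land on media for each ordering."""
    return {
        "original": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(key, data)),
        "encrypt_then_compress": len(encrypt_then_compress(key, data)),
    }


# Constructed sample: repetitive log-like text, typical of compressible backups.
SAMPLE = b"".join(
    f"2010-01-{(i % 28) + 1:02d} host{i % 7} backup job {i} completed status 0\n".encode()
    for i in range(4000)
)
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for name, size in compare(KEY, SAMPLE).items():
        print(f"{name:24s}{size:>10d} bytes")
```
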