just to want to know if somebody has the same experience (it is about HP library LTO7 HW encryption, but it probably does not matter):
- when you switch HW encryption from on to off , Active/Full media with encrypted images cannot be read/written, ending with "error reading header block" and set to Frozen state. Thats expected.
- when you switch it from off to on, partially full (=Active, and HW unencrypted) tapes cannot serve for writing additional images. A new job writing attempt is ending with " could not write tape mark to begin new image" and tape set to Frozen, too. That was a bit unexpected to me, since I thought that tape can start with unencrypted images and go on with encrypted images from some point. But it seems encr is on tape level and not image level.
Does somebody have any comments to this topic?
Solved! Go to Solution.
I assume that you use HP KMS and not netbackup KMS
The encryption is hardware encryption and the encryption hardware is part of tape drive. So the encryption is at tape level. You can not switch encryption on and off and appending backups on the same tape. You have to split your tapes to encrypted and unencrypted.
I don not see the reason to write both encrypted and unencrypted backup to a tape. if you really need this, the only option you have is to use software encryption, which will slow down your backups and it is not recommended.
In fact I do not see the reason to do unencrypted backups.
All what Stefanos said ...
I would say this make sense.
- when you switch HW encryption from on to off , Active/Full media with encrypted images cannot be read/written, ending with "error reading header block" and set to Frozen state.
Netbackup cannot read the encrypted backup images header, nor can it retrieve the encryption key because the key is controlled by the library. If you want encryption granularity on tape volume group, you need to switch to NBU KMS. NBU KMS works great and is easy to configure - just remember to save the encryption key in a safe place.
thanks for answers. My intention is not to mix both unencrypted and encrypted backups on tapes, the question was targeting a situation where you implement HW encryption on a system which has been already running as unencrypted for some time.