Nicki Messerschmidt <[email protected]> writes:

> does anyone know a good tape library which supports hardware encryption
> under linux with amanda?
Any LTO-4 drive supports encryption, but you need special software to control it. An LTO FAQ (<http://www.lto-technology.com/About/faq.php>) says:

: 8: What will users have to do to utilize LTO encryption?
:
: Users will enable encryption/decryption on the encrypting Generation 4
: tape drive and provide a key.
:
: The Generation 4 specification states that LTO Generation 4 drives
: support the SCSI Security Protocol commands, which may be used to
: enable encryption, and provide a key to the drive. Some vendor
: implementations may enable encryption and provide a key through a
: proprietary channel.

Vendors seem to prefer the proprietary channel. This usually means that a special key management system (either software or appliance-style (software bundled with special/proprietary hardware)) talks via Ethernet/IP with the library (this kind of communication is called out-of-band), and the library talks via a library-internal connection with the tape drive.

Quantum offers a software product called Q-EKM (see <http://www.quantum.com/Solutions/encryption/Index.aspx>; there is a more detailed whitepaper). It is Java-based software running on a dedicated computer; a redundant configuration is strongly suggested. It is licensed by the number of cartridge slots in the libraries; AFAIR it costs something in the EUR 5000 range for 200 slots.

Hewlett-Packard offers an appliance product called Secure Key Manager (see <http://h18006.www1.hp.com/products/storageworks/secure_key/index.html>). A product review on <http://www.speicherguide.de/magazin/produkte.asp?todo=de&theID=922&mtyp=> mentions a nearly EUR 70000 price tag.

IBM's products seem to be different (and less proprietary). An article (<http://www.speicherguide.de/magazin/security.asp?todo=de&theID=2373&lv=700&mtyp=>) suggests that IBM's backup software ("Tivoli") contains key management and communicates in-band directly with the drive (via fibre channel).

IMHO only the in-band way makes sense for free software.
Some to-be-written software manages the keys and communicates via SCSI commands (via SAS or FC connection) with the drive. It has to use a "SCSI Security Protocol" that specifies special commands:

- SECURITY PROTOCOL IN
- SECURITY PROTOCOL OUT

Unfortunately I do not have access to the standards. And I have neither enough low-level SCSI nor encryption knowledge/experience...

That's what I managed to learn about LTO hardware encryption...

Sven
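As an added example (not part of the original thread, and not amanda code), this is what the two commands named above look like on the wire for the in-band approach: the 12-byte SECURITY PROTOCOL IN/OUT CDBs from SPC-4, the Set Data Encryption page (security protocol 20h, page 0010h, from SSC-3) that carries the AES-256 key to the drive, and a decoder for the Data Encryption Status page (0020h) used to confirm the drive state afterwards. The device path /dev/nst0, the algorithm index of 1, the placeholder key and the sample status response are assumptions or constructed data; the sg_raw (sg3_utils) invocation is shown as a suggested way to send the bytes, not run here.

```python
"""Build the SCSI commands needed for in-band LTO-4 tape encryption.

Added example: constructs SECURITY PROTOCOL IN/OUT CDBs (SPC-4) and the
Tape Data Encryption pages (SSC-3, security protocol 20h) as raw bytes.
Nothing here talks to a drive; it shows what a key manager would send.
"""
import struct

SECURITY_PROTOCOL_IN = 0xA2     # SPC-4 opcode
SECURITY_PROTOCOL_OUT = 0xB5    # SPC-4 opcode
SP_TAPE_DATA_ENCRYPTION = 0x20  # SSC-3 security protocol for tape encryption

# Page codes (SECURITY PROTOCOL SPECIFIC field) under protocol 20h
PAGE_DATA_ENCRYPTION_CAPABILITIES = 0x0010  # SECURITY PROTOCOL IN
PAGE_DATA_ENCRYPTION_STATUS = 0x0020        # SECURITY PROTOCOL IN
PAGE_SET_DATA_ENCRYPTION = 0x0010           # SECURITY PROTOCOL OUT

ENC_DISABLE, ENC_EXTERNAL, ENC_ENCRYPT = 0, 1, 2
DEC_DISABLE, DEC_RAW, DEC_DECRYPT, DEC_MIXED = 0, 1, 2, 3
SCOPE_PUBLIC, SCOPE_LOCAL, SCOPE_ALL_IT_NEXUS = 0, 1, 2


def security_protocol_cdb(opcode, protocol, page_code, length):
    """12-byte SECURITY PROTOCOL IN/OUT CDB (SPC-4).

    byte 0 opcode, byte 1 SECURITY PROTOCOL, bytes 2-3 SECURITY PROTOCOL
    SPECIFIC (page code), byte 4 INC_512 (clear: length is in bytes),
    bytes 6-9 allocation/transfer length, byte 11 CONTROL.
    """
    return struct.pack(">BBHBBIBB", opcode, protocol, page_code, 0, 0, length, 0, 0)


def set_data_encryption_page(key, algorithm_index, scope=SCOPE_ALL_IT_NEXUS,
                             encryption_mode=ENC_ENCRYPT, decryption_mode=DEC_DECRYPT,
                             clear_key_on_demount=True):
    """Set Data Encryption page (SSC-3 page 0010h), sent with SECURITY PROTOCOL OUT.

    The key travels in the clear inside this page, so the SAS/FC path to the
    drive is part of the trust boundary. LTO-4 uses AES-256-GCM, i.e. a
    32-byte key; ALGORITHM INDEX is read from the drive's capabilities page.
    """
    if len(key) != 32:
        raise ValueError("LTO-4 AES-256-GCM expects a 32-byte key")
    byte4 = (scope & 0x07) << 5                     # SCOPE bits 7-5, LOCK bit 0 clear
    byte5 = 0x04 if clear_key_on_demount else 0x00  # CKOD: clear key on demount
    body = (bytes([byte4, byte5, encryption_mode, decryption_mode,
                   algorithm_index, 0x00])          # KEY FORMAT 0 = plain-text key
            + bytes(8)                              # reserved bytes 10-17
            + struct.pack(">H", len(key)) + key)    # KEY LENGTH, KEY
    # PAGE LENGTH counts the bytes after the 4-byte page header
    return struct.pack(">HH", PAGE_SET_DATA_ENCRYPTION, len(body)) + body


def parse_data_encryption_status(page):
    """Decode the leading fields of a Data Encryption Status page (0020h)."""
    page_code, page_length = struct.unpack(">HH", page[:4])
    if page_code != PAGE_DATA_ENCRYPTION_STATUS or len(page) < page_length + 4:
        raise ValueError("not a complete Data Encryption Status page")
    return {
        "it_nexus_scope": page[4] >> 5,   # bits 7-5
        "key_scope": page[4] & 0x07,      # bits 2-0
        "encryption_mode": page[5],
        "decryption_mode": page[6],
        "algorithm_index": page[7],
        # bumped by the drive each time a new key is set
        "key_instance_counter": struct.unpack(">I", page[8:12])[0],
    }


def sg_raw_command(device, cdb, send_file=None, send_len=None, request_len=None):
    """Format an sg3_utils 'sg_raw' invocation for the CDB (assumed usage)."""
    parts = ["sg_raw"]
    if send_file is not None:
        parts += ["-s", str(send_len), "-i", send_file]
    if request_len is not None:
        parts += ["-r", str(request_len)]
    parts.append(device)
    parts += ["%02x" % b for b in cdb]
    return " ".join(parts)


# Constructed sample response a drive might return after the key is set:
# page 0020h, length 20, I_T nexus scope 2 / key scope 2, ENCRYPT/DECRYPT,
# algorithm index 1, key instance counter 7, remaining bytes zero.
SAMPLE_STATUS_PAGE = bytes.fromhex("0020 0014 42 02 02 01 00000007" + "00" * 12)

if __name__ == "__main__":
    key = bytes(range(32))  # placeholder; a real key comes from the key manager
    page = set_data_encryption_page(key, algorithm_index=1)
    spout = security_protocol_cdb(SECURITY_PROTOCOL_OUT, SP_TAPE_DATA_ENCRYPTION,
                                  PAGE_SET_DATA_ENCRYPTION, len(page))
    spin = security_protocol_cdb(SECURITY_PROTOCOL_IN, SP_TAPE_DATA_ENCRYPTION,
                                 PAGE_DATA_ENCRYPTION_STATUS, 512)
    print(sg_raw_command("/dev/nst0", spout, send_file="sde.bin", send_len=len(page)))
    print(sg_raw_command("/dev/nst0", spin, request_len=512))
    print(parse_data_encryption_status(SAMPLE_STATUS_PAGE))
```

The Set Data Encryption payload is the whole "key management" exchange from the drive's point of view: the host pushes a plain-text key in a SPOUT data-out buffer, so protecting the key at rest and restricting who can issue that command on the host is the actual job of the to-be-written software. After setting the key, read the Data Encryption Status page and check that the modes and algorithm index match what was sent, and read the Data Encryption Capabilities page (0010h via SECURITY PROTOCOL IN) first rather than assuming algorithm index 1. The same byte layouts are what the later free tool stenc drives through the Linux SG_IO ioctl.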
