On 04/17/2013 02:25:05 AM, Sven Rudolph wrote:
Marcus Pless <[email protected]> writes:
> I'm researching a possible LTO6 library purchase and we would very
> much like to take advantage of the encryption capabilities of the
> tape drives. My understanding is that this requires an Encryption Key
> Manager server, which the library vendors are all too happy to
> sell me. Is anyone actually doing this? Did you find a suitable
> open source solution, or am I most likely limited to the vendor's
> offerings?
Another option is to control encryption and transfer the secret key via
SCSI commands. In this way the encryption is controlled by the backup
application and not by the library.

Note that I do not use the things outlined below in production! I only
tried some tests when I heard of it...

Bareos <www.bareos.org>, "a 100% open source fork of the backup project
from bacula.org", implements this. And it also provides a standalone
command-line tool called bscrypto. I tested this and I could
enable/disable compression and transfer the key. When I encrypted a tape
and removed the key, the Linux kernel gave me an error message that it
couldn't decrypt the tape. So I suppose that it works.

You could use bscrypto to enable encryption and then start amdump etc.

A remaining problem is that when the tape drive suddenly resets it falls
back to unencrypted mode and amanda does not detect this. So it would be
better to integrate the encryption stuff in amanda, but this is beyond
my skills...

Sven

Thanks Sven. I'll have to check that out!
--Marcus
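
Sven's message above notes that a drive reset drops back to unencrypted mode without amanda noticing. The following is an added example, not part of the original thread and not Amanda or Bareos code: a shell wrapper that checks the drive's encryption state before and after the backup run. The status command is an assumption supplied by the caller (any command that exits 0 only while the drive reports encryption enabled); `guarded_backup` and its exit codes are hypothetical names.

```shell
#!/bin/sh
# Added example: refuse to start, and flag the run afterwards, if the tape
# drive is not in encrypting mode.
#
# Assumptions (not from the thread):
#   $1  status command: exits 0 only while the drive reports encryption on
#   $2  backup command: e.g. the site's amdump invocation
#
# Exit codes (hypothetical):
#   0   backup succeeded, drive encrypting before and after
#   10  drive not encrypting before start; backup was not run
#   11  backup command failed, drive still encrypting
#   12  drive not encrypting after the run; tapes written are suspect
guarded_backup() {
    status_cmd=$1
    backup_cmd=$2

    # Pre-check: never start writing if the key is not loaded.
    if ! sh -c "$status_cmd" >/dev/null 2>&1; then
        echo "drive not in encrypting mode; backup not started" >&2
        return 10
    fi

    backup_rc=0
    sh -c "$backup_cmd" || backup_rc=$?

    # Post-check runs even when the backup failed: a drive reset can both
    # abort the run and drop the drive back to unencrypted mode.
    if ! sh -c "$status_cmd" >/dev/null 2>&1; then
        echo "drive left encrypting mode during the run; treat tapes as unencrypted" >&2
        return 12
    fi

    [ "$backup_rc" -eq 0 ] || return 11
    return 0
}
```

The post-check only sees the drive state at the end of the run, so exit code 12 means every tape written in that run needs to be re-verified or rewritten.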