[Veritas-bu] Tape encryption
Key management for NetBackup encryption has historically been rough; also, you will lose drive level compression. New encryption appliances will allow for compression and simplified key management.

Wes

___
Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] Tape encryption
The Decru encryption appliances definitely compress and I'd be really surprised if the NeoScale ones didn't. And you don't actually lose drive level compression - it remains enabled and compresses away the padding on the tail end of the encrypted data set (admittedly not much). The encryption and compression is done by the same processor in the Decru appliance but the last tape block needs to be padded in the data stream. I do not believe that the Decru compression/encryption takes up any more tape space than the original unencrypted data compressed by the tape drive.

./Ed

--
Ed Wilts, RHCE, BCFP, BCSD
Mounds View, MN, USA
mailto:[EMAIL PROTECTED]

From: [EMAIL PROTECTED] On Behalf Of Johnson, Wesley
Sent: Thursday, September 20, 2007 1:04 PM
To: veritas-bu@mailman.eng.auburn.edu
Subject: [Veritas-bu] Tape encryption
Re: [Veritas-bu] Tape encryption
Anybody any experience of Spectralogic's library-based encryption?

We are about to start out on implementing this - basically the encryption, and optionally compression, is carried out in the fibre cards in the library. We will be using LTO2 and LTO3 drives.

I have some concerns around impact on performance and media usage especially with having to move the compression from the tape drives to the library, and 101 questions for the supplier around key management processes and procedures.

Doesn't seem as good as the Decru option, for one thing Decru as I understand it is NetBackup-aware; I don't think Spectralogic is, so we have to partition the library if we don't want to encrypt everything.

regards,
Phil

Phil Weber
Storage Technical Services - Senior UNIX Technologist
Business Technology
Phone: 01384 26 4136
Egg Banking plc

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Cruice, Daniel (US - Glen Mills)
Sent: 05 September 2007 21:33
To: veritas-bu@mailman.eng.auburn.edu
Subject: [Veritas-bu] Tape encryption
Re: [Veritas-bu] Tape encryption
Does anyone have any experience with the NeoScale Cryptostore FC appliances? Or did anyone compare the Decru vs. NeoScale solutions?
Re: [Veritas-bu] Tape encryption
I recently evaluated the Veritas MSEO product, and was very impressed. The version I received only ran on Solaris/Sparc and Windows. I tested the Solaris version. It creates a software-based encryption device instead of /dev/rmt/0cbn and the encryption and compression are activated with some XML strings in the policy keyword. Data that is first staged to disk is not encrypted, since the encrypting device is the /dev entry for the Solaris tape drive.

The work of encryption is handled in software, and I noticed a significant increase in CPU load during a single and multiplexed backup. Restoring encrypted data also created a load on the media server, but it was not overloaded. I have not received confirmation from Veritas, but with this device in place I believe hardware compression is disabled, and you can enable software compression when you specify a compression level in the policy keyword. The documentation is not specific on this subject.

If you need to encrypt data that is already written to media, you can modify the policy keyword in the backup image, then duplicate the image to the media server that has MSEO installed. For users who need to encrypt existing archives or migrate old data to new encrypted media formats, this would be a workable but time-consuming method. Just script it and let the computer do all the work.

The product, as I was told, is licensed by media server. In our environment, we could create a policy that disk staged all the off site data, then slowly wrote it to encrypted media over the next day or two in preparation for off site delivery. You would need to size your media server appropriately, since this is a processor intense operation. The test environment I used only has LTO-1 drives, and I was unable to get maximum speeds out of the drive while encryption and compression were enabled.

The NetBackup engineers I spoke with said this feature is likely to be better integrated into future NBU versions, which will make implementation and activation a much cleaner process.

The keys are stored as files in a directory under /opt, and the documentation explains how to protect this properly so you can restore your data later. The key files I had were ASCII files that contained an RSA key hash, which can be written to CD and locked away. The key directory was about 20kb.

Like many other Veritas products, this is not dependent on any one platform and media type. You can use it to encrypt your LTO-3 tapes, as well as your DDS-1, if you wanted.

-Jon
Re: [Veritas-bu] Tape encryption
Yes we did a bake off between Decru and Neoscale and Decru won handily. More mature and more support for the Unix O/S. (Neoscale did not support HP/UX at the time).

From: [EMAIL PROTECTED] On Behalf Of Brad Hillebrand
Sent: Friday, September 07, 2007 10:04 AM
To: veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Tape encryption
Re: [Veritas-bu] Tape encryption
Curious - you say you back up the keys - do you store those backups offsite and if so is that in a different location than the regular backups? It seems it would be important to not keep the backup of keys with the encrypted backups but that this might cause you issues for DR.

From: [EMAIL PROTECTED] On Behalf Of Ed Wilts
Sent: Wednesday, September 05, 2007 9:17 PM
To: 'Cruice, Daniel (US - Glen Mills)'
Cc: veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Tape encryption
Re: [Veritas-bu] Tape encryption
The keys in a Decru box are not usable unless you authenticate the new system. This is done via a key quorum, where you say that n of y security officers (identified by a secure card, username, password) must be present to authenticate the box that's going to use the keys. Therefore, you can copy/store your keys right along your backups and not worry about that issue.

---
W. Curtis Preston
Backup Blog @ www.backupcentral.com
VP Data Protection, GlassHouse Technologies

From: [EMAIL PROTECTED] On Behalf Of Jeff Lightner
Sent: Thursday, September 06, 2007 6:44 AM
To: Ed Wilts; Cruice, Daniel (US - Glen Mills)
Cc: veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Tape encryption
Re: [Veritas-bu] Tape encryption
We keep the keys, the tapes, and the recovery cards all in different places. Additionally, we have one of the FC520 appliances in a DR site that's a member of the cluster so it always has active keys anyway.

./Ed

--
Ed Wilts, RHCE, BCFP, BCSD
Mounds View, MN, USA
mailto:[EMAIL PROTECTED]

From: [EMAIL PROTECTED] On Behalf Of Jeff Lightner
Sent: Thursday, September 06, 2007 8:44 AM
To: Ed Wilts; Cruice, Daniel (US - Glen Mills)
Cc: veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Tape encryption
[Veritas-bu] Tape encryption
Looking for some information regarding tape encryption, anyone out there using it? And if so what kind of tape degradation did you experience? We are being asked to implement it and we are just trying to figure out what we are going to need.

Our environment is mixed with Windows and UNIX, all of our NBU servers are Windows (Master and Media) with a 20 drive LTO3 Library, over 900 clients. About 90% of our environment is running 6.0 MP4 and soon will be rolling out 6.5 w/ MP1. Any gotchas we need to be aware of?

Thanks
Dan

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
Re: [Veritas-bu] Tape encryption
I was just looking for like a percentage 10%, 20%, degradation... and if meaning tape drive will not compress the encrypted data, if I am using LTO3, the best I'll get on tape is about 400GB at best. I need to figure out how many additional drives I may need to compensate the encryption so I can still get all the backups done with the window.

Thanks
Dan

-----Original Message-----
From: Austin Murphy [EMAIL PROTECTED]
Sent: Wednesday, September 05, 2007 4:59 PM
To: Cruice, Daniel (US - Glen Mills)
Cc: veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Tape encryption
Re: [Veritas-bu] Tape encryption
I don't know what you mean by tape degradation, but software encryption does have a significant effect.

If you use the NetBackup encryption option, your tape drives will not compress the encrypted data. Max speed of the backup will be limited by the CPU speed, not IO speed. You can also use the NetBackup compression option, but that slows the whole operation down even more. A lot more.

If you use a Decru device or drive level compression, it will do compression at the same time.

In either situation, key management is a big deal.

Austin
Re: [Veritas-bu] Tape encryption
Unless all of your clients are really, really tiny, you're not going to want to look at software encryption so you really have 2 options - Decru and Neoscale appliances.

We've been happy with our Decru FC520 appliances front-ending our 8 LTO-3 drives (spread across 2 data centers). We don't actually get any degradation - in some cases, we've actually seen performance *improvements*. A single FC520 will support 2-3 LTO-3 drives but there are larger models (the FC1020) and there are rumors of 4Gbps faster versions coming out this year. Since each FC520 has a single 2Gbps interface for input and another for output, you're limited to 200MB/sec in total throughput. Depending on how fast you drive your tape drives now will help you determine how many appliances you would need. I would guess that your 20 drives are spread over 2 fabrics and putting one FC1020 per fabric would probably suffice since they have 5 2Gbps ports in and 5 out for 10Gbps total throughput. These suckers encrypt and compress at wire speed.

We haven't had any unresolvable issues with the appliances themselves. Key management isn't a problem at all - it's all handled by the appliances and can be backed up using their software. Our 3 appliances share the keys amongst themselves and also know that a single pre-defined NetBackup pool will write unencrypted data. By default, all of our NetBackup pools are encrypted - we have just a single clear-text pool just in case we have to send a customer a clear-text tape (we haven't had to do this yet).

You only really need to worry about the special cards whenever the keys need to leave a box - either when you're replacing one (we haven't had one fail yet) or if you add another box to the cluster and want to share the keys (we did this recently). The rest of the time the special cards sit in lockboxes and safes.

The Decru appliances do need to understand NetBackup but so long as the tape headers don't change, you won't have any issues. Just don't expect to use any old off-the-shelf software product some day and expect it to work out of the box without talking to Decru first.

Once you see these suckers, you'll be impressed. You can even get them with a big red button on the front that automatically flushes the keys when pressed (for use in military environments when the bad guys are breaking down your door).

From NetBackup's point of view, you don't need to do anything special at all. You unpresent all of your existing drives, present them to the encryption appliances, it presents new WWNs for the encrypted drives (they appear on the fabric as loop devices), and you tell NetBackup to use those. That's it. You don't need to worry about which tapes are encrypted and which aren't - the appliances handle all of that automatically and will read clear-text tapes transparently and when they're rewritten, will automatically encrypt the data. It just doesn't get any easier.

./Ed

--
Ed Wilts, RHCE, BCFP, BCSD
Mounds View, MN, USA
mailto:[EMAIL PROTECTED]

From: [EMAIL PROTECTED] On Behalf Of Cruice, Daniel (US - Glen Mills)
Sent: Wednesday, September 05, 2007 3:33 PM
To: veritas-bu@mailman.eng.auburn.edu
Subject: [Veritas-bu] Tape encryption
Re: [Veritas-bu] Tape encryption
Hello Dan,

We have been working with NetBackup client encryption and Decru encryption.

We use the NetBackup encryption option without compression. So the tape drives (LTO-2 and LTO-3) could not compress. I believe that the NetBackup client can also compress the data, but we have not tried this. We found that with some of the Intel-based systems (Windows and Linux) with lots of spare cheap CPU power at the time the backups run, we did not see a slowdown. But with Unix multi-use boxes we see a slowdown.

With Decru I believe that we saw a very small drop in throughput compared with the backups without the Decru. But this might be because without the Decru box we tested FC tape drives attached to a NetApp box. With the Decru box we had the fibre connections running through a fibre switch and the Decru box.

There is a third option that we have not tried. The latest Sun/STK and IBM tape drives will do the encryption. We have been told that the IBM LTO-4 tape drive will compress the data then encrypt it. The compression with the LTO-4 tape drive is turned off block by block if the block will grow in size with compression. Same as the earlier LTO tape drives. You should not see any slowdown with this option.

len
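The ordering issue raised in the message above (encrypting before the drive sees the data defeats drive compression, while compress-then-encrypt with a per-block fallback does not), as an added Python example that is not part of the original post or any vendor's code. The SHA-256 counter-mode keystream is a stand-in cipher for the demo only, and the flag byte, block size, key and sample data are constructed assumptions.

```python
import hashlib
import zlib

def keystream_xor(key, nonce, data):
    """Stand-in stream cipher (SHA-256 in counter mode). Demo only, not a vetted cipher."""
    stream = b"".join(hashlib.sha256(key + nonce + n.to_bytes(8, "big")).digest()
                      for n in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def pack_block(block):
    """Per-block compression with fallback; the flag byte (1 = compressed, 0 = raw) is assumed."""
    packed = zlib.compress(block)
    return b"\x01" + packed if len(packed) < len(block) else b"\x00" + block

def unpack_block(stored):
    return zlib.decompress(stored[1:]) if stored[:1] == b"\x01" else stored[1:]

def write_tape(blocks, key, compress_first):
    """Return the blocks as they would land on tape for either ordering."""
    tape = []
    for i, block in enumerate(blocks):
        nonce = i.to_bytes(8, "big")  # unique per block so the keystream never repeats
        if compress_first:  # compress, then encrypt
            tape.append(keystream_xor(key, nonce, pack_block(block)))
        else:  # encrypt in software first, leave compression to the drive
            tape.append(pack_block(keystream_xor(key, nonce, block)))
    return tape

def read_tape(tape, key, compress_first):
    """Reverse write_tape() to show that both orderings restore the same data."""
    blocks = []
    for i, stored in enumerate(tape):
        nonce = i.to_bytes(8, "big")
        if compress_first:
            blocks.append(unpack_block(keystream_xor(key, nonce, stored)))
        else:
            blocks.append(keystream_xor(key, nonce, unpack_block(stored)))
    return blocks

# Constructed sample input: four 16 KiB blocks of repetitive, log-like text.
LINE = b"2007-09-05 21:33:00 backup job 1234 client host01 status 0\n"
BLOCKS = [(LINE * 300)[:16384] for _ in range(4)]
KEY = b"constructed-demo-key"

def tape_bytes(compress_first):
    return sum(len(stored) for stored in write_tape(BLOCKS, KEY, compress_first))

if __name__ == "__main__":
    print("compress first:", tape_bytes(True), "encrypt first:", tape_bytes(False))
```

With encryption first, every block falls back to raw storage and the tape holds slightly more than the original data; with compression first, the same data occupies a small fraction of that.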