Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape

2011-11-30 Thread smpt
• Disaster recovery is not supported with encrypted backups.
Therefore you must not encrypt backups used for Disaster Recovery restore

This is true only if you do not replicate the keys. With library KMS you must 
have a replicated KMS, and with NetBackup KMS you have to replicate or back up 
the keys (unencrypted backup).


stefanos 


Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape

2011-11-30 Thread David Stanaway
On 11/30/2011 11:02 AM, smpt wrote:
> > • Disaster recovery is not supported with encrypted backups.
> > Therefore you must not encrypt backups used for Disaster Recovery restore
>
> This is true only if you do not replicate the keys. With library KMS you must 
> have a replicated KMS, and with NetBackup KMS you have to replicate or back up 
> the keys (unencrypted backup).


The NBU KMS db is small and static (Only changes when you run the kms 
commands to move keys through lifecycle stages, or add new keys). This 
is easy to keep synchronized with your recovery master server provided 
you have network connectivity. If you need to do tape transport only to 
your recovery site, you may need to devise another way to have the keys 
available for personnel to enter.  You need to know the keygroup names, 
the passphrase that generates the key and the key tag, and you can 
re-enter them into KMS on the bare install master before starting the 
catalog recovery.


___
Veritas-bu maillist  -  Veritas-bu@mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu


Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape

2011-11-29 Thread Justin Piszcz
Hi,

Not true, you can bpimport the tape, it's two phases (with NBU) and takes 2-4
hours per tape, this re-creates the catalog data from the tape media itself.

Read more here:
http://www.symantec.com/business/support/index?page=contentid=TECH43584

Justin.

-Original Message-
From: veritas-bu-boun...@mailman.eng.auburn.edu
[mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of novice123
Sent: Tuesday, November 29, 2011 1:59 AM
To: VERITAS-BU@MAILMAN.ENG.AUBURN.EDU
Subject: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape

Dear All,

During a risk assessment exercise, I realized that my backup admin does not
encrypt data in backup tapes. He argues, it is not required as an adversary
cannot recover/read data from the backup tape, assuming it's stolen, if he
does not have the corresponding catalog. He further adds that catalog is
kept secure. We are using Veritas NetBackup 6.5. I am unfamiliar with the
technology, hence would want to know the following:

a) If catalogs are secure, why should the software have a feature for
encrypting data in the backup tape?

b) If the argument is invalid, how can an adversary read/recover the data
from the stolen backup tapes, even if he does not have the catalog. Please
help in articulating the risk.

Any help in this regard is appreciated.

Thanks in anticipation

+--
|This was sent by sanjay.nefari...@gmail.com via Backup Central.
|Forward SPAM to ab...@backupcentral.com.
+--




Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape

2011-11-29 Thread Lightner, Jeff
Additionally for Linux/UNIX at least the format written on tape is using a 
modified version of GNU Tar so one could get the raw data using GNU Tar or even 
dd so you don't even need NetBackup's import capability. Someone attempting 
to steal data does NOT limit themselves to restoring to the same 
filesystem/directories or even file names. This is why people typically wipe 
disk drives before discarding them.

On the flip side whether you need to encrypt the data is dependent on what 
happens to the tapes and how comfortable you feel with it. e.g. if they're 
stored in a safe on your site then the likelihood the physical media will be 
compromised is low. If you're sending them offsite the likelihood increases 
although folks like Iron Mountain have their own security procedures to deal 
with custody of tapes. Additionally there may be other mitigating factors 
(e.g. your database management system encrypts data itself so that encryption 
of a database backup might be duplicated effort.) Finally you have to measure 
the desire for encryption against keeping track of keys used for encryption 
permanently (and of course keeping such keys secure).







Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape

2011-11-29 Thread John Berchmans
Please read some of the limitations of encrypting backups using software or 
drive based encryption:
==

Limitations of using software-based encryption:
• Disaster recovery is not supported with encrypted backups.
Therefore you must not encrypt backups used for Disaster Recovery restore.


Limitations of using drive-based encryption:
• Drive-based decryption may not work if the encryption metadata values on the 
tape medium are tampered with.
• If, for example, the LTO-4 tape drive is connected through a Network Storage 
Router (NSR), then encryption is supported only if the router firmware supports 
encryption related SCSI commands.

Other factors:

- Suppose you choose both software-based and drive-based encryption on the same 
host, it's possible there could be only one key file used for both.
- For security reasons, it may not be possible to delete a key. It is only 
possible to deactivate a key.
- Enabling software-based encryption reduces the effectiveness of drive-based 
compression.
- Backed up data cannot be restored if all encryption keys used during backup 
sessions are not available.
- Since encrypted backup sessions are CPU intensive and time consuming, it will 
affect the overall contingency plan, in case of disaster and if you had to 
recover the data.





Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape

2011-11-29 Thread Robyn Hirano
Dear Sanjay Nefarious,

I understand why you've used novice123 and not said who you work for, (and
it's not on the profile you put on backup central) but I thought I'd use
your name that came through.

Whilst this list is incredibly helpful, maybe we shouldn't risk putting
too much information up as it can help hackers? I'm not one for security by
obscurity, but it seems silly to shoot yourself in the foot when your email
is clearly about articulating the risk.

As it's a security matter for your company, perhaps you could also speak to
Symantec. Especially as adding encryption has significant design and cost
impacts.

Robyn

-- 
Robyn Hirano
Rodd Consulting Pty Ltd
M: +61 412 352 725
E: robyn.hir...@roddconsulting.com.au



Re: [Veritas-bu] veritas netbackup 6.5 encrypt backup tape

2011-11-29 Thread David Stanaway
On 11/29/2011 12:59 AM, novice123 wrote:
> Dear All,
>
> During a risk assessment exercise, I realized that my backup admin does not 
> encrypt data in backup tapes. He argues, it is not required as an adversary 
> cannot recover/read data from the backup tape, assuming it's stolen, if he 
> does not have the corresponding catalog. He further adds that catalog is kept 
> secure. We are using Veritas NetBackup 6.5. I am unfamiliar with the 
> technology, hence would want to know the following:
>
> a) If catalogs are secure, why should the software have a feature for 
> encrypting data in the backup tape?

You can always import images from a tape. Takes a while. It's also 
extractable even without NBU involved, esp. if not multiplexed.  This 
isn't true.

I encrypt my backups AND catalogs. (Just make sure you have a hard copy of 
KMS keys in the safe). LTO4 hardware encryption isn't too much of a 
performance hit for the peace of mind.


> b) If the argument is invalid, how can an adversary read/recover the data 
> from the stolen backup tapes, even if he does not have the catalog. Please 
> help in articulating the risk.


mt to position to each file, then tar.

or if you have NBU, import the tape.
___
Veritas-bu maillist  -  Veritas-bu@mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
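
The replies above say that tape contents in a tar-style format can be read without the catalog. That can be turned into a pre-shipment audit of your own media. The following is an added example, not part of any poster's message: it scans a raw dump of a tape file for valid tar headers and reports whether the content is plaintext. It assumes standard 512-byte ustar-compatible headers (NetBackup's modified tar may differ), and both sample images are constructed in-process.

```python
import io
import random
import tarfile

BLOCK = 512  # tar headers and data blocks are 512 bytes


def is_tar_header(block: bytes) -> bool:
    """True if a 512-byte block carries a valid tar header checksum."""
    if len(block) != BLOCK:
        return False
    try:
        stored = int(block[148:156].strip(b" \0"), 8)
    except ValueError:  # empty or non-octal field: not a header
        return False
    # The checksum is computed with its own field read as eight spaces.
    computed = sum(block[:148]) + 8 * 0x20 + sum(block[156:])
    return stored == computed


def plaintext_members(raw: bytes, limit: int = 20) -> list:
    """Member names from every valid tar header found on a block boundary."""
    names = []
    for off in range(0, len(raw) - BLOCK + 1, BLOCK):
        block = raw[off:off + BLOCK]
        if is_tar_header(block):
            name = block[:100].split(b"\0", 1)[0]
            names.append(name.decode("utf-8", "replace"))
            if len(names) == limit:
                break
    return names


def audit_image(raw: bytes) -> dict:
    """Verdict for one dump: any readable header means plaintext media."""
    names = plaintext_members(raw)
    return {"plaintext": bool(names), "sample_names": names}


def constructed_plain_image() -> bytes:
    """Constructed sample: a small ustar archive standing in for a dump."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in (("db/export.csv", b"id,name\n1,alice\n"),
                           ("home/report.txt", b"quarterly figures\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def constructed_encrypted_image(size: int) -> bytes:
    """Constructed stand-in for ciphertext: seeded pseudo-random bytes."""
    rng = random.Random(2011)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    plain = constructed_plain_image()
    print(audit_image(plain))
    print(audit_image(constructed_encrypted_image(len(plain))))
```

A dump that yields any member names is readable by anyone holding the tape, whatever the state of the catalog; an encrypted image yields none.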