The keys in a Decru box are not usable unless you authenticate the new
system.  This is done via a key quorum, where you say that n of y
security officers (identified by a secure card, username, & password)
must be present to authenticate the box that's going to use the keys.
Therefore, you can copy/store your keys right along your backups and not
worry about that issue.

---

W. Curtis Preston

Backup Blog @ www.backupcentral.com

VP Data Protection, GlassHouse Technologies

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff
Lightner
Sent: Thursday, September 06, 2007 6:44 AM
To: Ed Wilts; Cruice, Daniel (US - Glen Mills)
Cc: veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Tape encryption

Curious - you say you backup the keys - do you store those backups
offsite and if so is that in a different location than the regular
backups?  It seems it would be important to not keep the backup of keys
with the encrypted backups but that this might cause you issues for DR.

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Wilts
Sent: Wednesday, September 05, 2007 9:17 PM
To: 'Cruice, Daniel (US - Glen Mills)'
Cc: veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Tape encryption

Unless all of your clients are really, really tiny, you're not going to
want to look at software encryption so you really have 2 options - Decru
and Neoscale appliances.

We've been happy with our Decru FC520 appliances front-ending our 8
LTO-3 drives (spread across 2 data centers).  We don't actually get any
degradation - in some cases, we've actually seen performance
*improvements*.  A single FC520 will support 2-3 LTO-3 drives but there
are larger models (the FC1020) and there are rumors of 4Gbps faster
versions coming out this year.

Since each FC520 has a single 2Gbps interface for input and another for
output, you're limited to 200MB/sec in total throughput.  Depending on
how fast you drive your tape drives now will help you determine how many
appliances you would need.  I would guess that your 20 drives are spread
over 2 fabrics and putting one FC1020 per fabric would probably suffice
since they have 5 2Gbps ports in and 5 out for 10Gbps total throughput.
These suckers encrypt and compress at wire speed.

We haven't had any unresolvable issues with the appliances themselves.
Key management isn't a problem at all - it's all handled by the
appliances and can be backed up using their software.  Our 3 appliances
share the keys amongst themselves and also know that a single
pre-defined NetBackup pool will write unencrypted data.  By default, all
of our NetBackup pools are encrypted - we have just a single clear-text
pool just in case we have to send a customer a clear-text tape (we
haven't had to do this yet).  You only really need to worry about the
special cards whenever the keys need to leave a box - either when you're
replacing one (we haven't had one fail yet) or if you add another box to
the cluster and want to share the keys (we did this recently).  The rest
of the time the special cards sit in lockboxes and safes.

The Decru appliances do need to understand NetBackup but so long as the
tape headers don't change, you won't have any issues.  Just don't expect
to use any old off-the-shelf software product some day and expect it to
work out of the box without talking to Decru first.

Once you see these suckers, you'll be impressed.   You can even get them
with a big red button on the front that automatically flushes the keys
when pressed (for use in military environments when the bad guys are
breaking down your door).

From NetBackup's point of view, you don't need to do anything special at
all.  You unpresent all of your existing drives, present them to the
encryption appliances, it presents new WWNs for the encrypted drives
(they appear on the fabric as loop devices), and you tell NetBackup to
use those.  That's it.  You don't need to worry about which tapes are
encrypted and which aren't - the appliances handle all of that
automatically and will read clear-text tapes transparently and when
they're rewritten, will automatically encrypt the data.  It just doesn't
get any easier.

   .../Ed

--

Ed Wilts, RHCE, BCFP, BCSD

Mounds View, MN, USA

mailto:[EMAIL PROTECTED]

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cruice,
Daniel (US - Glen Mills)
Sent: Wednesday, September 05, 2007 3:33 PM
To: veritas-bu@mailman.eng.auburn.edu
Subject: [Veritas-bu] Tape encryption

Looking for some information regarding tape encryption, anyone out there
using it?  And if so, what kind of tape degradation did you experience?
We are being asked to implement it and we are just trying to figure out
what we are going to need.  Our environment is mixed with Windows and
UNIX, all of our NBU servers are Windows (Master and Media) with a 20
drive LTO3 Library, over 900 clients.  About 90% of our environment is
running 6.0 MP4 and soon will be rolling out 6.5 w/ MP1.  Any gotchas we
need to be aware of?

Thanks

Dan

_______________________________________________
Veritas-bu maillist  -  Veritas-bu@mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu