Hello Rongsheng,

I think there may also be a 4th option, though potentially more expensive than an appliance solution if you don't already have the hardware-

IF you have LTO4 at your primary site and you either have (or don't need) LTO4 read capability at your offsite: You could create a policy that calls on a vault profile that duplicates the tape using hardware-based encryption. The caveat here is you would need to worry about EKM (Encryption Key Management) and the fact that encrypted data doesn't compress quite the same as unencrypted data. This could lead to slightly increased tape utilization.

FWIW: We are not currently using LTO4. We tested software-based encryption and found the system overhead and tape utilization prohibitive. We wound up with an appliance-based solution that is actually quite fast, but short of getting off tape altogether, I'm looking forward to LTO4.

-Kent

------------------------------

Message: 18
Date: Tue, 11 Nov 2008 11:52:07 -0600
From: "Ed Wilts" <[EMAIL PROTECTED]>
Subject: Re: [Veritas-bu] Encrypting offsite tapes
To: "Rongsheng Fang" <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

You have 3 separate options:

1. Client-based encryption. Free with 6.5 (and you may be able to get free licenses for 6.0 if you're under maintenance). Adds a load to each and every client. From what I've heard, it's not pretty.

2. Media-server based encryption. Puts the load on the media servers instead.

3. Encryption appliance. Not cheap, but they encrypt at wire speed while writing to the tape drives. Decru, now owned by NetApp, is the current market leader. Brocade is also now partnering with NetApp to build the next generation - basically a Decru encryption appliance built into a 32-port Brocade switch. Not even close to cheap :-)

We chose option 3 and have Decru appliances in front of all our tape drives. Everything that's written to tape is automatically encrypted - we don't need to think about it. NetBackup doesn't even know the data is encrypted and doesn't care.
http://www.netapp.com/us/products/storage-security-systems/

On Tue, Nov 11, 2008 at 11:32 AM, Rongsheng Fang <[EMAIL PROTECTED]> wrote:

> We duplicate backup images from disks/tapes to tapes weekly using
> NetBackup vault and send the tapes offsite. We have a new requirement
> for encrypting all the tapes going offsite. I understand that
> NetBackup can do the encryption while the backup is being done. My
> question is: is it possible to encrypt the images during the vault
> process (or the duplication process of the vault)? How do you
> implement the encryption in your backup environments?
>
> Our environment: NetBackup Enterprise 6.0MP4 on Solaris 10
>
> Thanks,
>
> Rongsheng
>

.../Ed

Kent Eagle
MTS Infrastructure Engineer II, MCP, MCSE
Tech Services / SMSS
