You can have 1 key per volume pool. So on 6.5.5 you can encrypt 2 pools.
You can have different encryption keys for each pool. So I have 2 different key tags depending on which pool the tape belongs to. In 7.0 you can have 20 pools, but again you can only have 1 active key per volume pool. Now if you want to change your key, you have those “levels” of a key. You take current key from active to inactive, and create a new active key for that pool. An inactive key can be used to decrypt a tape. So if you have a new active key you can still read the tapes made with the old key. Where a deprecated key will stay in the database if you want it, but you cannot use it to write or read a tape. You said: “in case if we don’t have encryption feature enabled at hardware on another site, is there any way to perform the restore. “ No – that is the whole point of encryption. You must have application managed encryption turned on at the other library ( this cost me nothing on my IBM TS3310) And YOU MUST have the SAME keys on the database at the other site. TEST TEST TEST - before you start doing all your tapes verify that you can tape a tape made here and be able to restore it at your other site. If you cannot read an encrypted tape at your DR site – then what is the point. You want to lock others out of reading your tapes, not yourself. The way to verify is when looking at your tapes and you see the encrypted key tag on the image. Your kms database at your other site must have an exact matching key tag. As kms is just a bunch of file…. You just copy that dir over to the other server. The only issue right now for me is 2 volume pools. I wanted 3, and had to put two groups of tapes into the same pool. When I upgrade to 7.x I will get to break that group out again and have 3 encrypted volume pools. From: Abhishek Dhingra1 [mailto:abhishek.dhin...@in.ibm.com] Sent: Tuesday, June 15, 2010 12:41 PM To: Judy Hinchcliffe Cc: veritas-bu@mailman.eng.auburn.edu Subject: Fw: [Veritas-bu] KMS encryption Thanks for the reply. Today i tried configuring the KMS on my master server(running on AIX). It worked perfectly fine, i took help from veritas support and according to them we can only keep one key in the key database, it will always use the same key for encrypting the data. Every time we need to change the encryption key , we need to define the new key and deactivate the one that is activated. Have you tried configuring more then one key at the same time. Moreover doing restore on another site , will require encryption license to be applied on the tape library at another site, in case if we dont have encryption feature enabled at hardware on another site, is there any way to perform the restore. Rgds A D Email : abhishek.dhin...@in.ibm.com ----- Forwarded by Abhishek Dhingra1/India/IBM on 06/15/2010 11:05 PM ----- <judy_hinchcli...@administaff.com> 06/15/2010 10:51 PM To Abhishek Dhingra1/India/i...@ibmin, <veritas-bu@mailman.eng.auburn.edu> cc Subject RE: [Veritas-bu] KMS encryption Yes, I recently started. It is one chapter in the Security and Encryption book, look for the book for the version you are running. In the 6.5 it is chapter 6. I have aix media servers so I cannot do MESO If I wanted to hardware encryption using my IBM library I would have to PAY IBM a lot of money Plus get the Tivoli key management system. Kms comes with NB. I just went to my library and turned on “Application Managed Encryption” Then I setup the kms database and made my volume pools NOTE: in 6.5.5 you can only use 2 encrypted volume pools. In 7.0 you can use 20. So now I am doing hardware encryption – that is where all the work is done on the tape drive – it also does my compression so no extra over head on my master or media. Read the chapter carefully – Make sure that the kms dir is not put on your catalog tape, and do no encrypt the catalog tape ( that’s like locking your keys in the car) I have two sites. I made my kms on one master, then just copied the database to the other master, this way I know all encrypted key tags match and I can read encrypted tapes at both sites. Once reading the chapter I saw how easy it really was. Just make sure you document you password strings and keep them in a secure place – not in just any file on disk where someone else could find them. From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Abhishek Dhingra1 Sent: Tuesday, June 15, 2010 12:10 PM To: veritas-bu@mailman.eng.auburn.edu Subject: [Veritas-bu] KMS encryption Hi,, Has anyone ever used Netbackup 6.5 internal KMS encryption feature. Pls share the documents link of KMS and also wanted to know merits and demerits of using KMS encryption. Hope some one have used KMS and could help me. Rgds A D Email : abhishek.dhin...@in.ibm.com
_______________________________________________ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
