Comments on: Tape Encryption Best Practices http://www.standalone-sysadmin.com/blog/2009/10/tape-encryption-best-practices/ A blog for IT Admins who do everything by an IT Admin who does everything Tue, 07 Sep 2010 20:41:25 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Preston de Guise http://www.standalone-sysadmin.com/blog/2009/10/tape-encryption-best-practices/comment-page-1/#comment-3406 Preston de Guise Tue, 06 Oct 2009 09:44:37 +0000 http://www.standalone-sysadmin.com/blog/?p=949#comment-3406 Each enterprise product offers different levels of support for hardware tape encryption. NetWorker for instance doesn't currently support key management for hardware tape encryption. However, so long as the key management is run outside of it (e.g., via the library or the OS), it will work without issue - i.e., the encryption is invisible to it and can be used. I have multiple customers already taking advantage of this. There are other encryption options - e.g., (formerly Neoscale) <a HREF="http://www.nu.co.za/node/262" rel="nofollow">Thales nCipher</A> provides black box (or more precisely red box) level encryption at the fibre-channel layer itself. The nCipher device for instance is able to cooperate with many enterprise backup products to allow multiple keys, allows per-volume encryption controls, etc. Each enterprise product offers different levels of support for hardware tape encryption.

NetWorker for instance doesn’t currently support key management for hardware tape encryption. However, so long as the key management is run outside of it (e.g., via the library or the OS), it will work without issue – i.e., the encryption is invisible to it and can be used. I have multiple customers already taking advantage of this.

There are other encryption options – e.g., (formerly Neoscale) Thales nCipher provides black box (or more precisely red box) level encryption at the fibre-channel layer itself. The nCipher device for instance is able to cooperate with many enterprise backup products to allow multiple keys, allows per-volume encryption controls, etc.

]]> By: pb http://www.standalone-sysadmin.com/blog/2009/10/tape-encryption-best-practices/comment-page-1/#comment-3404 pb Mon, 05 Oct 2009 12:41:03 +0000 http://www.standalone-sysadmin.com/blog/?p=949#comment-3404 I've been watching the same question on ServerFault, and I have pretty much the same opinion. I think it comes down to this: tape-level encryption just isn't a fantastic idea due to key management and potential recovery issues. I think that if critical *data* is encrypted, that's fine. But encrypt it before it hits the tape. Besides, you really need to keep tight physical controls on the tape in the first place that should be enough. Note: I've not read the HP paper, but will take a quick peek. Thanks for the link. I’ve been watching the same question on ServerFault, and I have pretty much the same opinion. I think it comes down to this: tape-level encryption just isn’t a fantastic idea due to key management and potential recovery issues.

I think that if critical *data* is encrypted, that’s fine. But encrypt it before it hits the tape. Besides, you really need to keep tight physical controls on the tape in the first place that should be enough.

Note: I’ve not read the HP paper, but will take a quick peek. Thanks for the link.

]]>