HPE Community
Operating System - OpenVMS
1752826 Members
4228 Online
108789 Solutions
New Discussion юеВ

Re: Enabling LTO4 Hardware Encryption from OpenVMS ??

 
SOLVED
Go to solution
The Brit
Honored Contributor

тАО09-02-2010 06:03 AM

тАО09-02-2010 06:03 AM

Enabling LTO4 Hardware Encryption from OpenVMS ??

I guess the basic question is

Is it possible to use LTO4 hardware encryption without using using the LTO4 key management software. i.e. using some DCL command (or qualifier) to tell the LTO4 to use its hardware encryption (and a key supplied at runtime) on the data being backed up.???

Dave.
0 Kudos
Reply
5 REPLIES 5
The Brit
Honored Contributor

тАО09-02-2010 07:32 AM

тАО09-02-2010 07:32 AM

Re: Enabling LTO4 Hardware Encryption from OpenVMS ??

It looks like Data Protector does this, however for OpenVMS there is only a client.

As far as passing keys is concerned, I see many referenced to SPin and SPout (Security Protocol IN and Security Protocol OUT). SPout can be used to set a key on an LTO4 Tapedrive from what I understand.

Is there an OpenVMS equivalent to this??

If I choose to use the LTO4 Key Management Software, how do I interface with it from OpenVMS?? (or do I not need to??)

How can I confirm that my backup tapes are encrypted ??

Dave.

(So many Q's, and not many A's)
0 Kudos
Reply
David R. Lennon
Valued Contributor

тАО09-02-2010 06:14 PM

тАО09-02-2010 06:14 PM

Solution

Re: Enabling LTO4 Hardware Encryption from OpenVMS ??

Hi,
See here for the VMS program written to load keys into LTO4 drives:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1171171

We found it was easier, on the latest generation MSL libraries (MSL2024, MSL4048, etc) to just purchase the encryption kit option. This provides a usb fob that sticks on the back of the library and contains the keys. We then set the libary such that the drives are always in encrypted mode and then VMS doesn't have to care about managing it.

It would be necessary to use that program on a standalone (non-library) LTO4 drive. Especially since the drives lose the key when they are powered off, I would re-load it before each backup just to be sure. We did testing on a standalone drive with that program and it worked well.

- Dave
Reply
Eric Dittman
Frequent Advisor

тАО09-26-2010 04:04 PM

тАО09-26-2010 04:04 PM

Re: Enabling LTO4 Hardware Encryption from OpenVMS ??

David,

Does Tom's program work to set the same key on standalone drives as with the encryption kit?

I'm thinking about requirements to read the tapes at another site (such as a DR site) that isn't using an MSL tape library.
0 Kudos
Reply
David R. Lennon
Valued Contributor

тАО09-27-2010 06:50 AM

тАО09-27-2010 06:50 AM

Re: Enabling LTO4 Hardware Encryption from OpenVMS ??


We never tested if the same encryption key that is on the library usb fob can be loaded from VMS into a "standalone" LTO4 drive, such that the same tape can be readable.

I don't see why not, however - it's all just ones and zeros with computers, right?
0 Kudos
Reply
Hoff
Honored Contributor

тАО09-27-2010 07:36 AM

тАО09-27-2010 07:36 AM

Re: Enabling LTO4 Hardware Encryption from OpenVMS ??

The chances of remote access working without a full-path test and functional verification can be assumed to be somewhere between one and zero, and - without evidence to the contrary - zero is always assumed.

Put another way, there's even less of a chance I'd trust encryption without a periodic full-path verify, given this is heaped atop a complete lack of trust for whether a non-encrypted recovery will work.

Put another way, this is absolutely certain to fail.

Until you can prove it works.
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.