StoreEver Tape Storage

Hardware Encryption using HPE LTO8 Standalone tape drives

 
DoJu
Advisor

Hi All,

Can someone advise how hardware encryption / key management works on standalone HPE LTO tape drives?

I note plenty of HPE documentation on “Encryption technology for HPE StoreEver LTO Ultrium Tape Drives” but nothing on Key Management to do so when it comes to stand-alone HPE tape drives.

Our Backup Software (ARCSERVE) detects hardware encryption capability on the standalone tape drive and enables and encrypts the backup.

Information 28/04/2022 06:05:47 PM 5198 3 Hardware encryption enabled on session 3
Information 28/04/2022 06:00:57 PM 5198 3 Tape Engine Encryption Enabled.

Overview of how encryption works in a stand-alone HPE StoreEver LTO Ultrium Tape Drive

HPE StoreEver LTO Ultrium Tape Drive encryption is specified as part of the LTO-4 and later open standard format with the Advanced Encryption Standard—Galois/Counter Mode (AES-GCM) algorithm implemented in the tape drive formatter electronics. The implementation supports the Institute of Electrical and Electronics Engineers (IEEE) P1619.1 standard for tape-based encryption and the T10 SCSI command set.

Encryption technology for HP StoreEver LTO Ultrium Tape Drives (LTO-4, LTO-5, and LTO-6) – Technical white paper (US English) (meliusgroup.ru)

Appendix B shows the SPOUT Engineering Utility, showing a Server Key. Where can this utility be obtained?

Thanks!

support_s
System Recommended

Query: Hardware Encryption using HPE LTO8 Standalone tape drives

System recommended content:

1. HPE XP8 Encryption User Guide (v08)

2. HPE StoreEver MSL Tape Libraries Encryption Key Server Configuration Guide

Cali
Honored Contributor

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

Hi DoJu,

in most cases, you simply add an Encryption Password to the Backup Software.

After setting, all Data that lands on the Tape is encrypted with this Password.

If the Tape Drive has an Encryption Chip (as Yours), it is done by Hardware, if not by the Backup Software.

Hardware is preferred as it is faster and can also use compression (on the Tape Drive).

Additionally, you can set if the Password is stored in the Software (Backup Server) or not.

If stored, you can restore on this Backup Server without entering a password; if not, you need a Password every time for Tape access.

If you need more Security, you can use a Secure Manager or a USB Stick in the Tape that gives a Token for every Tape.

Most of the time we use Hardware Encryption with stored Passwords; this gives safety for "Lost" Tapes.

See here: Administration Guide (arcserve.com)

Page 114-116

Arcserve® Backup for Windows Administration Guide

Cali


======================
I'm not an HPE employee, so I can be wrong.

DoJu
Advisor

Re: Query: Hardware Encryption using HPE LTO8 Standalone tape drives

Thanks for the information, but I don't think the HPE XP8 supports standalone tape drives.

DoJu
Advisor

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

Hi Cali,

We have ARCSERVE and there are two options for encryption in a backup job:

1) Each backup session has a "Session/Encryption" password.
I believe this is the session encryption password to protect the data from being merged/restored without first providing the password.

It mentions "This password will be used for verification during restores. Data is always encrypted using a randomly generated key".

The above is misleading as I believe there is no data being encrypted. It should really be renamed "Session Password" as no encryption is performed on the data.

2) Encrypt data Option
If the Administrator selects the "Encrypt Data" checkbox, then selects "At backup Server during backup", ARCSERVE detects if the media (e.g. LTO8 tape drive/tape) supports hardware encryption and if so, it will utilise:

Information 27/04/2022 06:01:14 PM 5189 1 Hardware encryption enabled on session 1
Information 27/04/2022 06:01:13 PM 5189 1 Source Directory: E:\Data
Information 27/04/2022 06:00:50 PM 5189 1 Arcserve Backup Client Agent for Windows is r17.5, build 8021
Information 27/04/2022 06:00:49 PM 5189 1 Tape Engine Encryption Enabled.
Information 27/04/2022 06:00:49 PM 5189 1 Data Compression Enabled
Information 27/04/2022 06:00:46 PM 5189 1 Global Backup Method: Full.

However, the issue is Key Management: HPE advised that, as it's a standalone tape drive, hardware encryption cannot be used, despite the above clearly showing hardware encryption enabled/used.
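
An added example, not part of the original post and not Arcserve code: a small audit over activity-log lines in the layout quoted above, listing the job sessions that logged "Tape Engine Encryption Enabled" but no "Hardware encryption enabled" entry. The sample lines are constructed, job 5190 is invented, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the activity-log layout quoted in the thread:
# severity, date, time, job ID, session, message. Job 5190 is invented
# to show a session with no hardware-encryption line.
SAMPLE_LOG = """\
Information 27/04/2022 06:01:14 PM 5189 1 Hardware encryption enabled on session 1
Information 27/04/2022 06:01:13 PM 5189 1 Source Directory: E:\\Data
Information  27/04/2022 06:00:49 PM 5189 1 Tape Engine Encryption Enabled.
Information 27/04/2022 06:00:49 PM 5189 1 Data Compression Enabled
Information 28/04/2022 07:10:02 PM 5190 1 Source Directory: E:\\Data
Information 28/04/2022 07:09:40 PM 5190 1 Tape Engine Encryption Enabled.
"""

LINE_RE = re.compile(
    r"^\w+\s+(?P<ts>\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}:\d{2}\s+[AP]M)"
    r"\s+(?P<job>\d+)\s+(?P<session>\d+)\s+(?P<msg>.+)$"
)

def audit_sessions(log_text):
    """Map (job, session) -> encryption flags and earliest timestamp seen."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        key = (int(m["job"]), int(m["session"]))
        ts = datetime.strptime(" ".join(m["ts"].split()), "%d/%m/%Y %I:%M:%S %p")
        rec = sessions.setdefault(
            key, {"engine": False, "hardware": False, "first_seen": ts})
        rec["first_seen"] = min(rec["first_seen"], ts)  # log is newest-first
        msg = m["msg"].lower()
        if msg.startswith("tape engine encryption enabled"):
            rec["engine"] = True
        elif msg.startswith("hardware encryption enabled"):
            rec["hardware"] = True
    return sessions

def sessions_without_hardware_encryption(log_text):
    """Sessions where encryption was requested but no hardware line was logged."""
    return sorted(k for k, r in audit_sessions(log_text).items()
                  if r["engine"] and not r["hardware"])

if __name__ == "__main__":
    for job, session in sessions_without_hardware_encryption(SAMPLE_LOG):
        print(f"job {job} session {session}: no 'Hardware encryption enabled' entry")
```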

Curtis_Ballard
HPE Pro

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

I'm not an Arcserve customer and it has been a long time since I looked at it, but my recollection is that Arcserve owns the encryption key and stores it in an Arcserve database, so all of the key management is done by Arcserve. With a quick search I found a picture that seems to show that in the Arcserve documentation. Don't know if the link will come through but I'll try.

https://documentation.arcserve.com/Arcserve-Backup/Available/R16/ENU/Bookshelf_Files/HTML/admingde/index.htm?toc.htm?backup_manager_encryption_options.htm

I can tell you that anybody that says a standalone tape drive can't use hardware encryption is forgetting that there are two tape hardware encryption usage models.  Tape library managed LTO hardware encryption and software managed LTO hardware encryption.  Software that has implemented software managed LTO hardware encryption can use tape drives in a tape library or standalone tape drives and encrypt on either.  Only the tape library managed LTO hardware encryption can't be used with standalone tape drives.

HPE only sells tape library managed LTO hardware encryption but the LTO tape drives HPE sells will work with software managed LTO hardware encryption.


I work for HPE

DoJu
Advisor

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

Hi Curtis,

RE: software managed LTO hardware encryption

ARCSERVE is only responsible for the Session / Encryption password; if it detects the hardware is encryption capable, it lets the tape drive itself perform the file encryption to LTO tape.

The issue is key management for stand alone tape drives when recovering files that have been encrypted by the tape drive itself.

HPE mention a SPOUT engineering tool, see page 18
https://www.hpe.com/psnow/doc/4aa5-2801enw?jumpid=in_lit-psnow-red

HPE advised “encryption .. this is from Backup Application.”

BUT

ARCSERVE advised there is no key management provided by their software as they ‘pass through’ to the hardware (via SPOUT commands to the Tape Drive).

So the customer is left none the wiser.

 

Cali
Honored Contributor

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

Good Document, but I don't understand your problem.

Every LTO-4 Drive and later has a Hardware Encryption Chip (Stand-alone or Library).

If you set an Encryption Password (Pass Phrase) in ArcServe by "Encrypted Data Option", all Data on the Tape is now Encrypted.

Is this what you would like?

You don't need a Key Management (Internal or external) for this.

In the document above, it is named: Keys managed by ISV application but encryption is LTO hardware based

The only behavior is that all Tapes are Encrypted with the same Password.

But normally, this is good enough.

Arcserve® Backup for Windows Administration Guide

Cali

 


======================
I'm not an HPE employee, so I can be wrong.

Curtis_Ballard
HPE Pro

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

From the online documentation it looks like Arcserve either uses a password or integrates with a KMIP key server. If you are using a password then the password is your "key" and you are responsible for the key management. Arcserve has a way that you can have it save your password in an encrypted format in a database but you should still manage your passwords. If you integrate with a KMIP key server then the key server manages the encryption keys.

It sounds like you are probably using a password. The following is all I found on how passwords are used with a simple search of the Arcserve documentation. It doesn't seem to describe very clearly how it uses hardware encryption.

"You can also create a session encryption password that is saved to the Arcserve Backup database. This password is used to encrypt session data. For more information about passwords, see the topic How Password Management Works."

From your earlier comments I suspect that Arcserve support was telling you that they just pass through the password you provide in the SPOUT command and the tape drive uses that password as the encryption key.


I work for HPE
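
An added example, not from the thread, HPE or Arcserve: what a software-managed key looks like on the wire when an application issues SECURITY PROTOCOL OUT (SPOUT) with a Set Data Encryption page. The field layout follows the T10 SSC tape encryption page as understood here and should be checked against the standard; the algorithm index, the key and the function names are assumptions, and how Arcserve turns a password into a key is not stated on this page.

```python
import struct

SPOUT_OPCODE = 0xB5            # SECURITY PROTOCOL OUT
TAPE_DATA_ENCRYPTION = 0x20    # security protocol: Tape Data Encryption
SET_DATA_ENCRYPTION = 0x0010   # page code: Set Data Encryption
KEY_OFFSET = 20                # key bytes follow the 20-byte fixed part

def build_set_data_encryption(key, scope=2, encrypt_mode=2, decrypt_mode=2,
                              algorithm_index=1):
    """Build the parameter list that hands a plaintext AES-256 key to the drive."""
    if len(key) != 32:
        raise ValueError("AES-256-GCM needs a 32-byte key")
    body = struct.pack(
        ">BBBBBB8xH",
        (scope & 0x7) << 5,  # SCOPE in bits 7-5 (2 = all I_T nexus), LOCK = 0
        0x00,                # CEEM/RDMC/SDK/CKOD/CKORP/CKORL left at defaults
        encrypt_mode,        # 2 = ENCRYPT
        decrypt_mode,        # 2 = DECRYPT
        algorithm_index,     # assumed value; drives report theirs via SPIN
        0x00,                # KEY FORMAT: plaintext key
        len(key),            # KEY LENGTH, after 8 reserved bytes
    ) + key
    return struct.pack(">HH", SET_DATA_ENCRYPTION, len(body)) + body

def build_spout_cdb(param_len):
    """12-byte CDB: opcode, protocol, page code, INC_512=0, transfer length."""
    return struct.pack(">BBHBxIxB", SPOUT_OPCODE, TAPE_DATA_ENCRYPTION,
                       SET_DATA_ENCRYPTION, 0x00, param_len, 0x00)

def key_in_page(page):
    """Read the key back out of a parameter list, as the receiving drive would."""
    (key_len,) = struct.unpack_from(">H", page, KEY_OFFSET - 2)
    return page[KEY_OFFSET:KEY_OFFSET + key_len]

if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed key for illustration only
    page = build_set_data_encryption(demo_key)
    print("CDB :", build_spout_cdb(len(page)).hex())
    print("page:", page[:KEY_OFFSET].hex(), "+ 32 key bytes")
```

The key travels in the command payload and is supplied by the application on every job, which is why whoever holds the password or key database owns key management in this model.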

DoJu
Advisor

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

Hi Curtis,

I've read through the ARCSERVE docs extensively along with numerous HPE white papers. I have also logged tickets with both ARCSERVE and HPE.

The general consensus is:

  • HPE state hardware encryption is not possible with standalone tape drives. Check with ISV vendor.
  • Arcserve state it does not provide any key when it detects the tape drive is capable of hardware compression.

    Yet ARCSERVE logs show:

Information 26/04/2022 11:49:10 AM 5175 1 13,010 file(s) 38,936.09 MB sent by agent @ 2,885.21 MB/min
Information 26/04/2022 11:35:32 AM 5175 1 Hardware encryption enabled on session 1
Information 26/04/2022 11:34:50 AM 5175 1 Tape Engine Encryption Enabled.
Information 26/04/2022 11:34:50 AM 5175 1 Data Compression Enabled

ARCSERVE doc also mentions:

“You can also create a session encryption password that is saved to the Arcserve Backup database. This password is used to encrypt session data”

https://documentation.arcserve.com/Arcserve-Backup/Available/R17/ENU/Bookshelf_Files/HTML/admingde/index.htm?toc.htm?asbu_data_encryption.htm

ARCSERVE confuses the matter further, under Global Options in a backup job, as it has an option:

Session/Encryption Password

This password will be used for verification during restores. Data is always encrypted using a randomly generated key.
Save Current Session/Encryption password in the ARCSERVE Database.

Encryption/Compression Methods

Encrypt Data (check box)
"At Backup Server during backup" - this means if ARCSERVE detects drive is hardware encryption capable, it will enable and use.