StoreEver Tape Storage
1748006 Members
4384 Online
108757 Solutions
New Discussion

Hardware Encryption using HPE LTO8 Standalone tape drives

 
DoJu
Frequent Advisor

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

Hi Cali,

The issue is where is the key stored in the case of recovery of data on a different tape drive or server?

Their documentation states the "Session / Encryption" password is stored in the ARCSERVE database.

What is not clear is if "Session / Encryption" password is TWO things:

1) Session Password for each backup session
2) Encryption Password (server key?) that is sent via SPOUT command to the hardware encryption supported tape drive / tape 

ARCSERVE doco clearly states:

https://documentation.arcserve.com/Arcserve-Backup/Available/R17/ENU/Bookshelf_Files/HTML/admingde/index.htm?toc.htm?asbu_data_encryption.htm

“You can also create a session encryption password that is saved to the Arcserve Backup database. This password is used to encrypt session data”

If you select to have your data encrypted during the backup or migration process, Arcserve Backup has the ability to detect if the final destination media (tape) is capable of hardware encryption and by default will automatically choose that hardware method if available.

Yet ARCSERVE Support state:

"Once you set the encryption password, as a backup session is submitted, the session encryption password is saved to the Arcserve Backup database in encrypted format using a random key and the Globally Unique Identifier (GUID) is saved as a binary value. During a restore session, the encrypted password is extracted from the Arcserve Backup database and decrypted. 

The restore session reads the Dummy Session Header from the Tape Engine and if server side encryption was used, the session GUID will be extracted from the Arcserve Backup database."

Only way I think to really find out what is going on is to enable DEBUG on the tape engine.

Curtis_Ballard
HPE Pro

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

If somebody from HPE told you that hardware encryption is not possible with standalone tape drives, I'm sorry but whoever said that was wrong.  I will let key people in the tape team know that there is some misinformation being shared.  I just confirmed that the HPE LTO-8 standalone drive user's guide discusses software managed encryption and that the application is responsible for the keys.

When software is managing the encryption there is very little HPE can do to provide help.  There is an encryption LED on the front of the drive but it isn't perfect.  It lights up if all the data on the tape is encrypted or if there is a header that isn't encrypted and the rest of the tape is encrypted but if an application writes some unecrypted data in the middle of the tape the light will go out but the drive might still be encrypting.  That is rare, I don't think Arcserve does that so you should see the encryption LED lit.

If you want to use the HPE Library and Tape Tools diagnostic tool to pull a support ticket from the drive when there is a tape in use then it is possible to tell that encryption is enabled.  I don't recall exactly how that is displayed but the LTT user's guide might say.

For security purposes there is very little encryption information reported out from the tape drive.


I work for HPE

Accept or Kudo

DoJu
Frequent Advisor

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

Hi Curtis,

Please refer to Case 5363402885, as quoted:

"As mentioned earlier since this is a Standalone External Tape Drive , hence we cannot use Hardware Encryption.

However you can check with your backup Software , on the Key location and where the key is stored. the key would have been provided by the backup application if it is a standalone tape drive. "

I work for a large Government Agency, and it has been a very long engagement with ISV (ARCSERVE) and HPE StoreEver to definitively ascertain if hardware encryptyion is working.

I believe ARCSERVE Session/Encryption password (Server Key) is being passed as SPOUT command to physical Tape Hardware and the IC's onboard perform encryption of files at hardware level.

ARCSERVE would like to talk with HPE engineers.

Thank you

 

Cali
Honored Contributor

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

Point 1, you can see in the GUI if your Tape does Support Hardware Encryption.
As far as I know, every LTO-4 and newer from every Vendor did have the Chip if Single Drive or Library.

Check it here: Can we use the hardware encryption with arcserve?

Point 2, as I wrote, you can Store the Password in the Backup Database or not.
If not, you need to enter the Password for every Restore.

See here: Arcserve Backup session password and encryption key management

The use of a KMS Server or USB Stick is Optional and a different (complex) thing.
Your provided document above explains this.

Cali

ACP IT Solutions AGI'm not an HPE employee, so I can be wrong.
DoJu
Frequent Advisor

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

Hi Curtis,

LTTReport returned:

Encryption/Decryption capability : Hardware encryption/decryption

Encryption key size : 32 bytes (256 bits)

Encrypted Data : Yes

Cartridge status and tape alert page:

EncryptedData 1

 

DoJu
Frequent Advisor

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

Thanks Cali,

Re: point 1

Correct, since LTO4 the tape drives have 'on board' ICs for hardware encryption, hence the non-degraded backup performance I have noted compared to 'At Agent' software based encryption.

Re: Point 2

ARCSERVE is vague in it's global configuration option "Session / Encryption" password.

No documentation on whether the SINGLE password represents two things:

1) the "Session" password used for each session e.g. C drive, D drive, E drive etc

2) the "Encryption" password is used for when "Encryption" checkbox is ticked, for "At Agent" this is software encryption, "at Backup Server", is hardware encryption (if tape drive/tape is encryption capable).  I can only assume ARCSERVE uses this password as a SPOUT command to tell the tape drive hardware to encrypt the files at the tape drive/tape hardware level.

Testing indicates it is BOTH 1 and 2, but there is no documentation from ARCSERVE about this configuration break-down of this critical component in this day and age.

Curtis_Ballard
HPE Pro

Re: Hardware Encryption using HPE LTO8 Standalone tape drives

I went and researched this using the case # information you provided.  I was able to locate the lab egineer that is supporting the agent.

Some of the confusion comes from a response from HPE support that was probably not as clear as it could have been.  The HPE support agent indicated that "we cannot use Hardware Encryption" but went on to say that a key could have been provided by the backup application.  What the support agent meant to convey was that the hardware "managed" encryption solutions sold and supported by HPE could not be used.  Software "managed" encryption was able to be used and that would be sold and supported by your backup application vendor.  The "managed" part was implied, not stated, and that was easily misinterpreted.

The LED on the front of the drive indicates that the drive is encrypting.  The L&TT support ticket information indicates that the tape contains encrypted data.  That is about all the information that HPE can provide on software managed encryption.  HPE can report that the software is enabling encryption, the drive is writing encrypted data, and that the data on the tape is encrypted.

You have to talk with your application vendor for any information about what encryption keys are used and how they are managed.

If you are able to use your password to read the tapes somewhere else then your application is somehow using the password either as the encryption key or to generate or lookup an encryption key. 

I saw some questions about an example in the HPE encryption white paper about an example showing a software tool loading an encryption key into the drive and the tool showed the key.  There was a question where that tool was for customers.  That tool was a test tool that is used to load specific encryption keys into the drive for testing purposes and was used as an example to show software loading a key into a drive.  Your application software performs that function in production.  Keys should never be exposed the way they are in that test tool and it is impossible for that test tool or any other to read encryption key information out of the drive.  Encryption keys are never stored on a tape, not even in an encrypted form.  The encryption keys are only used to generate media keys that are then used for writing data which is able to be read back with the original encryption key.  At most an encryption key label or name is able to be stored on the tape.  The application software either has to use external information such as a barcode or a password to lookup or generate an encryption key or it could store an encryption key label/name on the tape and read that then go lookup an encryption key.  To read encrypted data the encryption key has to be loaded into the drive from the application software.  When the drive reads data it takes the encryption key provided by the application and attempts to decode the data.  If the decode is successful then the drive returns the data, otherwise it returns an error.

Hopefully this information resolves your questions for HPE and I apologize for the response that was not as clear as it could have been.


I work for HPE

Accept or Kudo