I would recommend looking at a tape drive that has encryption build in. One example is the HP StorageWorks LTO-4 Ultrium 1840 Tape Drive. There is never a better time to ask for new hardware than when you are being requested to provide a solution to a legally mandated requirement.
One drawback is that this is a new very high performance drive, and you may have a hard time sending data to it fast enough to keep it from shoeshining. And without software to turn the encryption feature on, it will just be a latent capability.
There are many advantages to having the tape drive do the encryption. Besides offloading the necessary processing, it also does the compression prior to encryption, so the amount of media used for backups will not increase drastically. Remember that encrypted data appears random, and therefore does not effectively compress.
Have a look at
http://h18006.www1.hp.com/products/storageworks/lto4Encryp/index.htmlAccording to the compatibility chart, the drive is supported by both 8.2 and 8.3, but not by 7.3-2. That does not mean that you will be able to take advantage of the encryption capabilities, as the feature must be turned on, keys loaded, etc. That will require that the software being used to write to tape have the knowledge needed to communicate with an IEEE 1619.1 encrypting tape drive. I know nothing about what is planned for VMS BACKUP or Data Protector.
I was a bit surprised that the drive doesn't have any USB port on the front panel that would allow a "key" to be inserted into the drive. Whether such a device exists, I don't know. I do know that we have a MICR check printer that has a hardware key (I am not sure if it is USB or some proprietary hardware), but it is part of the "something you know and something you have" two part security.
There seems to be quite a bit of discussion about whether or not the encryption built into the LTO4 drive is "FIPS 170-2" compliant or not. Google for ( "IEEE 1619.1" "FIPS 140-2" )
http://www.google.com/search?hl=en&lr=&as_qdr=all&q=%22IEEE+1619.1%22+%22FIPS+140-2%22&btnG=SearchHP's description in their marketing brochure has the vague verbiage "has the potential to be part of wider data encryption solutions up to FIPS 140-2 level 2." But so does a notepad to keep documentation on.
Excerpt from
http://www.hpstoragemedia.com/files/english/sales_tools/storage_media_sales_tools/LTO4Brochure-EEE.pdf"HP's LTO4 Ultrium cartridges have the potential to be part of wider data encryption solutions up to FIPS 140-2 level 2. The media on its own incorporates AES-256 bit key encryption (the highest level of AES) capabilities to provide greater security. HP's implementation meets the current draft of IEEE 1619.1 tape encryption standard giving you peace of mind that if a tape goes missing, the data it contains cannot fall into the wrong hands."
it depends
