Operating System - OpenVMS
1838767 Members
3295 Online
110130 Solutions
New Discussion

Re: VMS Backup encryption

 
SOLVED
Go to solution
Phil Jamieson
New Member

VMS Backup encryption

Does the encryption product alter ANSI labels of backup tapes? Does it do ANYTHING with Backup's normal label processing?
12 REPLIES 12
Anton van Ruitenbeek
Trusted Contributor

Re: VMS Backup encryption

Phil,

Which encryption product ?

AvR
NL: Meten is weten, maar je moet weten hoe te meten! - UK: Measuremets is knowledge, but you need to know how to measure !
Ian Miller.
Honored Contributor

Re: VMS Backup encryption

"Which encryption product ?"
There is a layered product called ENCRYPT from DEC/CPQ/HP which provides an encryption API and a facility for BACKUP to encrypt savesets.
Interestingly there is a kit for it on the VMS V8.2 CD.

From what I can see in the manaual from the kit only the savesets are encrypted.
____________________
Purely Personal Opinion
Phil Jamieson
New Member

Re: VMS Backup encryption

The encryption product I'm thinking of is the one that enables encrypted savesets. I gather it's called Data Encryption Facility. It's gotten to via BACKUP/ENC

Just wondering how it works with ANSI labels on tapes.
Eberhard Wacker
Valued Contributor
Solution

Re: VMS Backup encryption

Hi, the product is called "Encryption for OpenVMS" and the latest version is 1.6 from 2001. The contents of the saveset (the file copies and the file information) are encrypted not the saveset file itself. The saveset file is standard RMS and so also label processing is standard VMS.
Cheers,
Eberhard
Ian Miller.
Honored Contributor

Re: VMS Backup encryption

Phil, thats the one and V1.6 is on the VMS V8.2 CDs. I'm not sure what the licencing of this product is now i.e. do you have to buy another licence.
____________________
Purely Personal Opinion
Phil Jamieson
New Member

Re: VMS Backup encryption

That about does it then. Thanks for the info.

Phil Jamieson
Software Partners, Inc.
Tom O'Toole
Respected Contributor

Re: VMS Backup encryption

Does anybody have a good solution to the following? -- encryption of data kills compressibility of the data.

It would be OK to compress first, but that

1) uses significant cpu cycles
2) makes backup/restore a two step process
3) wastes the hardware compression of available tape drives

If backup had a both /encrypt and /compress qualifiers, it would at least take care of 2) (obviously compress and encrypt would have to be done in the correct order).

What would be ideal is the encryption to be done within the tape drive, after the compression. Tape libraries could be equipped with smart cards. The drive would be designed to do the compress, then the encription (and vice versa on restore).

Does anybody know if such a device exists or is in the works?
Can you imagine if we used PCs to manage our enterprise systems? ... oops.
Steven Schweda
Honored Contributor

Re: VMS Backup encryption

> Does anybody have a good solution to the
> following? -- encryption of data kills
> compressibility of the data.

I can't speak for all encryption schemes, but
old (2.6.2) PGP documentation says:

Note that PGP attempts to compress the
plaintext before encrypting it.

If compression is built into the encryption
(so the CPU time is already wasted), where's
the problem?

Re-phrased: If encryption kills compressibility
by compressing, ...
Tom O'Toole
Respected Contributor

Re: VMS Backup encryption

Steven,

Yes, absolutely, that's great if backup/encrypt, of particular interest here, does some compression of the data. Anybody know if this is the case?

As encrypted tapes become the rule rather than the exception, should compression capability be taken out of tape drives, and the price lowered commensurately, if it's not going to be used effectively?

Can you imagine if we used PCs to manage our enterprise systems? ... oops.
Guy Peleg
Respected Contributor

Re: VMS Backup encryption

BACKUP/ENCRYPT encrypts all the saveset
records other than the header.
In the saveset header - only the command
typed by the user is encrypted, the rest of
the header is not encrypted.

BACKAP/ENCRYPT does not compress the data,
backup sends the encrypt facility 16 bytes
buffers for encryption and encrypt is
returning 16 bytes worth of encrypted data
so no comression.

Up until V8.2 BACKUP only support DES
encryption which is expensive (performance
wise). With the next version of the O/S
BACKUP will support AES encryption which is much stronger encryption and very cheap performance wise.

Also note that starting with V8.2 the
encrypt product is covered by the base O/S
license so no separate PAK is required.

As for data compression in BACKUP - this is
on the list and may show up in the near
future (however no promise).

fwiw,

Guy Peleg
OpenVMS Engineering

Guy Peleg
Respected Contributor

Re: VMS Backup encryption

oh...and to answer the question that
triggered this discussion - the label
of the tape does not change (not encrypted).

Guy
Tom O'Toole
Respected Contributor

Re: VMS Backup encryption

Guy,

This sounds a great. I have run some (very rough, to the null device) backup performance tests on 8.2 (both alpha and itanium and the results are similar). The DES encryption seems to require significant additional resources, almost certainly enough to prevent a modern tape drive from streaming. The new version sounds like just what the doctor ordered, in terms of backup performance, and strength of encryption.

A certain amount of compression is also a nice to have, but not as critical. Thanks!
Can you imagine if we used PCs to manage our enterprise systems? ... oops.