05-01-2022 04:21 PM - last edited on 05-03-2022 09:17 PM by support_s
Hardware Encryption using HPE LTO8 Standalone tape drives
Hi All,
Can someone advise how hardware encryption / key management works on standalone HPE LTO tape drives?
I note plenty of HPE documentation on “Encryption technology for HPE StoreEver LTO Ultrium Tape Drives” but nothing on Key Management to do so when it comes to stand-alone HPE tape drives.
Our Backup Software (ARCSERVE) detects hardware encryption capability on the standalone tape drive and enables and encrypts the backup.
Information 28/04/2022 06:05:47 PM 5198 3 Hardware encryption enabled on session 3
Information 28/04/2022 06:00:57 PM 5198 3 Tape Engine Encryption Enabled.
Overview of how encryption works in a stand-alone HPE StoreEver LTO Ultrium Tape Drive
HPE StoreEver LTO Ultrium Tape Drive encryption is specified as part of the LTO-4 and later open standard format with the Advanced Encryption Standard—Galois/Counter Mode (AES-GCM) algorithm implemented in the tape drive formatter electronics. The implementation supports the Institute of Electrical and Electronics Engineers (IEEE) P1619.1 standard for tape-based encryption and the T10 SCSI command set.
Appendix B shows the SPOUT Engineering Utility - showing a Server Key, where can this utility be obtained?
Thanks!
05-01-2022 05:22 PM
Query: Hardware Encryption using HPE LTO8 Standalone tape drives
System recommended content:
1. HPE XP8 Encryption User Guide (v08)
2. HPE StoreEver MSL Tape Libraries Encryption Key Server Configuration Guide
05-02-2022 07:36 AM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
Hi DoJu,
in most cases, you simply add an Encryption Password to the Backup Software.
After setting, all Data that lands on the Tape is encrypted with this Password.
If the Tape Drive has an Encryption Chip (as Yours), it is done by Hardware, if not by the Backup Software.
Hardware is preferred as it is faster and can also use compression (on Tape Drive).
Additionally, you can set if the Password is stored in the Software (Backup Server) or not.
If stored, you can restore on this Backup Server without entering a password; if not, you need a Password every time for Tape access.
If you need more Security, you can use a Secure Manager or a USB Stick in the Tape that gives a Token for every Tape.
Most of the time we use Hardware Encryption with stored Passwords; this gives safety for "Lost" Tapes.
See here: Administration Guide (arcserve.com)
Page 114-116
Arcserve® Backup for Windows Administration Guide
Cali

05-02-2022 03:46 PM
Re: Query: Hardware Encryption using HPE LTO8 Standalone tape drives
Thanks for the information but I don't think the HPE XP8 supports standalone tape drives.
05-02-2022 04:26 PM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
Hi Cali,
We have ARCSERVE and there are two options for encryption in a backup job:
1) Each backup session has a "Session/Encryption" password.
I believe this is the session encryption password to protect the data from being merged/restored without first providing the password.
It mentions "This password will be used for verification during restores. Data is always encrypted using a randomly generated key".
The above is misleading as I believe there is no data being encrypted. It should really be renamed "Session Password" as no encryption is performed on the data.
2) Encrypt data Option
If the Administrator selects the "Encrypt Data" checkbox, then selects "At backup Server during backup", ARCSERVE detects if the media (e.g. LTO8 tape drive/tape) supports hardware encryption and if so, it will utilise:
Information 27/04/2022 06:01:14 PM 5189 1 Hardware encryption enabled on session 1
Information 27/04/2022 06:01:13 PM 5189 1 Source Directory: E:\Data
Information 27/04/2022 06:00:50 PM 5189 1 Arcserve Backup Client Agent for Windows is r17.5, build 8021
Information 27/04/2022 06:00:49 PM 5189 1 Tape Engine Encryption Enabled.
Information 27/04/2022 06:00:49 PM 5189 1 Data Compression Enabled
Information 27/04/2022 06:00:46 PM 5189 1 Global Backup Method: Full.
However, the issue is Key Management: HPE advised that, as it's a standalone tape drive, hardware encryption cannot be used, despite the above clearly showing hardware encryption enabled/used.
05-02-2022 04:35 PM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
I'm not an Arcserve customer and it has been a long time since I looked at it but my recollection is that Arcserve owns the encryption key and stores it in an Arcserve database so all of the key management is done by Arcserve. With a quick search I found a picture that seems to show that in the Arcserve documentation. Don't know if the link will come through but I'll try.
I can tell you that anybody that says a standalone tape drive can't use hardware encryption is forgetting that there are two tape hardware encryption usage models. Tape library managed LTO hardware encryption and software managed LTO hardware encryption. Software that has implemented software managed LTO hardware encryption can use tape drives in a tape library or standalone tape drives and encrypt on either. Only the tape library managed LTO hardware encryption can't be used with standalone tape drives.
HPE only sells tape library managed LTO hardware encryption but the LTO tape drives HPE sells will work with software managed LTO hardware encryption.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

05-02-2022 11:13 PM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
Hi Curtis,
RE: software managed LTO hardware encryption
ARCSERVE is only responsible for the Session / Encryption password; if it detects the hardware is encryption capable, it lets the tape drive itself perform the file encryption to LTO tape.
The issue is key management for stand alone tape drives when recovering files that have been encrypted by the tape drive itself.
HPE mention a SPOUT engineering tool, see page 18
https://www.hpe.com/psnow/doc/4aa5-2801enw?jumpid=in_lit-psnow-red
HPE advised “encryption .. this is from Backup Application. “
BUT
ARCSERVE advised there is no key management provided by their software as they ‘pass through’ to the hardware (via SPOUT commands to the Tape Drive ).
So the customer is left none-the-wiser.
05-02-2022 11:59 PM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
Good document, but I don't understand your problem.
Every LTO-4 Drive and later has a Hardware Encryption Chip (Stand-alone or Library).
If you set an Encryption Password (Pass Phrase) in ArcServe by "Encrypted Data Option", all Data on the Tape is now Encrypted.
Is this what you would like?
You don't need a Key Management (Internal or external) for this.
In the document above, it is named: Keys managed by ISV application but encryption is LTO hardware based
The only behavior is, that all Tapes are Encrypted with the same Password.
But normally, this is good enough.
Arcserve® Backup for Windows Administration Guide
Cali

05-03-2022 07:19 AM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
From the online documentation it looks like Arcserve either uses a password or integrates with a KMIP key server. If you are using a password then the password is your "key" and you are responsible for the key management. Arcserve has a way that you can have it save your password in an encrypted format in a database but you should still manage your passwords. If you integrate with a KMIP key server then the key server manages the encryption keys.
It sounds like you are probably using a password. The following is all I found on how passwords are used with a simple search of the Arcserve documentation. It doesn't seem to very clearly describe how it uses hardware encryption.
"You can also create a session encryption password that is saved to the Arcserve Backup database. This password is used to encrypt session data. For more information about passwords, see the topic How Password Management Works."
From your earlier comments I suspect that Arcserve support was telling you that they just pass through the password you provide in the SPOUT command and the tape drive uses that password as the encryption key.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

05-03-2022 02:42 PM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
Hi Curtis,
I've read through the ARCSERVE docs extensively along with numerous HPE white papers. I have also logged tickets with both ARCSERVE and HPE.
The general consensus is:
- HPE state hardware encryption is not possible with standalone tape drives. check with ISV vendor
- Arcserve state it does not provide any key when it detects the tape drive is capable of hardware compression.
Yet ARCSERVE logs show:
Information 26/04/2022 11:49:10 AM 5175 1 13,010 file(s) 38,936.09 MB sent by agent @ 2,885.21 MB/min
Information 26/04/2022 11:35:32 AM 5175 1 Hardware encryption enabled on session 1
Information 26/04/2022 11:34:50 AM 5175 1 Tape Engine Encryption Enabled.
Information 26/04/2022 11:34:50 AM 5175 1 Data Compression Enabled
ARCSERVE doc also mentions:
“You can also create a session encryption password that is saved to the Arcserve Backup database. This password is used to encrypt session data”
ARCSERVE confuses the matter further, under Global Options in a backup job, as it has an option:
Session/Encryption Password
This password will be used for verification during restores. Data is always encrypted using a randomly generated key.
Save Current Session/Encryption password in the ARCSERVE Database.
Encryption/Compression Methods
Encrypt Data (check box)
"At Backup Server during backup" - this means if ARCSERVE detects drive is hardware encryption capable, it will enable and use.
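One way to check Activity Log lines like those quoted in this thread, per job and session, for the two encryption messages. This is an added example, not code from any poster, Arcserve or HPE; it assumes the two numbers after the timestamp are job ID and session number, and the sample log lines are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample in the layout of the log lines quoted in this thread.
// Job 9001 logs both encryption messages; job 9002 logs only the tape engine one.
const sampleLog = `Information 26/04/2022 11:35:32 AM 9001 1 Hardware encryption enabled on session 1
Information 26/04/2022 11:34:50 AM 9001 1 Tape Engine Encryption Enabled.
Information 26/04/2022 11:34:50 AM 9001 1 Data Compression Enabled
Information 27/04/2022 06:00:49 PM 9002 1 Tape Engine Encryption Enabled.
Information 27/04/2022 06:00:49 PM 9002 1 Data Compression Enabled
Information 27/04/2022 06:00:46 PM 9002 1 Global Backup Method: Full.`

// Assumed layout: severity, date, time, AM/PM, job ID, session number, message.
var lineRE = regexp.MustCompile(`^\w+ \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M (\d+) (\d+) (.*)$`)

// SessionStatus records which encryption messages were logged for one session.
type SessionStatus struct {
	Job, Session       string
	EngineEncryption   bool // "Tape Engine Encryption Enabled." seen
	HardwareEncryption bool // "Hardware encryption enabled on session N" seen
}

// Audit groups log lines by job/session and returns the statuses sorted by key.
func Audit(log string) []SessionStatus {
	byKey := map[string]*SessionStatus{}
	for _, line := range strings.Split(log, "\n") {
		m := lineRE.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // not a log line in the assumed layout
		}
		key := m[1] + "/" + m[2]
		s, ok := byKey[key]
		if !ok {
			s = &SessionStatus{Job: m[1], Session: m[2]}
			byKey[key] = s
		}
		switch {
		case strings.HasPrefix(m[3], "Tape Engine Encryption Enabled"):
			s.EngineEncryption = true
		case m[3] == "Hardware encryption enabled on session "+m[2]:
			s.HardwareEncryption = true
		}
	}
	keys := make([]string, 0, len(byKey))
	for k := range byKey {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	out := make([]SessionStatus, 0, len(keys))
	for _, k := range keys {
		out = append(out, *byKey[k])
	}
	return out
}

func main() {
	for _, s := range Audit(sampleLog) {
		fmt.Printf("job %s session %s: engine=%v hardware=%v\n",
			s.Job, s.Session, s.EngineEncryption, s.HardwareEncryption)
	}
}
```

The log only records what the backup software reports about a session; it says nothing about where the key comes from or where it is kept.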
05-03-2022 02:53 PM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
Hi Cali,
The issue is where is the key stored in the case of recovery of data on a different tape drive or server?
Their documentation states the "Session / Encryption" password is stored in the ARCSERVE database.
What is not clear is if "Session / Encryption" password is TWO things:
1) Session Password for each backup session
2) Encryption Password (server key?) that is sent via SPOUT command to the hardware encryption supported tape drive / tape
ARCSERVE doco clearly states:
“You can also create a session encryption password that is saved to the Arcserve Backup database. This password is used to encrypt session data”
If you select to have your data encrypted during the backup or migration process, Arcserve Backup has the ability to detect if the final destination media (tape) is capable of hardware encryption and by default will automatically choose that hardware method if available.
Yet ARCSERVE Support state:
"Once you set the encryption password, as a backup session is submitted, the session encryption password is saved to the Arcserve Backup database in encrypted format using a random key and the Globally Unique Identifier (GUID) is saved as a binary value. During a restore session, the encrypted password is extracted from the Arcserve Backup database and decrypted.
The restore session reads the Dummy Session Header from the Tape Engine and if server side encryption was used, the session GUID will be extracted from the Arcserve Backup database."
Only way I think to really find out what is going on is to enable DEBUG on the tape engine.
05-03-2022 03:19 PM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
If somebody from HPE told you that hardware encryption is not possible with standalone tape drives, I'm sorry but whoever said that was wrong. I will let key people in the tape team know that there is some misinformation being shared. I just confirmed that the HPE LTO-8 standalone drive user's guide discusses software managed encryption and that the application is responsible for the keys.
When software is managing the encryption there is very little HPE can do to provide help. There is an encryption LED on the front of the drive but it isn't perfect. It lights up if all the data on the tape is encrypted or if there is a header that isn't encrypted and the rest of the tape is encrypted but if an application writes some unencrypted data in the middle of the tape the light will go out but the drive might still be encrypting. That is rare, I don't think Arcserve does that so you should see the encryption LED lit.
If you want to use the HPE Library and Tape Tools diagnostic tool to pull a support ticket from the drive when there is a tape in use then it is possible to tell that encryption is enabled. I don't recall exactly how that is displayed but the LTT user's guide might say.
For security purposes there is very little encryption information reported out from the tape drive.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

05-03-2022 11:05 PM - edited 05-03-2022 11:05 PM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
Hi Curtis,
Please refer to Case 5363402885, as quoted:
"As mentioned earlier since this is a Standalone External Tape Drive , hence we cannot use Hardware Encryption.
However you can check with your backup Software , on the Key location and where the key is stored. the key would have been provided by the backup application if it is a standalone tape drive. "
I work for a large Government Agency, and it has been a very long engagement with ISV (ARCSERVE) and HPE StoreEver to definitively ascertain if hardware encryption is working.
I believe ARCSERVE Session/Encryption password (Server Key) is being passed as SPOUT command to physical Tape Hardware and the IC's onboard perform encryption of files at hardware level.
ARCSERVE would like to talk with HPE engineers.
Thank you
05-04-2022 02:22 AM - edited 05-04-2022 02:24 AM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
Point 1, you can see in the GUI if your Tape does Support Hardware Encryption.
As far as I know, every LTO-4 and newer from every Vendor did have the Chip if Single Drive or Library.
Check it here: Can we use the hardware encryption with arcserve?
Point 2, as I wrote, you can Store the Password in the Backup Database or not.
If not, you need to enter the Password for every Restore.
See here: Arcserve Backup session password and encryption key management
The use of a KMS Server or USB Stick is Optional and a different (complex) thing.
Your provided document above explains this.
Cali

05-04-2022 09:50 PM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
Hi Curtis,
LTTReport returned:
Encryption/Decryption capability : Hardware encryption/decryption
Encryption key size : 32 bytes (256 bits)
Encrypted Data : Yes
Cartridge status and tape alert page:
EncryptedData 1
05-04-2022 10:05 PM - edited 05-05-2022 04:03 PM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
Thanks Cali,
Re: point 1
Correct, since LTO4 the tape drives have 'on board' ICs for hardware encryption, hence the non-degraded backup performance I have noted compared to 'At Agent' software based encryption.
Re: Point 2
ARCSERVE is vague in its global configuration option "Session / Encryption" password.
No documentation on whether the SINGLE password represents two things:
1) the "Session" password used for each session e.g. C drive, D drive, E drive etc
2) the "Encryption" password is used for when "Encryption" checkbox is ticked, for "At Agent" this is software encryption, "at Backup Server", is hardware encryption (if tape drive/tape is encryption capable). I can only assume ARCSERVE uses this password as a SPOUT command to tell the tape drive hardware to encrypt the files at the tape drive/tape hardware level.
Testing indicates it is BOTH 1 and 2, but there is no documentation from ARCSERVE about this configuration break-down of this critical component in this day and age.
05-10-2022 09:05 AM
Re: Hardware Encryption using HPE LTO8 Standalone tape drives
I went and researched this using the case # information you provided. I was able to locate the lab engineer that is supporting the agent.
Some of the confusion comes from a response from HPE support that was probably not as clear as it could have been. The HPE support agent indicated that "we cannot use Hardware Encryption" but went on to say that a key could have been provided by the backup application. What the support agent meant to convey was that the hardware "managed" encryption solutions sold and supported by HPE could not be used. Software "managed" encryption was able to be used and that would be sold and supported by your backup application vendor. The "managed" part was implied, not stated, and that was easily misinterpreted.
The LED on the front of the drive indicates that the drive is encrypting. The L&TT support ticket information indicates that the tape contains encrypted data. That is about all the information that HPE can provide on software managed encryption. HPE can report that the software is enabling encryption, the drive is writing encrypted data, and that the data on the tape is encrypted.
You have to talk with your application vendor for any information about what encryption keys are used and how they are managed.
If you are able to use your password to read the tapes somewhere else then your application is somehow using the password either as the encryption key or to generate or lookup an encryption key.
I saw some questions about an example in the HPE encryption white paper about an example showing a software tool loading an encryption key into the drive and the tool showed the key. There was a question where that tool was for customers. That tool was a test tool that is used to load specific encryption keys into the drive for testing purposes and was used as an example to show software loading a key into a drive. Your application software performs that function in production. Keys should never be exposed the way they are in that test tool and it is impossible for that test tool or any other to read encryption key information out of the drive. Encryption keys are never stored on a tape, not even in an encrypted form. The encryption keys are only used to generate media keys that are then used for writing data which is able to be read back with the original encryption key. At most an encryption key label or name is able to be stored on the tape. The application software either has to use external information such as a barcode or a password to lookup or generate an encryption key or it could store an encryption key label/name on the tape and read that then go lookup an encryption key. To read encrypted data the encryption key has to be loaded into the drive from the application software. When the drive reads data it takes the encryption key provided by the application and attempts to decode the data. If the decode is successful then the drive returns the data, otherwise it returns an error.
Hopefully this information resolves your questions for HPE and I apologize for the response that was not as clear as it could have been.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
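The key-label variant described in the post above, modelled in software as an added example (not code from the poster, HPE or Arcserve): the "tape" holds only a label and AES-256-GCM ciphertext, the application's key store holds the key, and a restore without the right key returns an error. The `KeyStore` and `Tape` types, the label and the choice to bind the label as associated data are assumptions of this model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Tape is what the cartridge holds in this model: a key label and ciphertext, never a key.
type Tape struct {
	KeyLabel          string
	Nonce, Ciphertext []byte
}

// KeyStore is the application's side: label -> 256-bit key (hypothetical structure).
type KeyStore map[string][]byte

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Backup creates a fresh key, records it under label, and "loads" it for the write.
func (ks KeyStore) Backup(label string, data []byte) (Tape, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Tape{}, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return Tape{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Tape{}, err
	}
	ks[label] = key
	return Tape{KeyLabel: label, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, []byte(label))}, nil
}

// Restore reads the label, looks the key up, and decodes; a missing or wrong key is an error.
func (ks KeyStore) Restore(t Tape) ([]byte, error) {
	key, ok := ks[t.KeyLabel]
	if !ok {
		return nil, errors.New("no key for label " + t.KeyLabel)
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, t.Nonce, t.Ciphertext, []byte(t.KeyLabel))
}

func main() {
	origin := KeyStore{}
	tape, _ := origin.Backup("TAPE-0001", []byte("session 1 data")) // constructed label and data
	data, err := origin.Restore(tape)
	fmt.Printf("original server: %q err=%v\n", data, err)
	_, err = KeyStore{}.Restore(tape) // different server, key store not migrated
	fmt.Println("new server, empty store:", err)
	_, err = KeyStore{"TAPE-0001": make([]byte, 32)}.Restore(tape) // wrong key, right label
	fmt.Println("new server, wrong key:", err)
}
```

In the password variant the post also mentions, the lookup step would be replaced by whatever the application does to turn the password into the key it loads.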
