StoreEver Tape Storage
LTO IV Tape Encryption

SOLVED
dsblack
Occasional Advisor

LTO IV Tape Encryption

I am trying to move data between two distinct non-networked locations. Location 1 is running AIX while location 2 is running Solaris. The data being transported are a series of large 30GB files. This data needs to be encrypted.

I want to know if it is possible to write an LTO IV encrypted tape on the AIX server and somehow read that tape on a separate LTO IV drive on a Solaris server?

The tape would be written with tar (GNU).

Thanks
Dennis Handly
Acclaimed Contributor

Re: LTO IV Tape Encryption

What type of tape drive are you using?
Hardware or software encryption?
dsblack
Occasional Advisor

Re: LTO IV Tape Encryption

I wanted to use a hardware-encrypted LTO IV drive. I fully expect software encryption to work (GPG / PGP) but want to avoid the well known issues with it.

The question I'm looking to get answered is how can I write a hardware-encrypted tape - using an LTO IV tape drive on an AIX box - and restore the same tape on a Solaris box using a different LTO IV tape drive - understanding that the two boxes are not on the same network.

Being that the key is not on the tape, I'm interested in understanding if I can share keys (if that is the right terminology) between environments?
Curtis Ballard
Honored Contributor
Solution

Re: LTO IV Tape Encryption

Trying to encrypt data and move it between two environments with tar will be tricky without some other support.

It can be done relatively easily if you have an MSL Series tape library (1/8 G2, 2024, 4048, 8096) and the encryption kit. That is a system that manages the encryption keys entirely on the tape library so anything written by tar will be encrypted.

With the MSL encryption kit the keys are stored on a USB token and require authentication before they can be accessed so transport of the token is pretty safe. You can also perform a backup to a file and email or otherwise transfer the file to transfer keys. The backup file is encrypted so you have to have a password again to get back in.

Without hardware support you would probably want to use something like HP Data Protector instead of tar so that the software could load and manage the encryption keys.
dsblack
Occasional Advisor

Re: LTO IV Tape Encryption

Thanks Curtis.

We are looking for a solution that is more portable (less expensive) than a library (which would actually mean two libraries) - that is why we wanted to know if we could do it with 2 stand-alone drives?
Curtis Ballard
Honored Contributor

Re: LTO IV Tape Encryption

Attempting to do it with 2 standalone drives would require software support from some backup application that understands the key exchange protocol.
dsblack
Occasional Advisor

Re: LTO IV Tape Encryption

Being that this is a one-time shot (with this customer) and the next customer may be a Linux / Windows or whatever OS customer, is there something you recommend - understanding our Solaris environment is a constant and this job requires work with AIX?
Curtis Ballard
Honored Contributor

Re: LTO IV Tape Encryption

If being able to transport data between locations and have that data safely encrypted is a periodic need, I would look into getting a 1/8 G2 autoloader and PLK encryption kit. The job could be done with just one autoloader as you could load the data at one site, transfer the autoloader to another, then recover. I wouldn't recommend it, but even if the autoloader and tapes are transported together you still have protection, as the encryption token and the password to that token are required before the data can be accessed.

Having the encryption totally managed by the autoloader would give you freedom from your environment and applications. Using a simple tool available just about everywhere like tar works and your data is protected.

Like you say software methods exist and you could do it but there is going to be more overhead and dependence on the tool chosen. For any large amount of data tape is the cheapest solution for encrypting and transporting large amounts of data.
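The software alternative the thread mentions (tar piped through GPG), as an added example that is not part of the original thread and not HP's or any product's code: it assumes GNU tar and gpg 2.x are installed on both hosts, uses a regular file as a constructed stand-in for the tape device (on the real AIX and Solaris hosts TAPE would point at the non-rewinding tape device), and shares only a passphrase between the two sites rather than a hardware token.

```shell
#!/bin/sh
# Added example (not from the thread): portable software encryption of a tar
# stream with GnuPG symmetric (passphrase) mode, so that the tape written on one
# OS can be read on another with nothing more than tar, gpg and the passphrase.
# Assumptions: GNU tar and gpg 2.x on both hosts; TAPE is a regular file here as a
# constructed stand-in for the drive (e.g. /dev/rmt/0n on a real host).

TAPE="${TAPE:-./tape.img}"

# write_encrypted_tape SRCDIR PASSFILE
#   tar SRCDIR, encrypt the stream with AES-256 under the passphrase in PASSFILE,
#   and write the ciphertext to TAPE. Only ciphertext ever reaches the medium.
write_encrypted_tape() {
  tar -C "$1" -cf - . \
    | gpg --batch --yes --pinentry-mode loopback --passphrase-file "$2" \
          --cipher-algo AES256 --symmetric --output - > "$TAPE"
}

# read_encrypted_tape DESTDIR PASSFILE
#   decrypt TAPE with the same passphrase and extract the tar stream into DESTDIR.
#   A wrong passphrase makes gpg fail before tar sees any data.
read_encrypted_tape() {
  mkdir -p "$1"
  gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$2" --decrypt "$TAPE" \
    | tar -C "$1" -xf -
}

# demo: constructed data, round trip through the stand-in tape, then compare.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src"
  printf 'hello from AIX\n' > "$work/src/file1.txt"
  printf 'constructed-passphrase' > "$work/pass"
  chmod 600 "$work/pass"
  TAPE="$work/tape.img"
  write_encrypted_tape "$work/src" "$work/pass"
  read_encrypted_tape "$work/dst" "$work/pass"
  cmp "$work/src/file1.txt" "$work/dst/file1.txt" && echo "round trip OK: $TAPE"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run with `sh tape-gpg.sh demo` to see the round trip, or source the file and call the two functions with `TAPE` pointing at the real device. The passphrase file is the only secret that has to travel between sites, which is the trade-off Curtis describes: nothing ties the tape to a drive or library, but key handling is entirely up to the operators on each end.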
dsblack
Occasional Advisor

Re: LTO IV Tape Encryption

Curtis -

Thanks again.

This is a one-time event with our customer, but the transfer would not be all in one shot - hence why I originally wanted two single drives. If I had two loaders, one always at my site and the other at a customer site - could I share tapes between them?
Curtis Ballard
Honored Contributor

Re: LTO IV Tape Encryption

Yes, if you had two autoloaders you could share tapes between them. To do that you use the encryption kit, which has two encryption tokens in it. You back up the tapes on the first library and then use the library's web interface to back up the token to a file.

The token backup file can be safely transported through any file transfer mechanism as it is encrypted and cannot be decoded except by an MSL tape library after you enter the password.

At the other end you have the second token in the second autoloader and you can restore the backup file onto the second token then you have a copy of the keys at both ends.

If the source autoloader is configured to only generate new write keys on request then you are done. If you need to periodically create a different key you can manually request a new write key or you can set a schedule. The default is that a new write key is created every month.

If the customer is really security conscious you can have them own and enter the token passwords and backup file passwords; then at the end of the job even you can't get to the data.