Discussions related to exporting backups to tape and backing up directly to tape.
Post Reply
dnicollier
Lurker
Posts: 2
Liked: never
Joined: Oct 08, 2015 2:04 pm
Contact:

Encryption Tape Mechanism

Post by dnicollier »

Hello,

I have questions about the tape encryption.

For audit purpose i need to validate the encryption on the tape, what this the procedure to show this to an auditor ?

When restore a veeam backup from a tape (vbk file), he does not ask for the encryption password, How to set this paramater to always ask for the password ?

Thanks for your support and help
Shestakov
Veteran
Posts: 7328
Liked: 781 times
Joined: May 21, 2014 11:03 am
Full Name: Nikita Shestakov
Location: Prague
Contact:

Re: Encryption Tape Mechanism

Post by Shestakov »

Hello and welcome to the forums!
Encryption for tapes is set not in the job, but at the mediapools.
Have you enabled it there?
Thanks!
dnicollier
Lurker
Posts: 2
Liked: never
Joined: Oct 08, 2015 2:04 pm
Contact:

Re: Encryption Tape Mechanism

Post by dnicollier »

Yes, it was enabled

But you know auditor... we need to prove that the tape is really encrypted.

And for the password do you have an idea ?
Shestakov
Veteran
Posts: 7328
Liked: 781 times
Joined: May 21, 2014 11:03 am
Full Name: Nikita Shestakov
Location: Prague
Contact:

Re: Encryption Tape Mechanism

Post by Shestakov »

To check that the tape is encrypted, you can deploy another server and import the tape there. If you try to restore there, the password will be asked.
It`s not asked on the same server by design.
Thanks!
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Encryption Tape Mechanism

Post by Dima P. »

If its software encryption with the password set in Veeam B&R (while hardware encryption is not enabled in the tape library) you could remove the encryption password used for tapes and then load the encrypted media back. I assume the password should be promoted upon cataloging the tape media.

Please test my assumption first on non-production media with non-production encryption password.
A.Lamsdell
Influencer
Posts: 11
Liked: 2 times
Joined: Feb 15, 2016 10:36 am
Full Name: Antony Lamsdell
Contact:

[MERGED] Unable to confirm tape encryption is working

Post by A.Lamsdell »

Hi Guys,

Currently encrypting all media pools with encryption keys and I need to confirm that they are working. If I edit a key to something else or remove it then, to my knowledge, the tape should not catalogue or be readable by that veeam server as it has not got the correct keys.

So far it seems to catalogue tapes and recover files.

Anything I might be missing at a basic user level before I run off to support?
Shestakov
Veteran
Posts: 7328
Liked: 781 times
Joined: May 21, 2014 11:03 am
Full Name: Nikita Shestakov
Location: Prague
Contact:

Re: Encryption Tape Mechanism

Post by Shestakov »

Hi Antony,
Please try one of the methods suggested above.
By the way, do you use hardware or software encryption?
Thanks
A.Lamsdell
Influencer
Posts: 11
Liked: 2 times
Joined: Feb 15, 2016 10:36 am
Full Name: Antony Lamsdell
Contact:

Re: Encryption Tape Mechanism

Post by A.Lamsdell »

Hi Shestakov,

I am unsure if the tape silo supports hardware encryption or not (TL2000, I'll look it up and provide a full response when my work load permits) but I assume it'll default to hardware if it has it or software if it doesn't.

So reading this it looks like Veeam automatically manages the encryption keys. If I remove a key from the media pool or edit it will the encryption key be maintained in the job metadata for that tape to auto unlock it when accessed? I've removed encryption keys from the server and it's all been accessible. I'll see what I can do about redeploying the tape silo to a new veeam server to test it out.
lyapkost
Expert
Posts: 221
Liked: 48 times
Joined: Nov 27, 2015 2:26 pm
Full Name: Konstantin
Location: Saint Petersburg
Contact:

Re: Encryption Tape Mechanism

Post by lyapkost »

Hi. In case you are using software encryption and don't want to deploy another server as suggested above, you can do the following: a) remove encryption from media pool; b) mark tapes in this media pool as free (do not erase!) c) delete password used to encrypt the media pool with Password Manager; d) catalog tapes. You will see warning telling that the password needs to be provided (right click on the tape - 'specify password'). So recovery is impossible until tapes are being decrypted.
A.Lamsdell
Influencer
Posts: 11
Liked: 2 times
Joined: Feb 15, 2016 10:36 am
Full Name: Antony Lamsdell
Contact:

Re: Encryption Tape Mechanism

Post by A.Lamsdell »

Thanks Lyapkost, tested and confirmed working in a couple of minutes!

Much Appreciated
rreed
Veteran
Posts: 354
Liked: 72 times
Joined: Jun 30, 2015 6:06 pm
Contact:

Re: Encryption Tape Mechanism

Post by rreed »

Do we have an update to this by any chance, please? Which method did you use?
VMware 6
Veeam B&R v9
Dell DR4100's
EMC DD2200's
EMC DD620's
Dell TL2000 via PE430 (SAS)
veremin
Product Manager
Posts: 20270
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Encryption Tape Mechanism

Post by veremin »

Feel free to use the approach described by Konstantin. It should be enough to confirm encryption operability. Thanks.
Post Reply

Who is online

Users browsing this forum: ShawnKPERS and 26 guests