Discussions related to exporting backups to tape and backing up directly to tape.
Post Reply
adam900331
Veteran
Posts: 312
Liked: 22 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Hardware encryption on tape library

Post by adam900331 »

Hy.

If I use hardware encryption on tape library, can I check that Veeam use hardware encryption during backup to tape job?

Thanks.
Regnor
VeeaMVP
Posts: 1007
Liked: 314 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Hardware encryption on tape library

Post by Regnor » 1 person likes this post

If available, Veeam will use hardware encryption for the tape backup.
If you check the tasks in your tape job log, there should be a line stating which type of encryption is used.
Something similiar like this one:
New tape backup session started, encryption: hardware
veremin
Product Manager
Posts: 20413
Liked: 2302 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Hardware encryption on tape library

Post by veremin »

Sure, you need to enable encryption in the media pool settings. Hardware encryption has a higher priority and will be selected over software encryption during tape processing (as long as the hardware system supports it). Thanks!
adam900331
Veteran
Posts: 312
Liked: 22 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Re: Hardware encryption on tape library

Post by adam900331 »

Hy again!

If I use the hardware encryption on tape library, why get the following message during backups to tape job?
New tape backup session started, encryption: disable

Can I configure something in Veeam to use hardware encryption?

Thanks.
adam900331
Veteran
Posts: 312
Liked: 22 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Re: Hardware encryption on tape library

Post by adam900331 »

I checked the log:

Code: Select all

[06.10.2022 10:39:56.838] < 17696> mt       | Getting tape label from cartridge memory for \\.\Tape0
[06.10.2022 10:39:56.838] < 17696> mt       |   Initializing tape device: \\.\Tape0
[06.10.2022 10:39:56.838] < 17696> mt       |   Start open \\.\Tape0
[06.10.2022 10:39:56.840] < 17696> mt       |   Current tape device activity is 14 (Reading encrypted from medium.).
[06.10.2022 10:39:56.850] < 17696> mt       |   Drive encryption status:
[06.10.2022 10:39:56.850] < 17696> mt       |   Encryption Mode: Encrypt
[06.10.2022 10:39:56.850] < 17696> mt       |   Decryption Mode: Mixed
[06.10.2022 10:39:56.850] < 17696> mt       |   Raw Decryption Mode Disabled (RDMD): Disabled
[06.10.2022 10:39:56.850] < 17696> mt       |   Volume Contains Encrypted Logical Blocks (VCELB): Enabled
[06.10.2022 10:39:56.850] < 17696> mt       |   Logical Block encryption parameters: Library/Key Management Appliance Managed
[06.10.2022 10:39:56.850] < 17696> mt       |   Key Associated Data (KAD) Descriptor: Wrapped public key
[06.10.2022 10:39:56.850] < 17696> mt       |   Hardware encryption is not available
If I want to use hardware encryption can I enable it on media pool and specify a password?
https://helpcenter.veeam.com/docs/backu ... ml?ver=110

Thanks.
Regnor
VeeaMVP
Posts: 1007
Liked: 314 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Hardware encryption on tape library

Post by Regnor »

Exactly, that's right. You need to enable encryption in the media pool and create/enter a secure password.

I initially didn't get your question correctly. Hardware encryption is just the feature a library can offer and a backup solution can work with, but it doesn't by itself encrypt your tapes. If you didn't have hardware encryption available, Veeam would be able to use software encryption. Regardless of both, you need to configure Veeam to encrypt the tapes.
adam900331
Veteran
Posts: 312
Liked: 22 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Re: Hardware encryption on tape library

Post by adam900331 »

I enabled the encryption on media pool. Now the backup to tape job use software based encryption:
New tape backup session started, encryption: software

But my goal is to use hardware encryption. The hardware encryption in enabled on tape library.
vmtech123
Veeam Legend
Posts: 251
Liked: 136 times
Joined: Mar 28, 2019 2:01 pm
Full Name: SP
Contact:

Re: Hardware encryption on tape library

Post by vmtech123 »

Interesting, I never looked at this before. Just checked mine.
New tape backup session started, encryption: software


Following.
Regnor
VeeaMVP
Posts: 1007
Liked: 314 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Hardware encryption on tape library

Post by Regnor » 1 person likes this post

If your library/drive has hardware encryption enabled, the I would check if you have the correct driver installed on your tape server.
vmtech123
Veeam Legend
Posts: 251
Liked: 136 times
Joined: Mar 28, 2019 2:01 pm
Full Name: SP
Contact:

Re: Hardware encryption on tape library

Post by vmtech123 »

Haha, Nice one Regnor.

I just checked, not enabled. For some reason I always just assumed it was enabled and working until I checked this.

Seem to be working fine with software anyways. I don't think we need to buy the licenses. Funny I never noticed that. I have one library encrypted and one not so i'll see if there is any performance hit. so far so good.
adam900331
Veteran
Posts: 312
Liked: 22 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Re: Hardware encryption on tape library

Post by adam900331 »

Hy.

The hardware encryption process not clear for me. The hardware encryption is enabled on tape library, but the Veeam show this message during the tape job: New tape backup session started, encryption: disable

The tape job log show this message:
Hardware encryption is not available

The library is MSL3040. It seems to the hardware encryption is transparent for Veeam and this is why not see the hardware encryprion process. Ehat do you think, is it true? Are there any communicatin between tape library and Veeam regarded to encryption?

Thnaks.
adam900331
Veteran
Posts: 312
Liked: 22 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Re: Hardware encryption on tape library

Post by adam900331 »

vmtech123 wrote: Oct 07, 2022 6:15 pm Haha, Nice one Regnor.

I just checked, not enabled. For some reason I always just assumed it was enabled and working until I checked this.

Seem to be working fine with software anyways. I don't think we need to buy the licenses. Funny I never noticed that. I have one library encrypted and one not so i'll see if there is any performance hit. so far so good.
Hy Vmtech.

If you use hardware encryption and Veeam say software encryption. How can you check that the tape library use hardware encryption instead of software?
Regnor
VeeaMVP
Posts: 1007
Liked: 314 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Hardware encryption on tape library

Post by Regnor »

@vmtech123: I'm not sure if this needs to be licensed. In my opinion every library or tape drive is capable of doing hardware encryption. From a performance perspective it will probably not make much difference.

@adam900331: Have you installed the official HPE drivers?
https://support.hpe.com/connect/s/softw ... anguage=de

I can't look at the configuration of the MSL3040 but I never had to change anything in order to utilize hardware encryption. Is it enabled at the partition level? Any chance you've disabled the 'controlled by backup application' option?
adam900331
Veteran
Posts: 312
Liked: 22 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Re: Hardware encryption on tape library

Post by adam900331 »

Hy.

Yes, I installed the driver what you linked. And also enabled the hardware encryption on the partition. I select the USB - MSL Encryption.
Regnor
VeeaMVP
Posts: 1007
Liked: 314 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Hardware encryption on tape library

Post by Regnor »

USB would be something different. With this option the library itself would do/manage the encryption and you would have to connect the USB encryption key from HPE.
If you want Veeam to manage the encryption, you'll have to use a different option. What else can you select there?
adam900331
Veteran
Posts: 312
Liked: 22 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Re: Hardware encryption on tape library

Post by adam900331 »

There are two option what i can select:
Controlled by backup application
USB - MSL Encryption kit

The connected USB device is an HPE USB key. So is it possible the encrpytion process manage by tape library, and this process transparent for Veeam? And thi is the reason to write the Veeam during the tape job: New tape backup session started, encryption: disable?
Regnor
VeeaMVP
Posts: 1007
Liked: 314 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Hardware encryption on tape library

Post by Regnor »

I've never worked with the encryption kit, so I cant really help you here. In theory the library manages encryption and Veeam won't be aware of it. Therefore the message encryption disabled. If you go with that way I would suggest to contact someone with experience or read more about it. Just to be sure it's working as expected and that you won't lose your encryption keys.

If you want Veeam to manage the encryption then you would need the option 'Controlled by backup application'. And then you enable encryption in the media pool.
Dima P.
Product Manager
Posts: 14726
Liked: 1706 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Hardware encryption on tape library

Post by Dima P. »

adam900331,
So is it possible the encrpytion process manage by tape library, and this process transparent for Veeam?
It is transparent, whenever the encryption is enabled in B&R the job will either use software encryption or hardware encryption when it's available.
And thi is the reason to write the Veeam during the tape job: New tape backup session started, encryption: disable?
That means tapes are unencrypted.

Try setting up Controlled by backup application - that means Veeam B&R manages the keys while drives are using these keys to encrypt the media.
Kimme
Novice
Posts: 3
Liked: never
Joined: Mar 10, 2011 11:28 am
Contact:

Re: Hardware encryption on tape library

Post by Kimme »

Try setting up Controlled by backup application - that means Veeam B&R manages the keys while drives are using these keys to encrypt the media.
But hopefully this does not mean that if hardware encryption is performed by the tape drive, the keys are limited to the drive, i.e. that I can no longer decrypt when changing the tape drive (e.g. in the event of a defect)?
Post Reply

Who is online

Users browsing this forum: Google [Bot], Semrush [Bot] and 9 guests