-
- Novice
- Posts: 7
- Liked: 2 times
- Joined: May 21, 2013 5:09 pm
- Full Name: Brandon Patton
- Location: Indiana
- Contact:
v7 Tape Encryption
Hello All,
I see there is a breakout for tape related topics here, so figure we'd start the ball rolling with the talk of encryption. I realize there are several forums of customers and support going back and forth, but figure this discussion still needs to be ongoing and in one spot.
Like most people that I've read in this forum, we too use BackupExec for the sole purpose of transferring Veeam backup files to tape. We absolutely hate it, which is one reason why we have been eagerly awaiting the arrival of v7. Unfortunately though, our policies with our customers and vendors require that the tapes are encrypted. As Veeam is unable to provide encryption support (as encryption must be transparent to Veeam) at this time, that leaves a gap for people still wanting to take advantage of Veeam's tape support, but also find a way to encrypt the information.
*Note to Veeam - I'm thinking rather than doing the encryption within Veeam, which makes you responsible for handling the encryption, just having a way to pass the encryption key and strength to the tape drivers would suffice for most of us. Could be wrong and maybe that is a more difficult way of doing things.
So fellow customers, who have to have encrypted tapes, what are your plans once v7 drops? I've heard people trying everything from using 7zip (compression turned off) to encrypt the backup files once they are complete to some people resorting to just sticking around with BackupExec (yuck). Anyone had any luck using a given utility to activate encryption on their drive full time?
Just looking to see what other people have tried or plan to try once v7 hits the shelf. We are at least going to try the 7zip idea, and are actively researching to what utilities are available for our tape drive (Dell LTO6).
I see there is a breakout for tape related topics here, so figure we'd start the ball rolling with the talk of encryption. I realize there are several forums of customers and support going back and forth, but figure this discussion still needs to be ongoing and in one spot.
Like most people that I've read in this forum, we too use BackupExec for the sole purpose of transferring Veeam backup files to tape. We absolutely hate it, which is one reason why we have been eagerly awaiting the arrival of v7. Unfortunately though, our policies with our customers and vendors require that the tapes are encrypted. As Veeam is unable to provide encryption support (as encryption must be transparent to Veeam) at this time, that leaves a gap for people still wanting to take advantage of Veeam's tape support, but also find a way to encrypt the information.
*Note to Veeam - I'm thinking rather than doing the encryption within Veeam, which makes you responsible for handling the encryption, just having a way to pass the encryption key and strength to the tape drivers would suffice for most of us. Could be wrong and maybe that is a more difficult way of doing things.
So fellow customers, who have to have encrypted tapes, what are your plans once v7 drops? I've heard people trying everything from using 7zip (compression turned off) to encrypt the backup files once they are complete to some people resorting to just sticking around with BackupExec (yuck). Anyone had any luck using a given utility to activate encryption on their drive full time?
Just looking to see what other people have tried or plan to try once v7 hits the shelf. We are at least going to try the 7zip idea, and are actively researching to what utilities are available for our tape drive (Dell LTO6).
--
Brandon Patton
Brandon Patton
-
- Product Manager
- Posts: 20400
- Liked: 2298 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: v7 Tape Encryption
Hi, Brandon.We are at least going to try the 7zip idea, and are actively researching to what utilities are available for our tape drive (Dell LTO6).
One potential issue I can see with using 7-zip is that in this case you will be tied to a “file to tape” job and, it, in its turn, results in the lack of tracking mechanism - you won’t know on which tape medias particular VMs reside on, what medias are required in order to restore certain VM, etc.
Thanks.
-
- Chief Product Officer
- Posts: 31803
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: v7 Tape Encryption
Hi Brandon, does your tape device support native encryption? Is it possible to turn this off in the device settings? My knowledge around how various tape device implement control around native tape encryption is limited, but from what I heard you can simply enable that in the device settings most of the times. Thanks!
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: v7 Tape Encryption
LTO devices that support encryption do so using the SCSI T10 extensions. This allows for the exchange of keys between the host system key management and the device. Most vendors provide options for managing this encryption outside of Veeam, typically in combination with a simple key management systems running on the host. System or library managed encryption is generally an extra cost option for a tape library, but this is going to be the best option if you require encryption support with V7. Some vendors include this basic functionality when you purchase a tape device with hardware encryption capabilities.
-
- Novice
- Posts: 7
- Liked: 2 times
- Joined: May 21, 2013 5:09 pm
- Full Name: Brandon Patton
- Location: Indiana
- Contact:
Re: v7 Tape Encryption
Hi all,
In my case, all of our encryption is currently controlled by BackupExec (as far as me telling BackupExec that I want it to use the drive encryption). The tape drive does support hardware encryption, but I've never figured out any utility or method to actually talk to the tape itself, other than through BackupExec.
From the sounds of it, sounds like there are options out there, just a matter of hunting. Cool!
In my case, all of our encryption is currently controlled by BackupExec (as far as me telling BackupExec that I want it to use the drive encryption). The tape drive does support hardware encryption, but I've never figured out any utility or method to actually talk to the tape itself, other than through BackupExec.
From the sounds of it, sounds like there are options out there, just a matter of hunting. Cool!
--
Brandon Patton
Brandon Patton
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: v7 Tape Encryption
Yes, pretty much every vendor has their own separate application that can manage the encryption independent of the actual backup software. The biggest "con" to this approach is that it's pretty much all or nothing, you encrypt the entire tape or you don't encrypt at all, while with the application, you can pick on a "per-job" basis to only encrypt for data that requires it. I don't really see this as much of a con, but I guess it could be.
Dell refers to this as "library-managed" encryption and I think the software is called Dell Encryption Key Manager.
HP MSL series has the "MSL Encryption Kit"
These are just two vendors that I happen to know their solutions off the top of my head, but every major vendor I've seen has such an option, although the exact implementation differ, the overall idea is the same, to enable hardware level encryption on the device in an application transparent way.
Dell refers to this as "library-managed" encryption and I think the software is called Dell Encryption Key Manager.
HP MSL series has the "MSL Encryption Kit"
These are just two vendors that I happen to know their solutions off the top of my head, but every major vendor I've seen has such an option, although the exact implementation differ, the overall idea is the same, to enable hardware level encryption on the device in an application transparent way.
-
- Novice
- Posts: 7
- Liked: 2 times
- Joined: May 21, 2013 5:09 pm
- Full Name: Brandon Patton
- Location: Indiana
- Contact:
Re: v7 Tape Encryption
I wasn't even aware that Dell had something like. Going to check it out!
--
Brandon Patton
Brandon Patton
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: v7 Tape Encryption
Let me know if you have issues finding it but they have pretty decent information on their web site and should have support for all current generation libraries with LTO4, 5, & 6 on the TL and ML series. Basically you enable the library managed encryption option on the library via a key, and install EKM (OK, that's a simplified version, but it's not terribly complex). The EKM server can support multiple libraries so that tapes can be easily moved between libraries so it's a pretty decent solution. Let us know what you find out.
-
- Novice
- Posts: 7
- Liked: 2 times
- Joined: May 21, 2013 5:09 pm
- Full Name: Brandon Patton
- Location: Indiana
- Contact:
Re: v7 Tape Encryption
Trying to find the solution (having difficulty getting good info) - but it appears that the Dell encryption method (EKM) requires us to have a TL or ML system - we simply have a standalone drive in a PowerVault chassis. So since we're not as a library, don't think this solution will work.tsightler wrote:Let me know if you have issues finding it but they have pretty decent information on their web site and should have support for all current generation libraries with LTO4, 5, & 6 on the TL and ML series. Basically you enable the library managed encryption option on the library via a key, and install EKM (OK, that's a simplified version, but it's not terribly complex). The EKM server can support multiple libraries so that tapes can be easily moved between libraries so it's a pretty decent solution. Let us know what you find out.
Looks like we're going to be keeping Symantec around for awhile yet. *shrug*
--
Brandon Patton
Brandon Patton
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: v7 Tape Encryption
Ah, I didn't know you didn't have a library.
-
- Enthusiast
- Posts: 47
- Liked: 4 times
- Joined: Feb 05, 2013 6:56 pm
- Full Name: Jason K. Brandt
- Contact:
[MERGED] : Feature Request - Tape Encryption
A suggestion/request for a future release, would be some form of at least basic encryption on what's written to tape, to please the regulators out there. A good crypt of some sort would be ideal
Thanks!
Thanks!
-
- Veeam Software
- Posts: 21138
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Feature Request - Tape Encryption
Jason, thanks for the feedback. Already on our short-term list.
Please be aware that you have the ability to use hardware-based encryption provided by the library.
Please be aware that you have the ability to use hardware-based encryption provided by the library.
-
- Enthusiast
- Posts: 47
- Liked: 4 times
- Joined: Feb 05, 2013 6:56 pm
- Full Name: Jason K. Brandt
- Contact:
Re: v7 Tape Encryption
Thanks for merging, I didn't see the existing topic. I will check into our library, to see if it supports hardware based encryption. Thanks for the suggestion.
-
- Influencer
- Posts: 11
- Liked: never
- Joined: May 31, 2011 10:21 pm
- Full Name: Thomas Moy
- Contact:
Re: v7 Tape Encryption
Just getting my feet wet with v7 Tape functionality, and found this thread. I'm probably in the minority here, small shop, using Retrospect, which I went to in rebellion from BackupExec a decade ago. I'm not using its file to tape functionality now, just using it to backup Veeam files. It does encrypted backups though.
So, regarding plans... I'd love to move away from tapes altogether... setting up a secondary LAN and a WAN repository. How taboo is breaking the 3-2-1 rule ?
-- Tom
So, regarding plans... I'd love to move away from tapes altogether... setting up a secondary LAN and a WAN repository. How taboo is breaking the 3-2-1 rule ?
-- Tom
brandon.patton wrote:So fellow customers, who have to have encrypted tapes, what are your plans once v7 drops? I've heard people trying everything from using 7zip (compression turned off) to encrypt the backup files once they are complete to some people resorting to just sticking around with BackupExec (yuck). Anyone had any luck using a given utility to activate encryption on their drive full time?
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Oct 16, 2013 6:58 am
- Contact:
Re: Feature Request - Tape Encryption
How short-term is short-term?foggy wrote:Jason, thanks for the feedback. Already on our short-term list.
Please be aware that you have the ability to use hardware-based encryption provided by the library.
We are in the process of switching our servers from Windows 2003 to Hyper-V Windows 2012 r2 however our backups must be encrypted. Our hardware doesn't support hardware encryption so that leaves us in a position where by Veeam is simply a non-starter.
Granted we aren't the biggest but we do have 14 sockets that we would be looking to license at enterprise plus which is £20k worth of licensing fees (probably a very good start towards the developmental costs for this feature). Just wanted to point out that while the existing users are raising the issue it is also putting off potential buyers which is costing you sales. I'm sure I am not the only one out there who simply can't purchase Veeam without encryption.
-
- Product Manager
- Posts: 20400
- Liked: 2298 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: v7 Tape Encryption
I understand your concern. But for now I can only say that tape encryption is on our feature list. We will publish more information regarding tape encryption as soon as we have some. As long as you’re present on the forum, you won’t miss it. So, stay tuned.
Thanks.
Thanks.
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Oct 16, 2013 6:58 am
- Contact:
Re: v7 Tape Encryption
Thanks for the response. Is there any general time scales 1-3 months, 3-6 months, 6 months+.
We can wait 1-3 months but if it is likely to be longer than that the we will have to find another solution.
We can wait 1-3 months but if it is likely to be longer than that the we will have to find another solution.
-
- Chief Product Officer
- Posts: 31803
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: v7 Tape Encryption
I can say that it is definitely not going to be available in the next 1-3 months.
-
- Enthusiast
- Posts: 27
- Liked: never
- Joined: Jun 06, 2009 2:46 am
- Full Name: Glen Morris
- Contact:
Re: v7 Tape Encryption
I am in the same boat and would like to not have to use Symantec Backup Exec but we also need Tape Encryption and the Encryption builtin to Backup Exec works very nice and is seamless to use, in DR you just have to know the passphrase and you can decrypt the tape no other server needed. We use an IBM TS3100 Tape Library and configuring encryption is as easy as setting the library to application controlled Encryption, and then creating the Encryption key in Backup Exec. I would suggest trying to make Veeam tape encryption work simalar as this is very nice to work with.
-
- Product Manager
- Posts: 14716
- Liked: 1702 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: v7 Tape Encryption
Glen,
Thank you for describing your scenario! This DR site tape library is remotely connected to your main site or it is connected to standalone BE media server?
Thank you for describing your scenario! This DR site tape library is remotely connected to your main site or it is connected to standalone BE media server?
-
- Enthusiast
- Posts: 27
- Liked: never
- Joined: Jun 06, 2009 2:46 am
- Full Name: Glen Morris
- Contact:
Re: v7 Tape Encryption
At DR the library is connected to a standalone backup server with no connectivity to the main site.
-
- Product Manager
- Posts: 14716
- Liked: 1702 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: v7 Tape Encryption
Glen,
Thank you for clarification. Yes, such scenario would be supported by the upcomming encryption feature.
Thank you for clarification. Yes, such scenario would be supported by the upcomming encryption feature.
-
- Enthusiast
- Posts: 47
- Liked: 4 times
- Joined: Feb 05, 2013 6:56 pm
- Full Name: Jason K. Brandt
- Contact:
Re: v7 Tape Encryption
We decided to use the hardware encryption capability of our library, and it's been working great. It would still be nice to see the software option as well, though.
-
- Product Manager
- Posts: 20400
- Liked: 2298 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: v7 Tape Encryption
Hi, Jason,
As mentioned above, we’re working on delivering this feature in one of the next product releases. Thanks.
As mentioned above, we’re working on delivering this feature in one of the next product releases. Thanks.
-
- Enthusiast
- Posts: 27
- Liked: never
- Joined: Jun 06, 2009 2:46 am
- Full Name: Glen Morris
- Contact:
Re: v7 Tape Encryption
I just want to clairify that the tape library is doing the encryption [hardware encryption] it is just controlled by the application [ Symantec or Veeam in this case]
-
- Veteran
- Posts: 257
- Liked: 40 times
- Joined: May 21, 2013 9:08 pm
- Full Name: Alan Wells
- Contact:
Re: v7 Tape Encryption
I have a Quantum Scalar i80 tape library with 4 LTO6 FC drives. We use encryption through Quantum Scalar Key Manager servers. This is a Quantum solution which uses 2 VMs (primary & backup) to manage all of the encryption keys. The libraries are configured to talk directly to those key managers and the backup software doesn't know anything about it. Of course this is an extra feature that you have to purchase from Quantum. You have to buy the SKM VM package and the license for the library.
I have been backing up to tape via Veeam for a month now and my tapes all show encrypted from the Quantum library. Restores of Veeam files works just fine as well.
I have been backing up to tape via Veeam for a month now and my tapes all show encrypted from the Quantum library. Restores of Veeam files works just fine as well.
Who is online
Users browsing this forum: No registered users and 16 guests