Discussions related to exporting backups to tape and backing up directly to tape.
Post Reply
brandon.patton
Novice
Posts: 7
Liked: 2 times
Joined: May 21, 2013 5:09 pm
Full Name: Brandon Patton
Location: Indiana
Contact:

v7 Tape Encryption

Post by brandon.patton »

Hello All,

I see there is a breakout for tape related topics here, so figure we'd start the ball rolling with the talk of encryption. I realize there are several forums of customers and support going back and forth, but figure this discussion still needs to be ongoing and in one spot.

Like most people that I've read in this forum, we too use BackupExec for the sole purpose of transferring Veeam backup files to tape. We absolutely hate it, which is one reason why we have been eagerly awaiting the arrival of v7. Unfortunately though, our policies with our customers and vendors require that the tapes are encrypted. As Veeam is unable to provide encryption support (as encryption must be transparent to Veeam) at this time, that leaves a gap for people still wanting to take advantage of Veeam's tape support, but also find a way to encrypt the information.

*Note to Veeam - I'm thinking rather than doing the encryption within Veeam, which makes you responsible for handling the encryption, just having a way to pass the encryption key and strength to the tape drivers would suffice for most of us. Could be wrong and maybe that is a more difficult way of doing things.

So fellow customers, who have to have encrypted tapes, what are your plans once v7 drops? I've heard people trying everything from using 7zip (compression turned off) to encrypt the backup files once they are complete to some people resorting to just sticking around with BackupExec (yuck). Anyone had any luck using a given utility to activate encryption on their drive full time?

Just looking to see what other people have tried or plan to try once v7 hits the shelf. We are at least going to try the 7zip idea, and are actively researching to what utilities are available for our tape drive (Dell LTO6).
--
Brandon Patton
veremin
Product Manager
Posts: 20400
Liked: 2298 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: v7 Tape Encryption

Post by veremin »

We are at least going to try the 7zip idea, and are actively researching to what utilities are available for our tape drive (Dell LTO6).
Hi, Brandon.

One potential issue I can see with using 7-zip is that in this case you will be tied to a “file to tape” job and, it, in its turn, results in the lack of tracking mechanism - you won’t know on which tape medias particular VMs reside on, what medias are required in order to restore certain VM, etc.

Thanks.
Gostev
Chief Product Officer
Posts: 31803
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: v7 Tape Encryption

Post by Gostev »

Hi Brandon, does your tape device support native encryption? Is it possible to turn this off in the device settings? My knowledge around how various tape device implement control around native tape encryption is limited, but from what I heard you can simply enable that in the device settings most of the times. Thanks!
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: v7 Tape Encryption

Post by tsightler »

LTO devices that support encryption do so using the SCSI T10 extensions. This allows for the exchange of keys between the host system key management and the device. Most vendors provide options for managing this encryption outside of Veeam, typically in combination with a simple key management systems running on the host. System or library managed encryption is generally an extra cost option for a tape library, but this is going to be the best option if you require encryption support with V7. Some vendors include this basic functionality when you purchase a tape device with hardware encryption capabilities.
brandon.patton
Novice
Posts: 7
Liked: 2 times
Joined: May 21, 2013 5:09 pm
Full Name: Brandon Patton
Location: Indiana
Contact:

Re: v7 Tape Encryption

Post by brandon.patton »

Hi all,

In my case, all of our encryption is currently controlled by BackupExec (as far as me telling BackupExec that I want it to use the drive encryption). The tape drive does support hardware encryption, but I've never figured out any utility or method to actually talk to the tape itself, other than through BackupExec.

From the sounds of it, sounds like there are options out there, just a matter of hunting. Cool!
--
Brandon Patton
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: v7 Tape Encryption

Post by tsightler »

Yes, pretty much every vendor has their own separate application that can manage the encryption independent of the actual backup software. The biggest "con" to this approach is that it's pretty much all or nothing, you encrypt the entire tape or you don't encrypt at all, while with the application, you can pick on a "per-job" basis to only encrypt for data that requires it. I don't really see this as much of a con, but I guess it could be.

Dell refers to this as "library-managed" encryption and I think the software is called Dell Encryption Key Manager.
HP MSL series has the "MSL Encryption Kit"

These are just two vendors that I happen to know their solutions off the top of my head, but every major vendor I've seen has such an option, although the exact implementation differ, the overall idea is the same, to enable hardware level encryption on the device in an application transparent way.
brandon.patton
Novice
Posts: 7
Liked: 2 times
Joined: May 21, 2013 5:09 pm
Full Name: Brandon Patton
Location: Indiana
Contact:

Re: v7 Tape Encryption

Post by brandon.patton »

I wasn't even aware that Dell had something like. Going to check it out!
--
Brandon Patton
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: v7 Tape Encryption

Post by tsightler »

Let me know if you have issues finding it but they have pretty decent information on their web site and should have support for all current generation libraries with LTO4, 5, & 6 on the TL and ML series. Basically you enable the library managed encryption option on the library via a key, and install EKM (OK, that's a simplified version, but it's not terribly complex). The EKM server can support multiple libraries so that tapes can be easily moved between libraries so it's a pretty decent solution. Let us know what you find out.
brandon.patton
Novice
Posts: 7
Liked: 2 times
Joined: May 21, 2013 5:09 pm
Full Name: Brandon Patton
Location: Indiana
Contact:

Re: v7 Tape Encryption

Post by brandon.patton »

tsightler wrote:Let me know if you have issues finding it but they have pretty decent information on their web site and should have support for all current generation libraries with LTO4, 5, & 6 on the TL and ML series. Basically you enable the library managed encryption option on the library via a key, and install EKM (OK, that's a simplified version, but it's not terribly complex). The EKM server can support multiple libraries so that tapes can be easily moved between libraries so it's a pretty decent solution. Let us know what you find out.
Trying to find the solution (having difficulty getting good info) - but it appears that the Dell encryption method (EKM) requires us to have a TL or ML system - we simply have a standalone drive in a PowerVault chassis. So since we're not as a library, don't think this solution will work.

Looks like we're going to be keeping Symantec around for awhile yet. *shrug*
--
Brandon Patton
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: v7 Tape Encryption

Post by tsightler »

Ah, I didn't know you didn't have a library.
dualdj1
Enthusiast
Posts: 47
Liked: 4 times
Joined: Feb 05, 2013 6:56 pm
Full Name: Jason K. Brandt
Contact:

[MERGED] : Feature Request - Tape Encryption

Post by dualdj1 »

A suggestion/request for a future release, would be some form of at least basic encryption on what's written to tape, to please the regulators out there. A good crypt of some sort would be ideal :)

Thanks!
foggy
Veeam Software
Posts: 21138
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Feature Request - Tape Encryption

Post by foggy » 1 person likes this post

Jason, thanks for the feedback. Already on our short-term list.

Please be aware that you have the ability to use hardware-based encryption provided by the library.
dualdj1
Enthusiast
Posts: 47
Liked: 4 times
Joined: Feb 05, 2013 6:56 pm
Full Name: Jason K. Brandt
Contact:

Re: v7 Tape Encryption

Post by dualdj1 »

Thanks for merging, I didn't see the existing topic. I will check into our library, to see if it supports hardware based encryption. Thanks for the suggestion.
hmusa
Influencer
Posts: 11
Liked: never
Joined: May 31, 2011 10:21 pm
Full Name: Thomas Moy
Contact:

Re: v7 Tape Encryption

Post by hmusa »

Just getting my feet wet with v7 Tape functionality, and found this thread. I'm probably in the minority here, small shop, using Retrospect, which I went to in rebellion from BackupExec a decade ago. I'm not using its file to tape functionality now, just using it to backup Veeam files. It does encrypted backups though.

So, regarding plans... I'd love to move away from tapes altogether... setting up a secondary LAN and a WAN repository. How taboo is breaking the 3-2-1 rule ? :shock:

-- Tom
brandon.patton wrote:So fellow customers, who have to have encrypted tapes, what are your plans once v7 drops? I've heard people trying everything from using 7zip (compression turned off) to encrypt the backup files once they are complete to some people resorting to just sticking around with BackupExec (yuck). Anyone had any luck using a given utility to activate encryption on their drive full time?
peterfon
Lurker
Posts: 2
Liked: never
Joined: Oct 16, 2013 6:58 am
Contact:

Re: Feature Request - Tape Encryption

Post by peterfon »

foggy wrote:Jason, thanks for the feedback. Already on our short-term list.

Please be aware that you have the ability to use hardware-based encryption provided by the library.
How short-term is short-term?

We are in the process of switching our servers from Windows 2003 to Hyper-V Windows 2012 r2 however our backups must be encrypted. Our hardware doesn't support hardware encryption so that leaves us in a position where by Veeam is simply a non-starter.

Granted we aren't the biggest but we do have 14 sockets that we would be looking to license at enterprise plus which is £20k worth of licensing fees (probably a very good start towards the developmental costs for this feature). Just wanted to point out that while the existing users are raising the issue it is also putting off potential buyers which is costing you sales. I'm sure I am not the only one out there who simply can't purchase Veeam without encryption.
veremin
Product Manager
Posts: 20400
Liked: 2298 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: v7 Tape Encryption

Post by veremin »

I understand your concern. But for now I can only say that tape encryption is on our feature list. We will publish more information regarding tape encryption as soon as we have some. As long as you’re present on the forum, you won’t miss it. So, stay tuned.

Thanks.
peterfon
Lurker
Posts: 2
Liked: never
Joined: Oct 16, 2013 6:58 am
Contact:

Re: v7 Tape Encryption

Post by peterfon »

Thanks for the response. Is there any general time scales 1-3 months, 3-6 months, 6 months+.

We can wait 1-3 months but if it is likely to be longer than that the we will have to find another solution.
Gostev
Chief Product Officer
Posts: 31803
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: v7 Tape Encryption

Post by Gostev »

I can say that it is definitely not going to be available in the next 1-3 months.
gmorris
Enthusiast
Posts: 27
Liked: never
Joined: Jun 06, 2009 2:46 am
Full Name: Glen Morris
Contact:

Re: v7 Tape Encryption

Post by gmorris »

I am in the same boat and would like to not have to use Symantec Backup Exec but we also need Tape Encryption and the Encryption builtin to Backup Exec works very nice and is seamless to use, in DR you just have to know the passphrase and you can decrypt the tape no other server needed. We use an IBM TS3100 Tape Library and configuring encryption is as easy as setting the library to application controlled Encryption, and then creating the Encryption key in Backup Exec. I would suggest trying to make Veeam tape encryption work simalar as this is very nice to work with.
Dima P.
Product Manager
Posts: 14716
Liked: 1702 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: v7 Tape Encryption

Post by Dima P. »

Glen,
Thank you for describing your scenario! This DR site tape library is remotely connected to your main site or it is connected to standalone BE media server?
gmorris
Enthusiast
Posts: 27
Liked: never
Joined: Jun 06, 2009 2:46 am
Full Name: Glen Morris
Contact:

Re: v7 Tape Encryption

Post by gmorris »

At DR the library is connected to a standalone backup server with no connectivity to the main site.
Dima P.
Product Manager
Posts: 14716
Liked: 1702 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: v7 Tape Encryption

Post by Dima P. »

Glen,
Thank you for clarification. Yes, such scenario would be supported by the upcomming encryption feature.
dualdj1
Enthusiast
Posts: 47
Liked: 4 times
Joined: Feb 05, 2013 6:56 pm
Full Name: Jason K. Brandt
Contact:

Re: v7 Tape Encryption

Post by dualdj1 »

We decided to use the hardware encryption capability of our library, and it's been working great. It would still be nice to see the software option as well, though.
veremin
Product Manager
Posts: 20400
Liked: 2298 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: v7 Tape Encryption

Post by veremin »

Hi, Jason,

As mentioned above, we’re working on delivering this feature in one of the next product releases. Thanks.
gmorris
Enthusiast
Posts: 27
Liked: never
Joined: Jun 06, 2009 2:46 am
Full Name: Glen Morris
Contact:

Re: v7 Tape Encryption

Post by gmorris »

I just want to clairify that the tape library is doing the encryption [hardware encryption] it is just controlled by the application [ Symantec or Veeam in this case]
nunciate
Veteran
Posts: 257
Liked: 40 times
Joined: May 21, 2013 9:08 pm
Full Name: Alan Wells
Contact:

Re: v7 Tape Encryption

Post by nunciate »

I have a Quantum Scalar i80 tape library with 4 LTO6 FC drives. We use encryption through Quantum Scalar Key Manager servers. This is a Quantum solution which uses 2 VMs (primary & backup) to manage all of the encryption keys. The libraries are configured to talk directly to those key managers and the backup software doesn't know anything about it. Of course this is an extra feature that you have to purchase from Quantum. You have to buy the SKM VM package and the license for the library.

I have been backing up to tape via Veeam for a month now and my tapes all show encrypted from the Quantum library. Restores of Veeam files works just fine as well.
Post Reply

Who is online

Users browsing this forum: No registered users and 16 guests