Encryption Tape Mechanism

Everything about backing up to tape

Encryption Tape Mechanism

Veeam Logoby dnicollier » Thu Oct 08, 2015 2:12 pm

Hello,

I have questions about the tape encryption.

For audit purpose i need to validate the encryption on the tape, what this the procedure to show this to an auditor ?

When restore a veeam backup from a tape (vbk file), he does not ask for the encryption password, How to set this paramater to always ask for the password ?

Thanks for your support and help
dnicollier
Lurker
 
Posts: 2
Liked: never
Joined: Thu Oct 08, 2015 2:04 pm

Re: Encryption Tape Mechanism

Veeam Logoby Shestakov » Thu Oct 08, 2015 2:23 pm

Hello and welcome to the forums!
Encryption for tapes is set not in the job, but at the mediapools.
Have you enabled it there?
Thanks!
Shestakov
Veeam Software
 
Posts: 4842
Liked: 393 times
Joined: Wed May 21, 2014 11:03 am
Location: Saint Petersburg
Full Name: Nikita Shestakov

Re: Encryption Tape Mechanism

Veeam Logoby dnicollier » Thu Oct 08, 2015 2:41 pm

Yes, it was enabled

But you know auditor... we need to prove that the tape is really encrypted.

And for the password do you have an idea ?
dnicollier
Lurker
 
Posts: 2
Liked: never
Joined: Thu Oct 08, 2015 2:04 pm

Re: Encryption Tape Mechanism

Veeam Logoby Shestakov » Thu Oct 08, 2015 2:53 pm

To check that the tape is encrypted, you can deploy another server and import the tape there. If you try to restore there, the password will be asked.
It`s not asked on the same server by design.
Thanks!
Shestakov
Veeam Software
 
Posts: 4842
Liked: 393 times
Joined: Wed May 21, 2014 11:03 am
Location: Saint Petersburg
Full Name: Nikita Shestakov

Re: Encryption Tape Mechanism

Veeam Logoby Dima P. » Sat Oct 10, 2015 10:14 pm

If its software encryption with the password set in Veeam B&R (while hardware encryption is not enabled in the tape library) you could remove the encryption password used for tapes and then load the encrypted media back. I assume the password should be promoted upon cataloging the tape media.

Please test my assumption first on non-production media with non-production encryption password.
Dima P.
Veeam Software
 
Posts: 6231
Liked: 439 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov

[MERGED] Unable to confirm tape encryption is working

Veeam Logoby A.Lamsdell » Thu Jun 16, 2016 10:22 am

Hi Guys,

Currently encrypting all media pools with encryption keys and I need to confirm that they are working. If I edit a key to something else or remove it then, to my knowledge, the tape should not catalogue or be readable by that veeam server as it has not got the correct keys.

So far it seems to catalogue tapes and recover files.

Anything I might be missing at a basic user level before I run off to support?
A.Lamsdell
Novice
 
Posts: 9
Liked: 2 times
Joined: Mon Feb 15, 2016 10:36 am
Full Name: Antony Lamsdell

Re: Encryption Tape Mechanism

Veeam Logoby Shestakov » Thu Jun 16, 2016 12:31 pm

Hi Antony,
Please try one of the methods suggested above.
By the way, do you use hardware or software encryption?
Thanks
Shestakov
Veeam Software
 
Posts: 4842
Liked: 393 times
Joined: Wed May 21, 2014 11:03 am
Location: Saint Petersburg
Full Name: Nikita Shestakov

Re: Encryption Tape Mechanism

Veeam Logoby A.Lamsdell » Thu Jun 16, 2016 2:17 pm

Hi Shestakov,

I am unsure if the tape silo supports hardware encryption or not (TL2000, I'll look it up and provide a full response when my work load permits) but I assume it'll default to hardware if it has it or software if it doesn't.

So reading this it looks like Veeam automatically manages the encryption keys. If I remove a key from the media pool or edit it will the encryption key be maintained in the job metadata for that tape to auto unlock it when accessed? I've removed encryption keys from the server and it's all been accessible. I'll see what I can do about redeploying the tape silo to a new veeam server to test it out.
A.Lamsdell
Novice
 
Posts: 9
Liked: 2 times
Joined: Mon Feb 15, 2016 10:36 am
Full Name: Antony Lamsdell

Re: Encryption Tape Mechanism

Veeam Logoby lyapkost » Thu Jun 16, 2016 2:34 pm

Hi. In case you are using software encryption and don't want to deploy another server as suggested above, you can do the following: a) remove encryption from media pool; b) mark tapes in this media pool as free (do not erase!) c) delete password used to encrypt the media pool with Password Manager; d) catalog tapes. You will see warning telling that the password needs to be provided (right click on the tape - 'specify password'). So recovery is impossible until tapes are being decrypted.
lyapkost
Veeam Software
 
Posts: 76
Liked: 13 times
Joined: Fri Nov 27, 2015 2:26 pm
Location: Saint Petersburg
Full Name: Konstantin

Re: Encryption Tape Mechanism

Veeam Logoby A.Lamsdell » Thu Jun 16, 2016 3:26 pm

Thanks Lyapkost, tested and confirmed working in a couple of minutes!

Much Appreciated
A.Lamsdell
Novice
 
Posts: 9
Liked: 2 times
Joined: Mon Feb 15, 2016 10:36 am
Full Name: Antony Lamsdell

Re: Encryption Tape Mechanism

Veeam Logoby rreed » Mon Aug 08, 2016 9:21 pm

Do we have an update to this by any chance, please? Which method did you use?
VMware 6
Veeam B&R v9
Dell DR4100's
EMC DD2200's
EMC DD620's
Dell TL2000 via PE430 (SAS)
rreed
Expert
 
Posts: 354
Liked: 72 times
Joined: Tue Jun 30, 2015 6:06 pm

Re: Encryption Tape Mechanism

Veeam Logoby v.Eremin » Tue Aug 09, 2016 10:07 am

Feel free to use the approach described by Konstantin. It should be enough to confirm encryption operability. Thanks.
v.Eremin
Veeam Software
 
Posts: 13255
Liked: 968 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin


Return to Tape



Who is online

Users browsing this forum: No registered users and 6 guests