Encryption Tape Mechanism

[dnicollier]

Hello,

I have questions about the tape encryption.

For audit purpose i need to validate the encryption on the tape, what this the procedure to show this to an auditor ?

When restore a veeam backup from a tape (vbk file), he does not ask for the encryption password, How to set this paramater to always ask for the password ?

Thanks for your support and help

[Shestakov]

Hello and welcome to the forums!
Encryption for tapes is set not in the job, but at the mediapools.
Have you enabled it there?
Thanks!

[dnicollier]

Yes, it was enabled

But you know auditor... we need to prove that the tape is really encrypted.

And for the password do you have an idea ?

[Shestakov]

To check that the tape is encrypted, you can deploy another server and import the tape there. If you try to restore there, the password will be asked.
It`s not asked on the same server by design.
Thanks!

[Dima P.]

If its software encryption with the password set in Veeam B&R (while hardware encryption is not enabled in the tape library) you could remove the encryption password used for tapes and then load the encrypted media back. I assume the password should be promoted upon cataloging the tape media.

Please test my assumption first on non-production media with non-production encryption password.

[A.Lamsdell]

Hi Guys,

Currently encrypting all media pools with encryption keys and I need to confirm that they are working. If I edit a key to something else or remove it then, to my knowledge, the tape should not catalogue or be readable by that veeam server as it has not got the correct keys.

So far it seems to catalogue tapes and recover files.

Anything I might be missing at a basic user level before I run off to support?

[Shestakov]

Hi Antony,
Please try one of the methods suggested above.
By the way, do you use hardware or software encryption?
Thanks

[A.Lamsdell]

Hi Shestakov,

I am unsure if the tape silo supports hardware encryption or not (TL2000, I'll look it up and provide a full response when my work load permits) but I assume it'll default to hardware if it has it or software if it doesn't.

So reading this it looks like Veeam automatically manages the encryption keys. If I remove a key from the media pool or edit it will the encryption key be maintained in the job metadata for that tape to auto unlock it when accessed? I've removed encryption keys from the server and it's all been accessible. I'll see what I can do about redeploying the tape silo to a new veeam server to test it out.

[lyapkost]

Hi. In case you are using software encryption and don't want to deploy another server as suggested above, you can do the following: a) remove encryption from media pool; b) mark tapes in this media pool as free (do not erase!) c) delete password used to encrypt the media pool with Password Manager; d) catalog tapes. You will see warning telling that the password needs to be provided (right click on the tape - 'specify password'). So recovery is impossible until tapes are being decrypted.

[A.Lamsdell]

Thanks Lyapkost, tested and confirmed working in a couple of minutes!

Much Appreciated

[rreed]

Do we have an update to this by any chance, please? Which method did you use?

[veremin]

Feel free to use the approach described by Konstantin. It should be enough to confirm encryption operability. Thanks.