IBM TS3200 and hardware encryption

[skrause]

Hi,

I have seen a number of posts where customers mention that they are running IBM TS3200 etc libraries and I wanted to pick their brains on how they have encryption set up in their environments.

Currently, we have a TS3200 LT05 library connected to our Veeam Repository server where the files that will go to tape all live. We did not purchase the hardware encryption license with the library but are looking into it now due to poor performance with software encryption.

My question really comes down to how customers that use IBM tape libraries with the hardware encryption handle their keys. Do you use the IBM/Tivoli Key Lifecycle Manager application to do System/Library managed encryption or are you able to manage the keys used by the library inside of Veeam?

Any insight into how other users of IBM libraries handle encryption would be awesome since IBM's documentation really only mentions TSM (of course).

Thanks!

[veremin]

Do you use the IBM/Tivoli Key Lifecycle Manager application to do System/Library managed encryption or are you able to manage the keys used by the library inside of Veeam?

VB&R is not aware of key specified on device level. So, in this case device manufacturer tools have to be used in order to orchestrate encryption.

We did not purchase the hardware encryption license with the library but are looking into it now due to poor performance with software encryption.

Can you shed a light on your experience with software encryption? I'm wondering what type of encryption is meant here. Backup file encryption or media pool one?

Thanks.

[skrause]

Media pool encryption.

I can run a job using a non-encrypted media pool and get an average throughput of about 120 MB/sec, when I use an encrypted media pool I get an average throughput of no better than 55 MB/sec.

If the backup files are encrypted, will they stay encrypted on the tape (even after the transforms etc happen as part of the tape job?)

We are required to encrypt all data that is put on tape.

[skrause]

So I did a quick check of our older TS3200 libraries that were used for BackupExec and they actually had the hardware encryption licenses.

I was able to snag one for a test and attach it to my Veeam tape server and run my test job again.

It looks like Veeam is able to pass the encryption key to the tape drive and my job is running at 110 MB/s average (the same as when the test was unencrypted.)

If IBMs documentation had not made it sound like you had to buy their silly Key Management suite to use hardware encryption at all, I would have figured this out a while ago.

[Dima P.]

If the backup files are encrypted, will they stay encrypted on the tape (even after the transforms etc happen as part of the tape job?)

Yes, there is no need to use the tape encryption if you have a backup to disk encryption enabled. It literary means doing the same job twice.

It looks like Veeam is able to pass the encryption key to the tape drive and my job is running at 110 MB/s average (the same as when the test was unencrypted.)

If device is configured for hardware encryption – Veeam B&R passes all the key management to the library itself. If the hardware encryption is not supported – software encryption is used instead, where the encryption key management happens on the VBR’s end. More details: Tape Job Encryption