IBM TS3200 and hardware encryption

by skrause » Tue Jul 21, 2015 7:00 pm

Hi,

I have seen a number of posts where customers mention that they are running IBM TS3200 etc libraries and I wanted to pick their brains on how they have encryption set up in their environments.

Currently, we have a TS3200 LTO5 library connected to our Veeam Repository server where the files that will go to tape all live. We did not purchase the hardware encryption license with the library but are looking into it now due to poor performance with software encryption.

My question really comes down to how customers that use IBM tape libraries with the hardware encryption handle their keys. Do you use the IBM/Tivoli Key Lifecycle Manager application to do System/Library managed encryption or are you able to manage the keys used by the library inside of Veeam?

Any insight into how other users of IBM libraries handle encryption would be awesome since IBM's documentation really only mentions TSM (of course).

Thanks!
skrause
Full Name: Steve Krause

Re: IBM TS3200 and hardware encryption

by v.Eremin » Wed Jul 22, 2015 5:42 am

> Do you use the IBM/Tivoli Key Lifecycle Manager application to do System/Library managed encryption or are you able to manage the keys used by the library inside of Veeam?

VB&R is not aware of the key specified at the device level. So, in this case, the device manufacturer's tools have to be used in order to orchestrate encryption.

> We did not purchase the hardware encryption license with the library but are looking into it now due to poor performance with software encryption.

Can you shed some light on your experience with software encryption? I'm wondering what type of encryption is meant here. Backup file encryption or the media pool one?

Thanks.
v.Eremin
Veeam Software
 
Full Name: Vladimir Eremin

Re: IBM TS3200 and hardware encryption

by skrause » Wed Jul 22, 2015 1:19 pm

Media pool encryption.

I can run a job using a non-encrypted media pool and get an average throughput of about 120 MB/sec; when I use an encrypted media pool, I get an average throughput of no better than 55 MB/sec.

If the backup files are encrypted, will they stay encrypted on the tape (even after the transforms etc happen as part of the tape job?)

We are required to encrypt all data that is put on tape.
Steve Krause
Veeam Certified Architect
skrause
Full Name: Steve Krause

Re: IBM TS3200 and hardware encryption

by skrause » Wed Jul 22, 2015 2:48 pm

So I did a quick check of our older TS3200 libraries that were used for BackupExec and they actually had the hardware encryption licenses.

I was able to snag one for a test and attach it to my Veeam tape server and run my test job again.

It looks like Veeam is able to pass the encryption key to the tape drive and my job is running at 110 MB/s average (the same as when the test was unencrypted.)

If IBM's documentation had not made it sound like you had to buy their silly Key Management suite to use hardware encryption at all, I would have figured this out a while ago.
Steve Krause
Veeam Certified Architect
skrause
Full Name: Steve Krause

Re: IBM TS3200 and hardware encryption

by Dima P. » Wed Jul 22, 2015 3:10 pm

> If the backup files are encrypted, will they stay encrypted on the tape (even after the transforms etc happen as part of the tape job?)

Yes, there is no need to use the tape encryption if you have backup-to-disk encryption enabled. It literally means doing the same job twice.

> It looks like Veeam is able to pass the encryption key to the tape drive and my job is running at 110 MB/s average (the same as when the test was unencrypted.)

If the device is configured for hardware encryption, Veeam B&R passes all the key management to the library itself. If hardware encryption is not supported, software encryption is used instead, where the encryption key management happens on VBR's end. More details: Tape Job Encryption
Dima P.
Veeam Software
 
Full Name: Dmitry Popov

