To eject, or not to eject...

[Novox]

I'm currently backing up daily to a tape with a tape pool configured to "Do not create [Media Set], always continue using current media set" and "Never overwrite data" (effectively writing to the tape until the tape is full, all the time).

Ejecting tapes after backup jobs is a "best practice" as mentioned in the job "Options." However most of the time, my daily tape jobs need to write to the same tape.

I see two options:

• "Eject media upon job completion" where most days I will literally just push the tape back into the drive. This has the added benefit of an actual airgap most of the time (while the tape is ejected, it would be impossible to maliciously erase). However, every day there is a physical mount/unmount-eject operation.

OR

• Do not "Eject media upon job completion" where most days I wouldn't need to do anything. This does not have the benefit of an airgap and the tape remains mounted in the drive until full.

First question: between the above options, purely with respect to physical wear on the tape and/or tape drive, which is worse:

• leaving a tape mounted in a tape drive (maybe there are issues with tension, head parking, etc)

OR

• the repeated act of loading and unloading a tape into a tape drive

Second question: having an airgap is subjective, but I wanted to get a sense from other Veeam Forum users what your thoughts are. Either way, the tape is not offsite, not protected from fire, etc... If ejected, as I said a malicious actor won't be able to destroy the tape. If left mounted, a malicious actor could gain access to the tape drive and wipe the tape's contents.

Thank you!

[soncscy]

Hey Novox,

I about spit out my whiskey on this:

>having an airgap is subjective

Don't misunderstand me as an over-reaction here, but I can't understand how airgap is subjective. You're conflating too many threat scenarios into a single one. Airgap protects you against ransomware that tries to erase tapes it finds and that should be the purpose of the protection. You vault your tapes with an insurance policy to protect against force majeure. Different protections against different things.

Maybe I'm being spoiled here, but most tape devices you get with a support contract, and once the drive stops working, the vendor replaces it as long as you keep the support going. Even without it, usually the drives themselves are worth the cost and you get your ROI in between drives.

It's a crappy numbers game for sure, but I would always eject the drive and store it in a safe box until the next tape run. Remember tape is archival, and while daily is great if you've got the tapes to toss around, I'd rather recover from 6 days ago (weekly) than start from scratch on my business/pay ransomware. The edge cases not protected by this must be cheaper than the cost of a tape drive.

[Dima P.]

Hi folks,

In my opinion eject is not required: if you are afraid of any attack that will access the software and start the erase, then what's the difference between tape in the drive and tape in the slot? Both are availed for tape software and Veeam B&R console, its just one extra step for the attacker to load ejected tapes into the drive.

If you need real airgap solution - media must be exported from the library to the tape shelf or safe where it sits still in the offline state

[Novox]

soncscy, when I said "having an airgap is subjective", I worded it poorly...

I meant that choosing to use an airgap vs. the effort to remember and manually re-insert, same-tapes, daily is a subjective choice. For some, it may not be worth it. For others, it seems it would definitely be worth it.

I completely agree an airgap is, objectively, a good thing.

It sounds like you are advocating FOR an airgap, regardless of the minutia of whether repeated load/unload cycles is detrimental to tapes or tape drives. Please let me know if I'm understanding you correctly.

Thank you!

[Novox]

Dima, I don't have a tape library. It's a standalone drive. Once a tape is ejected it cannot programmatically be re-inserted (it rests in the drive, partially hanging out, with no motors or moving parts to re-insert it). There is no "slot" to maliciously instruct the tape drive to load and then erase.

Does your opinion change after this clarification?

Thanks again!

[Dima P.]

Novox, yup, for the SA drive export and eject are the same.