v7 Tape Encryption

[brandon.patton]

Hello All,

I see there is a breakout for tape related topics here, so figure we'd start the ball rolling with the talk of encryption. I realize there are several forums of customers and support going back and forth, but figure this discussion still needs to be ongoing and in one spot.

Like most people that I've read in this forum, we too use BackupExec for the sole purpose of transferring Veeam backup files to tape. We absolutely hate it, which is one reason why we have been eagerly awaiting the arrival of v7. Unfortunately though, our policies with our customers and vendors require that the tapes are encrypted. As Veeam is unable to provide encryption support (as encryption must be transparent to Veeam) at this time, that leaves a gap for people still wanting to take advantage of Veeam's tape support, but also find a way to encrypt the information.

*Note to Veeam - I'm thinking rather than doing the encryption within Veeam, which makes you responsible for handling the encryption, just having a way to pass the encryption key and strength to the tape drivers would suffice for most of us. Could be wrong and maybe that is a more difficult way of doing things.

So fellow customers, who have to have encrypted tapes, what are your plans once v7 drops? I've heard people trying everything from using 7zip (compression turned off) to encrypt the backup files once they are complete to some people resorting to just sticking around with BackupExec (yuck). Anyone had any luck using a given utility to activate encryption on their drive full time?

Just looking to see what other people have tried or plan to try once v7 hits the shelf. We are at least going to try the 7zip idea, and are actively researching to what utilities are available for our tape drive (Dell LTO6).

[veremin]

We are at least going to try the 7zip idea, and are actively researching to what utilities are available for our tape drive (Dell LTO6).

Hi, Brandon.

One potential issue I can see with using 7-zip is that in this case you will be tied to a “file to tape” job and, it, in its turn, results in the lack of tracking mechanism - you won’t know on which tape medias particular VMs reside on, what medias are required in order to restore certain VM, etc.

Thanks.

[Gostev]

Hi Brandon, does your tape device support native encryption? Is it possible to turn this off in the device settings? My knowledge around how various tape device implement control around native tape encryption is limited, but from what I heard you can simply enable that in the device settings most of the times. Thanks!

[tsightler]

LTO devices that support encryption do so using the SCSI T10 extensions. This allows for the exchange of keys between the host system key management and the device. Most vendors provide options for managing this encryption outside of Veeam, typically in combination with a simple key management systems running on the host. System or library managed encryption is generally an extra cost option for a tape library, but this is going to be the best option if you require encryption support with V7. Some vendors include this basic functionality when you purchase a tape device with hardware encryption capabilities.

[brandon.patton]

Hi all,

In my case, all of our encryption is currently controlled by BackupExec (as far as me telling BackupExec that I want it to use the drive encryption). The tape drive does support hardware encryption, but I've never figured out any utility or method to actually talk to the tape itself, other than through BackupExec.

From the sounds of it, sounds like there are options out there, just a matter of hunting. Cool!

[tsightler]

Yes, pretty much every vendor has their own separate application that can manage the encryption independent of the actual backup software. The biggest "con" to this approach is that it's pretty much all or nothing, you encrypt the entire tape or you don't encrypt at all, while with the application, you can pick on a "per-job" basis to only encrypt for data that requires it. I don't really see this as much of a con, but I guess it could be.

Dell refers to this as "library-managed" encryption and I think the software is called Dell Encryption Key Manager.
HP MSL series has the "MSL Encryption Kit"

These are just two vendors that I happen to know their solutions off the top of my head, but every major vendor I've seen has such an option, although the exact implementation differ, the overall idea is the same, to enable hardware level encryption on the device in an application transparent way.

[brandon.patton]

I wasn't even aware that Dell had something like. Going to check it out!

[tsightler]

Let me know if you have issues finding it but they have pretty decent information on their web site and should have support for all current generation libraries with LTO4, 5, & 6 on the TL and ML series. Basically you enable the library managed encryption option on the library via a key, and install EKM (OK, that's a simplified version, but it's not terribly complex). The EKM server can support multiple libraries so that tapes can be easily moved between libraries so it's a pretty decent solution. Let us know what you find out.

[brandon.patton]

Let me know if you have issues finding it but they have pretty decent information on their web site and should have support for all current generation libraries with LTO4, 5, & 6 on the TL and ML series. Basically you enable the library managed encryption option on the library via a key, and install EKM (OK, that's a simplified version, but it's not terribly complex). The EKM server can support multiple libraries so that tapes can be easily moved between libraries so it's a pretty decent solution. Let us know what you find out.

Trying to find the solution (having difficulty getting good info) - but it appears that the Dell encryption method (EKM) requires us to have a TL or ML system - we simply have a standalone drive in a PowerVault chassis. So since we're not as a library, don't think this solution will work.

Looks like we're going to be keeping Symantec around for awhile yet. *shrug*

[tsightler]

Ah, I didn't know you didn't have a library.

[dualdj1]

A suggestion/request for a future release, would be some form of at least basic encryption on what's written to tape, to please the regulators out there. A good crypt of some sort would be ideal

Thanks!

[foggy]

Jason, thanks for the feedback. Already on our short-term list.

Please be aware that you have the ability to use hardware-based encryption provided by the library.

[dualdj1]

Thanks for merging, I didn't see the existing topic. I will check into our library, to see if it supports hardware based encryption. Thanks for the suggestion.

[hmusa]

Just getting my feet wet with v7 Tape functionality, and found this thread. I'm probably in the minority here, small shop, using Retrospect, which I went to in rebellion from BackupExec a decade ago. I'm not using its file to tape functionality now, just using it to backup Veeam files. It does encrypted backups though.

So, regarding plans... I'd love to move away from tapes altogether... setting up a secondary LAN and a WAN repository. How taboo is breaking the 3-2-1 rule ?

-- Tom

So fellow customers, who have to have encrypted tapes, what are your plans once v7 drops? I've heard people trying everything from using 7zip (compression turned off) to encrypt the backup files once they are complete to some people resorting to just sticking around with BackupExec (yuck). Anyone had any luck using a given utility to activate encryption on their drive full time?

[peterfon]

Jason, thanks for the feedback. Already on our short-term list.

Please be aware that you have the ability to use hardware-based encryption provided by the library.

How short-term is short-term?

We are in the process of switching our servers from Windows 2003 to Hyper-V Windows 2012 r2 however our backups must be encrypted. Our hardware doesn't support hardware encryption so that leaves us in a position where by Veeam is simply a non-starter.

Granted we aren't the biggest but we do have 14 sockets that we would be looking to license at enterprise plus which is £20k worth of licensing fees (probably a very good start towards the developmental costs for this feature). Just wanted to point out that while the existing users are raising the issue it is also putting off potential buyers which is costing you sales. I'm sure I am not the only one out there who simply can't purchase Veeam without encryption.

[veremin]

I understand your concern. But for now I can only say that tape encryption is on our feature list. We will publish more information regarding tape encryption as soon as we have some. As long as you’re present on the forum, you won’t miss it. So, stay tuned.

Thanks.

[peterfon]

Thanks for the response. Is there any general time scales 1-3 months, 3-6 months, 6 months+.

We can wait 1-3 months but if it is likely to be longer than that the we will have to find another solution.

[Gostev]

I can say that it is definitely not going to be available in the next 1-3 months.

[gmorris]

I am in the same boat and would like to not have to use Symantec Backup Exec but we also need Tape Encryption and the Encryption builtin to Backup Exec works very nice and is seamless to use, in DR you just have to know the passphrase and you can decrypt the tape no other server needed. We use an IBM TS3100 Tape Library and configuring encryption is as easy as setting the library to application controlled Encryption, and then creating the Encryption key in Backup Exec. I would suggest trying to make Veeam tape encryption work simalar as this is very nice to work with.

[Dima P.]

Glen,
Thank you for describing your scenario! This DR site tape library is remotely connected to your main site or it is connected to standalone BE media server?

[gmorris]

At DR the library is connected to a standalone backup server with no connectivity to the main site.

[Dima P.]

Glen,
Thank you for clarification. Yes, such scenario would be supported by the upcomming encryption feature.

[dualdj1]

We decided to use the hardware encryption capability of our library, and it's been working great. It would still be nice to see the software option as well, though.

[veremin]

Hi, Jason,

As mentioned above, we’re working on delivering this feature in one of the next product releases. Thanks.

[gmorris]

I just want to clairify that the tape library is doing the encryption [hardware encryption] it is just controlled by the application [ Symantec or Veeam in this case]

[nunciate]

I have a Quantum Scalar i80 tape library with 4 LTO6 FC drives. We use encryption through Quantum Scalar Key Manager servers. This is a Quantum solution which uses 2 VMs (primary & backup) to manage all of the encryption keys. The libraries are configured to talk directly to those key managers and the backup software doesn't know anything about it. Of course this is an extra feature that you have to purchase from Quantum. You have to buy the SKM VM package and the license for the library.

I have been backing up to tape via Veeam for a month now and my tapes all show encrypted from the Quantum library. Restores of Veeam files works just fine as well.