v7 Tape Encryption

Everything about backing up to tape

v7 Tape Encryption

Veeam Logoby brandon.patton » Fri Aug 09, 2013 2:02 pm

Hello All,

I see there is a breakout for tape related topics here, so figure we'd start the ball rolling with the talk of encryption. I realize there are several forums of customers and support going back and forth, but figure this discussion still needs to be ongoing and in one spot.

Like most people that I've read in this forum, we too use BackupExec for the sole purpose of transferring Veeam backup files to tape. We absolutely hate it, which is one reason why we have been eagerly awaiting the arrival of v7. Unfortunately though, our policies with our customers and vendors require that the tapes are encrypted. As Veeam is unable to provide encryption support (as encryption must be transparent to Veeam) at this time, that leaves a gap for people still wanting to take advantage of Veeam's tape support, but also find a way to encrypt the information.

*Note to Veeam - I'm thinking rather than doing the encryption within Veeam, which makes you responsible for handling the encryption, just having a way to pass the encryption key and strength to the tape drivers would suffice for most of us. Could be wrong and maybe that is a more difficult way of doing things.

So fellow customers, who have to have encrypted tapes, what are your plans once v7 drops? I've heard people trying everything from using 7zip (compression turned off) to encrypt the backup files once they are complete to some people resorting to just sticking around with BackupExec (yuck). Anyone had any luck using a given utility to activate encryption on their drive full time?

Just looking to see what other people have tried or plan to try once v7 hits the shelf. We are at least going to try the 7zip idea, and are actively researching to what utilities are available for our tape drive (Dell LTO6).
--
Brandon Patton
brandon.patton
Novice
 
Posts: 7
Liked: 2 times
Joined: Tue May 21, 2013 5:09 pm
Location: Indiana
Full Name: Brandon Patton

Re: v7 Tape Encryption

Veeam Logoby v.Eremin » Fri Aug 09, 2013 2:22 pm

We are at least going to try the 7zip idea, and are actively researching to what utilities are available for our tape drive (Dell LTO6).

Hi, Brandon.

One potential issue I can see with using 7-zip is that in this case you will be tied to a “file to tape” job and, it, in its turn, results in the lack of tracking mechanism - you won’t know on which tape medias particular VMs reside on, what medias are required in order to restore certain VM, etc.

Thanks.
v.Eremin
Veeam Software
 
Posts: 13266
Liked: 968 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: v7 Tape Encryption

Veeam Logoby Gostev » Fri Aug 09, 2013 3:12 pm

Hi Brandon, does your tape device support native encryption? Is it possible to turn this off in the device settings? My knowledge around how various tape device implement control around native tape encryption is limited, but from what I heard you can simply enable that in the device settings most of the times. Thanks!
Gostev
Veeam Software
 
Posts: 21390
Liked: 2349 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: v7 Tape Encryption

Veeam Logoby tsightler » Fri Aug 09, 2013 3:37 pm

LTO devices that support encryption do so using the SCSI T10 extensions. This allows for the exchange of keys between the host system key management and the device. Most vendors provide options for managing this encryption outside of Veeam, typically in combination with a simple key management systems running on the host. System or library managed encryption is generally an extra cost option for a tape library, but this is going to be the best option if you require encryption support with V7. Some vendors include this basic functionality when you purchase a tape device with hardware encryption capabilities.
tsightler
Veeam Software
 
Posts: 4768
Liked: 1737 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: v7 Tape Encryption

Veeam Logoby brandon.patton » Fri Aug 09, 2013 5:17 pm

Hi all,

In my case, all of our encryption is currently controlled by BackupExec (as far as me telling BackupExec that I want it to use the drive encryption). The tape drive does support hardware encryption, but I've never figured out any utility or method to actually talk to the tape itself, other than through BackupExec.

From the sounds of it, sounds like there are options out there, just a matter of hunting. Cool!
--
Brandon Patton
brandon.patton
Novice
 
Posts: 7
Liked: 2 times
Joined: Tue May 21, 2013 5:09 pm
Location: Indiana
Full Name: Brandon Patton

Re: v7 Tape Encryption

Veeam Logoby tsightler » Fri Aug 09, 2013 7:01 pm

Yes, pretty much every vendor has their own separate application that can manage the encryption independent of the actual backup software. The biggest "con" to this approach is that it's pretty much all or nothing, you encrypt the entire tape or you don't encrypt at all, while with the application, you can pick on a "per-job" basis to only encrypt for data that requires it. I don't really see this as much of a con, but I guess it could be.

Dell refers to this as "library-managed" encryption and I think the software is called Dell Encryption Key Manager.
HP MSL series has the "MSL Encryption Kit"

These are just two vendors that I happen to know their solutions off the top of my head, but every major vendor I've seen has such an option, although the exact implementation differ, the overall idea is the same, to enable hardware level encryption on the device in an application transparent way.
tsightler
Veeam Software
 
Posts: 4768
Liked: 1737 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: v7 Tape Encryption

Veeam Logoby brandon.patton » Sat Aug 10, 2013 1:31 am

I wasn't even aware that Dell had something like. Going to check it out!
--
Brandon Patton
brandon.patton
Novice
 
Posts: 7
Liked: 2 times
Joined: Tue May 21, 2013 5:09 pm
Location: Indiana
Full Name: Brandon Patton

Re: v7 Tape Encryption

Veeam Logoby tsightler » Sat Aug 10, 2013 2:32 am

Let me know if you have issues finding it but they have pretty decent information on their web site and should have support for all current generation libraries with LTO4, 5, & 6 on the TL and ML series. Basically you enable the library managed encryption option on the library via a key, and install EKM (OK, that's a simplified version, but it's not terribly complex). The EKM server can support multiple libraries so that tapes can be easily moved between libraries so it's a pretty decent solution. Let us know what you find out.
tsightler
Veeam Software
 
Posts: 4768
Liked: 1737 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: v7 Tape Encryption

Veeam Logoby brandon.patton » Fri Aug 16, 2013 4:04 pm

tsightler wrote:Let me know if you have issues finding it but they have pretty decent information on their web site and should have support for all current generation libraries with LTO4, 5, & 6 on the TL and ML series. Basically you enable the library managed encryption option on the library via a key, and install EKM (OK, that's a simplified version, but it's not terribly complex). The EKM server can support multiple libraries so that tapes can be easily moved between libraries so it's a pretty decent solution. Let us know what you find out.


Trying to find the solution (having difficulty getting good info) - but it appears that the Dell encryption method (EKM) requires us to have a TL or ML system - we simply have a standalone drive in a PowerVault chassis. So since we're not as a library, don't think this solution will work.

Looks like we're going to be keeping Symantec around for awhile yet. *shrug*
--
Brandon Patton
brandon.patton
Novice
 
Posts: 7
Liked: 2 times
Joined: Tue May 21, 2013 5:09 pm
Location: Indiana
Full Name: Brandon Patton

Re: v7 Tape Encryption

Veeam Logoby tsightler » Fri Aug 16, 2013 4:47 pm

Ah, I didn't know you didn't have a library.
tsightler
Veeam Software
 
Posts: 4768
Liked: 1737 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

[MERGED] : Feature Request - Tape Encryption

Veeam Logoby dualdj1 » Fri Sep 13, 2013 2:39 am

A suggestion/request for a future release, would be some form of at least basic encryption on what's written to tape, to please the regulators out there. A good crypt of some sort would be ideal :)

Thanks!
dualdj1
Enthusiast
 
Posts: 43
Liked: 4 times
Joined: Tue Feb 05, 2013 6:56 pm
Full Name: Jason K. Brandt

Re: Feature Request - Tape Encryption

Veeam Logoby foggy » Fri Sep 13, 2013 6:41 am 1 person likes this post

Jason, thanks for the feedback. Already on our short-term list.

Please be aware that you have the ability to use hardware-based encryption provided by the library.
foggy
Veeam Software
 
Posts: 14742
Liked: 1079 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: v7 Tape Encryption

Veeam Logoby dualdj1 » Mon Sep 16, 2013 3:58 pm

Thanks for merging, I didn't see the existing topic. I will check into our library, to see if it supports hardware based encryption. Thanks for the suggestion.
dualdj1
Enthusiast
 
Posts: 43
Liked: 4 times
Joined: Tue Feb 05, 2013 6:56 pm
Full Name: Jason K. Brandt

Re: v7 Tape Encryption

Veeam Logoby hmusa » Tue Oct 08, 2013 5:20 pm

Just getting my feet wet with v7 Tape functionality, and found this thread. I'm probably in the minority here, small shop, using Retrospect, which I went to in rebellion from BackupExec a decade ago. I'm not using its file to tape functionality now, just using it to backup Veeam files. It does encrypted backups though.

So, regarding plans... I'd love to move away from tapes altogether... setting up a secondary LAN and a WAN repository. How taboo is breaking the 3-2-1 rule ? :shock:

-- Tom

brandon.patton wrote:So fellow customers, who have to have encrypted tapes, what are your plans once v7 drops? I've heard people trying everything from using 7zip (compression turned off) to encrypt the backup files once they are complete to some people resorting to just sticking around with BackupExec (yuck). Anyone had any luck using a given utility to activate encryption on their drive full time?
hmusa
Influencer
 
Posts: 11
Liked: never
Joined: Tue May 31, 2011 10:21 pm
Full Name: Thomas Moy

Re: Feature Request - Tape Encryption

Veeam Logoby peterfon » Wed Oct 16, 2013 7:18 am

foggy wrote:Jason, thanks for the feedback. Already on our short-term list.

Please be aware that you have the ability to use hardware-based encryption provided by the library.


How short-term is short-term?

We are in the process of switching our servers from Windows 2003 to Hyper-V Windows 2012 r2 however our backups must be encrypted. Our hardware doesn't support hardware encryption so that leaves us in a position where by Veeam is simply a non-starter.

Granted we aren't the biggest but we do have 14 sockets that we would be looking to license at enterprise plus which is £20k worth of licensing fees (probably a very good start towards the developmental costs for this feature). Just wanted to point out that while the existing users are raising the issue it is also putting off potential buyers which is costing you sales. I'm sure I am not the only one out there who simply can't purchase Veeam without encryption.
peterfon
Lurker
 
Posts: 2
Liked: never
Joined: Wed Oct 16, 2013 6:58 am

Next

Return to Tape



Who is online

Users browsing this forum: Google [Bot] and 8 guests