Solved

Restoring encrypted PowerVault TL4000 backups on other tape drives - any experience

Posted on 2009-05-15
4
905 Views
Last Modified: 2013-12-01
Hi there,

I have a Powervault TL4000 which I'm about to enable the hardware encryption module on. We use BackupExec 12 to perform the backups, and are using the encryption facilities in that to management the process.

My question is this: If the TL4000 was broken, or not available due to a disaster, is it possible to retrieve data from encrypted tapes on another device? Of course I would have the encryption key, but does the TL4000 add something extra to the process that stops this happening?

The manuals and Symantec's support don't seem to help much with this! A lot of information is contradictory, and finding the reality is a bit difficult.

Thanks,
Steve


0
Comment
Question by:dazzab30
  • 2
4 Comments
 
LVL 22

Accepted Solution

by:
dovidmichel earned 125 total points
ID: 24395739
As per the LTO standard any LTO4 with hardware encryption should be able to read the data. But for something like this I would recommend sticking with either a Dell or IBM LTO4.

Dell has someone else (IBM) make their LTO tape drives for them. The only change is in the firmware Inquiry string so it reports itself as a Dell.
0
 

Author Comment

by:dazzab30
ID: 24397074
Thanks for response.

I'm still not clear on whether these encrypted tapes could be restored though. I've got Dell technical support and our off-site tape storage company trying find out.
0
 

Author Comment

by:dazzab30
ID: 24409961
Points increase to encourage some more interest!
0
 
LVL 20

Assisted Solution

by:SelfGovern
SelfGovern earned 125 total points
ID: 24428413
Who manages the keys?   That's the most important question.   *IF* your backup application creates and manages the keys, then you will be able to restore tapes using any encryption-supporting LTO-4 drive attached to that backup application.

The caveats are:
1. The tape drive has to support HW encryption.  I understand that some IBM LTO-4 don't (the SCSI versions?), while all HP LTO-4 (for instance), do.
2. MOST IMPORTANT: You must back up the key database through a process APART FROM your normal backups.  Store those keys in an encrypted file, multiple copies to different media, preferably, that is NOT backed up using the backup software's encryption tools.  If you back up to CD, use ARCHIVAL QUALITY media ONLY.  
3. If you use a key manager other than the backup application, then you will have to restore on a device that your key manager supports... this is the weakness in key management today: interoperability of key managers is... er... "lacking".  But they're working on it.

I know that the above is true, because I have written and delivered a lab on encryption where we used HP Data Protector to generate keys for LTO-4 HW encryption on an HP-manufactured drive, and then took that encrypted tape, put it in to a Quantum library with an IBM-manufactured drive, and successfully decrypted it.

Encryption interoperability is part of the LTO standard... but DO be aware of key management, DO keep sepatate copies of your keys, and DO test your restore procedures.   Perhaps you can find another site that uses LTO-4 software-managed keys and mutually test your restores just to be sure.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Having issues meeting security compliance criteria because of those pesky USB drives? Then I can help you! This article will explain how to disable USB Mass Storage devices in Windows Server 2008 R2.
This article is an update and follow-up of my previous article:   Storage 101: common concepts in the IT enterprise storage This time, I expand on more frequently used storage concepts.
This video teaches viewers how to encrypt an external drive that requires a password to read and edit the drive. All tasks are done in Disk Utility. Plug in the external drive you wish to encrypt: Make sure all previous data on the drive has been …
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now