Solved

Restoring encrypted PowerVault TL4000 backups on other tape drives - any experience

Posted on 2009-05-15
4
939 Views
Last Modified: 2013-12-01
Hi there,

I have a Powervault TL4000 which I'm about to enable the hardware encryption module on. We use BackupExec 12 to perform the backups, and are using the encryption facilities in that to management the process.

My question is this: If the TL4000 was broken, or not available due to a disaster, is it possible to retrieve data from encrypted tapes on another device? Of course I would have the encryption key, but does the TL4000 add something extra to the process that stops this happening?

The manuals and Symantec's support don't seem to help much with this! A lot of information is contradictory, and finding the reality is a bit difficult.

Thanks,
Steve


0
Comment
Question by:dazzab30
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 22

Accepted Solution

by:
dovidmichel earned 125 total points
ID: 24395739
As per the LTO standard any LTO4 with hardware encryption should be able to read the data. But for something like this I would recommend sticking with either a Dell or IBM LTO4.

Dell has someone else (IBM) make their LTO tape drives for them. The only change is in the firmware Inquiry string so it reports itself as a Dell.
0
 

Author Comment

by:dazzab30
ID: 24397074
Thanks for response.

I'm still not clear on whether these encrypted tapes could be restored though. I've got Dell technical support and our off-site tape storage company trying find out.
0
 

Author Comment

by:dazzab30
ID: 24409961
Points increase to encourage some more interest!
0
 
LVL 21

Assisted Solution

by:SelfGovern
SelfGovern earned 125 total points
ID: 24428413
Who manages the keys?   That's the most important question.   *IF* your backup application creates and manages the keys, then you will be able to restore tapes using any encryption-supporting LTO-4 drive attached to that backup application.

The caveats are:
1. The tape drive has to support HW encryption.  I understand that some IBM LTO-4 don't (the SCSI versions?), while all HP LTO-4 (for instance), do.
2. MOST IMPORTANT: You must back up the key database through a process APART FROM your normal backups.  Store those keys in an encrypted file, multiple copies to different media, preferably, that is NOT backed up using the backup software's encryption tools.  If you back up to CD, use ARCHIVAL QUALITY media ONLY.  
3. If you use a key manager other than the backup application, then you will have to restore on a device that your key manager supports... this is the weakness in key management today: interoperability of key managers is... er... "lacking".  But they're working on it.

I know that the above is true, because I have written and delivered a lab on encryption where we used HP Data Protector to generate keys for LTO-4 HW encryption on an HP-manufactured drive, and then took that encrypted tape, put it in to a Quantum library with an IBM-manufactured drive, and successfully decrypted it.

Encryption interoperability is part of the LTO standard... but DO be aware of key management, DO keep sepatate copies of your keys, and DO test your restore procedures.   Perhaps you can find another site that uses LTO-4 software-managed keys and mutually test your restores just to be sure.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Create your own, high-performance VM backup appliance by installing NAKIVO Backup & Replication directly onto a Synology NAS!
Finding original email is quite difficult due to their duplicates. From this article, you will come to know why multiple duplicates of same emails appear and how to delete duplicate emails from Outlook securely and instantly while vital emails remai…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question