Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 968
  • Last Modified:

Restoring encrypted PowerVault TL4000 backups on other tape drives - any experience

Hi there,

I have a Powervault TL4000 which I'm about to enable the hardware encryption module on. We use BackupExec 12 to perform the backups, and are using the encryption facilities in that to management the process.

My question is this: If the TL4000 was broken, or not available due to a disaster, is it possible to retrieve data from encrypted tapes on another device? Of course I would have the encryption key, but does the TL4000 add something extra to the process that stops this happening?

The manuals and Symantec's support don't seem to help much with this! A lot of information is contradictory, and finding the reality is a bit difficult.

Thanks,
Steve


0
dazzab30
Asked:
dazzab30
  • 2
2 Solutions
 
dovidmichelCommented:
As per the LTO standard any LTO4 with hardware encryption should be able to read the data. But for something like this I would recommend sticking with either a Dell or IBM LTO4.

Dell has someone else (IBM) make their LTO tape drives for them. The only change is in the firmware Inquiry string so it reports itself as a Dell.
0
 
dazzab30Author Commented:
Thanks for response.

I'm still not clear on whether these encrypted tapes could be restored though. I've got Dell technical support and our off-site tape storage company trying find out.
0
 
dazzab30Author Commented:
Points increase to encourage some more interest!
0
 
SelfGovernCommented:
Who manages the keys?   That's the most important question.   *IF* your backup application creates and manages the keys, then you will be able to restore tapes using any encryption-supporting LTO-4 drive attached to that backup application.

The caveats are:
1. The tape drive has to support HW encryption.  I understand that some IBM LTO-4 don't (the SCSI versions?), while all HP LTO-4 (for instance), do.
2. MOST IMPORTANT: You must back up the key database through a process APART FROM your normal backups.  Store those keys in an encrypted file, multiple copies to different media, preferably, that is NOT backed up using the backup software's encryption tools.  If you back up to CD, use ARCHIVAL QUALITY media ONLY.  
3. If you use a key manager other than the backup application, then you will have to restore on a device that your key manager supports... this is the weakness in key management today: interoperability of key managers is... er... "lacking".  But they're working on it.

I know that the above is true, because I have written and delivered a lab on encryption where we used HP Data Protector to generate keys for LTO-4 HW encryption on an HP-manufactured drive, and then took that encrypted tape, put it in to a Quantum library with an IBM-manufactured drive, and successfully decrypted it.

Encryption interoperability is part of the LTO standard... but DO be aware of key management, DO keep sepatate copies of your keys, and DO test your restore procedures.   Perhaps you can find another site that uses LTO-4 software-managed keys and mutually test your restores just to be sure.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now