Solved

Restoring encrypted PowerVault TL4000 backups on other tape drives - any experience

Posted on 2009-05-15
4
918 Views
Last Modified: 2013-12-01
Hi there,

I have a Powervault TL4000 which I'm about to enable the hardware encryption module on. We use BackupExec 12 to perform the backups, and are using the encryption facilities in that to management the process.

My question is this: If the TL4000 was broken, or not available due to a disaster, is it possible to retrieve data from encrypted tapes on another device? Of course I would have the encryption key, but does the TL4000 add something extra to the process that stops this happening?

The manuals and Symantec's support don't seem to help much with this! A lot of information is contradictory, and finding the reality is a bit difficult.

Thanks,
Steve


0
Comment
Question by:dazzab30
  • 2
4 Comments
 
LVL 22

Accepted Solution

by:
dovidmichel earned 125 total points
ID: 24395739
As per the LTO standard any LTO4 with hardware encryption should be able to read the data. But for something like this I would recommend sticking with either a Dell or IBM LTO4.

Dell has someone else (IBM) make their LTO tape drives for them. The only change is in the firmware Inquiry string so it reports itself as a Dell.
0
 

Author Comment

by:dazzab30
ID: 24397074
Thanks for response.

I'm still not clear on whether these encrypted tapes could be restored though. I've got Dell technical support and our off-site tape storage company trying find out.
0
 

Author Comment

by:dazzab30
ID: 24409961
Points increase to encourage some more interest!
0
 
LVL 20

Assisted Solution

by:SelfGovern
SelfGovern earned 125 total points
ID: 24428413
Who manages the keys?   That's the most important question.   *IF* your backup application creates and manages the keys, then you will be able to restore tapes using any encryption-supporting LTO-4 drive attached to that backup application.

The caveats are:
1. The tape drive has to support HW encryption.  I understand that some IBM LTO-4 don't (the SCSI versions?), while all HP LTO-4 (for instance), do.
2. MOST IMPORTANT: You must back up the key database through a process APART FROM your normal backups.  Store those keys in an encrypted file, multiple copies to different media, preferably, that is NOT backed up using the backup software's encryption tools.  If you back up to CD, use ARCHIVAL QUALITY media ONLY.  
3. If you use a key manager other than the backup application, then you will have to restore on a device that your key manager supports... this is the weakness in key management today: interoperability of key managers is... er... "lacking".  But they're working on it.

I know that the above is true, because I have written and delivered a lab on encryption where we used HP Data Protector to generate keys for LTO-4 HW encryption on an HP-manufactured drive, and then took that encrypted tape, put it in to a Quantum library with an IBM-manufactured drive, and successfully decrypted it.

Encryption interoperability is part of the LTO standard... but DO be aware of key management, DO keep sepatate copies of your keys, and DO test your restore procedures.   Perhaps you can find another site that uses LTO-4 software-managed keys and mutually test your restores just to be sure.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Create your own, high-performance VM backup appliance by installing NAKIVO Backup & Replication directly onto a Synology NAS!
The article will include the best Data Recovery Tools along with their Features, Capabilities, and their Download Links. Hope you’ll enjoy it and will choose the one as required by you.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question