Backup Encryption

Hi,

We are using Symantec Backup Exec 2010 R3 and HP 1/8 G2 Autoloader for backup. We are doing Disk to Disk to Tape backup. I need to encrypt the backup taken to disk as well as to tape. Which type of encryption should I use, hardware or software encryption? Which one is better & why?

Please advise.
sskay2000 Asked:
 
Thomas Rush Commented:
Most any backup application can perform software encryption -- that is, as part of the backup process, and before the backup job is written, the data is encrypted using a module in the backup application software.
Pluses: It works for any backup target (LTO-1, DAT, SDLT, disk, ...)
Minuses: Encryption is CPU intensive, and it may slow down your backup job
         Since the data is encrypted when it gets to the tape drive, you will get no compression
         Passphrase-generated keys won't be as secure as random keys
         You *must* have processes to back up your encryption keys, else loss of the backup server means you've lost all your backup data.
         May require purchase of encryption module from backup app vendor

LTO-4 and LTO-5 drives from HP all support hardware encryption.  You provide the key, the drive does all the work with no loss of performance or compression. The key can be provided one of two ways:
1) Through the backup application (usually passphrase-generated)
Pluses: No additional load on backup server; tape drive HW does all the work
        No loss of compression since data is compressed, then encrypted, then written
        As long as you have the key or passphrase, you can restore that tape with that backup application from any tape drive that supports that tape cartridge
Minuses: Passphrase-generated keys won't be as secure as random keys
         You *must* have processes to back up your encryption keys, else loss of the backup server means you've lost all your backup data.
         May require purchase of encryption module from backup app vendor
2) Through some sort of separate HW key manager or key generator such as the HP Encryption Kit for MSL libraries and 1/8 autoloader
Pluses: No additional load on backup server; tape drive HW does all the work
        No loss of compression since data is compressed, then encrypted, then written
        Generates random, and thus the most secure, keys
        Support for automatically generating new keys
        Harder to 'cheat' and turn encryption off
        Backup application blissfully unaware of encryption, no additional license needed
Minuses: You have to purchase the device ($2500(?) for the Encryption Kit, other solutions likely more expensive)
         Still important to back up the keys!
         Must be restored from hardware that supports the key gen device
-------------
I think that is a fairly complete list of pros and cons of each.
Note that you can encrypt your tape backups WITHOUT buying any new HW other than your LTO-4 or LTO-5 tape drive.
Hax1 is correct that a combination of one of the methods I've outlined for HW tape encryption and having the OS encrypt the disk partition would be best, particularly if your data is significantly compressible.
MSL Encryption Kit info in the QuickSpecs at
http://h18000.www1.hp.com/products/quickspecs/13258_div/13258_div.html#data_encryption
(Same kit works for MSL and 1/8 G2 autoloader)
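
The compression point in the answer above can be checked directly. The following is an added example, not part of the original post or of any vendor's code: it compares the bytes that would reach the media when data is encrypted before compression (software encryption in the backup application) versus compressed and then encrypted (LTO-4/LTO-5 drive encryption). It assumes zlib as a stand-in for the drive's compression and a SHA-256 counter keystream as a stand-in for the real cipher; all names and the sample data are constructed for illustration.

```python
import hashlib
import zlib

# Constructed demo key; a real key would come from a key manager or a CSPRNG.
DEMO_KEY = bytes(range(32))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA-256(key || counter) blocks.

    Illustration only, not for protecting real backups. Applying it twice
    with the same key returns the original data.
    """
    out = bytearray(len(data))
    for block, offset in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out[offset:offset + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)


def written_bytes(data: bytes, key: bytes, order: str) -> int:
    """Return how many bytes end up on the media for the given ordering."""
    if order == "encrypt-then-compress":
        # Software encryption in the backup app; the drive then sees ciphertext.
        return len(zlib.compress(keystream_xor(key, data)))
    if order == "compress-then-encrypt":
        # Drive-side encryption: data is compressed first, then encrypted.
        return len(keystream_xor(key, zlib.compress(data)))
    raise ValueError(f"unknown order: {order}")


def sample_backup_data() -> bytes:
    """Constructed sample: repetitive, log-like text that compresses well."""
    line = b"2011-03-14 02:00:00 job=nightly-full status=OK files=18234\n"
    return line * 2000


if __name__ == "__main__":
    data = sample_backup_data()
    print("original size        :", len(data))
    for order in ("encrypt-then-compress", "compress-then-encrypt"):
        print(f"{order:21}:", written_bytes(data, DEMO_KEY, order))
```
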
 
hax1 Commented:
Hardware encryption requires you to buy hardware, which has a cost - if you use software encryption, your CPU has to do the encrypting and decrypting, otherwise it's basically the same thing.

I'd recommend using an encrypted partition on the backup drive(s) using software encryption if the server isn't at its limit ... I have no clue about possible hardware encryption for tapes.