?
Solved

Backup Encryption

Posted on 2011-10-04
2
Medium Priority
?
1,491 Views
Last Modified: 2012-05-12
Hi,

We are using Symantec Backup Exec 2010 R3 and HP 1/8 G2 Autoloader for backup. We are doing Disk to Disk to Tape backup. I need to encrypt the backup taken to disk & as well as to tape. Which type of Encrytion should I use either Hardware or Software encryption? Which one is better & why?

Please advice.
0
Comment
Question by:sskay2000
2 Comments
 
LVL 5

Expert Comment

by:hax1
ID: 36909746
Hardware encryption requires you to buy hardware, which has a cost - if you use software encryption, your CPU has to do the encrypting and decrypting, otherwise it's basically the same thing.

I'd recommend using an encrypted partition on the backup drive(s) using software encryption if the server isn't at its limit ... I have no clue about possible hardware encryption for tapes.
0
 
LVL 21

Accepted Solution

by:
SelfGovern earned 2000 total points
ID: 36916316
Most any backup application can perform software encryption -- that is, as part of the backup process, and before the backup job is written, the data is encrypted using a module in the backup application software.
Plusess: It works for any backup target (LTO-1, DAT, SDLT, disk, ...)
MInuses: Encryption is CPU intensive, and it may slow down your backup job
                  Since the data is encrypted when it gets to the tape drive, you will get no compression
                  Passphrase-generated keys won't be as secure as random keys
                  You *must* have processes to backup your encryption keys, else loss of the
                  backup server means you've lost all your backup data.
                 May require purchase of encryption module from backup app vendor

LTO-4 and LTO-5 drives from HP all support hardware encryption.  You provide the key, the drive does all the work with no loss of performance or compression. The key can be provided one of two ways:
1) Through the backup application (usually passphrase-generated)
Pluses: No additional load on backup server; tape drive HW does all the work
               No loss of compression since data is compressed, then encrypted, then written
               As long as you have the key or passphrase, you can restore that tape with that
               backup application from any tape drive that supports that tape cartridge
Minuses: Passphrase-generated keys won't be as secure as random keys
                  You *must* have processes to backup your encryption keys, else loss of the
                  backup server means you've lost all your backup data.
                 May require purchase of encryption module from backup app vendor
2) Through some sort of separate HW key manager or key generator such as the HP Encryption Kit for MSL libraries and 1/8 autoloader
Pluses: No additional load on backup server; tape drive HW does all the work
               No loss of compression since data is compressed, then encrypted, then written
               Generates random, and thus the most secure, keys
               Support for automatically generating new keys
               Harder to 'cheat' and turn encryption off
               Backup application blissfully unaware of encryption, no additional license needed
Minuses: You have to purchase the device ($2500(?) for the Encryption Kit, other solutions
                  likely more expensive
                  Still important to backup the keys!
                  Must be restored from hardware that supports the key gen device
-------------
I think that is a fairly complete list of pros and cons of each.
Note that you can encrypt your tape backups WITHOUT buying any new HW other than your LTO-4 or LTO-5 tape drive.
Hax1 is correct that a combination of one of the methods I've outlined for HW tape encryption and having the OS encrypt the disk partition would be best, particularly if your data is significantly compressible.
.
MSL Encryption Kit info in the QuickSpecs at
http://h18000.www1.hp.com/products/quickspecs/13258_div/13258_div.html#data_encryption
(Same kit works for MSL and 1/8 G2 autoloader)
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question