
How do Backup Exec 2012 and an MSL4048 LTO-4 work together as far as encryption?

Posted on 2013-01-28
Medium Priority
Last Modified: 2013-01-31

I'm trying to figure out how Backup Exec 2012 and an HP MSL4048 with LTO-4 backup tapes work together (if they are supposed to) as far as encryption.

1. I have an HP MSL4048 Tape Library that uses LTO-4 backup tapes.
2. I have implemented the MSL LTO-4 Encryption Kit on the Tape Library with a primary key server token and a backup key server token.
3. I did some test backups and restores in Backup Exec 2012 to see if encryption from the Tape Library mentioned above would prompt me for a password. The job was successful in each case, but I was not prompted for any encryption password.
4. Are Backup Exec 2012 and the HP MSL4048 Tape Library supposed to work together as far as encryption?
5. I do not have encryption set up in Backup Exec 2012. Do I need to set up encryption on Backup Exec as well?
6. In this scenario, is encryption supposed to be set up on both ends (Backup Exec and the MSL4048 Tape Library) to protect both ends?

Just trying to piece this all together. Thanks in advance.
Question by: jslaught

Accepted Solution

SelfGovern earned 500 total points
ID: 38832628
Hi, jslaught. I used to work at HP with these libraries, and wrote an encryption lab that was used at Storage Networking World and other places.

The MSL Encryption Kit creates encrypted tapes transparently to the backup application. So it sounds like you have things configured correctly. Just to confirm -- when you got the encryption kit, you inserted a token into the back of the library, then went into the library management GUI to create a password for the Security user. You then went to the security tab in the GUI and enabled encryption on some partition(s) or the whole library. If so, you're all set.

You can test that the tapes are encrypted by any of these steps:
1) Take the tape to a drive outside the library and try to catalog and read it with BE.  
2) Put the tape into a slot in a non-encrypting partition of the library and try to read it with BE.
3) During a lull time, turn encryption off, remove the key server token, then try to read an encrypted tape with BE.

In all cases above, BE will be able to see the tape as an LTO-4 tape, but it will not be able to read the data on the tape itself.

Now, a couple of pointers and insights into encryption:
1) You can't tell BE to use HW encryption on drives in a partition set to "encrypt" with the encryption kit.  There can be only one hardware encryption manager -- the application or some kind of encryption HW, not both.
2) You could tell BE to encrypt in software and have the encryption kit encrypt as well, but this would be a waste of CPU power on your backup server, and will double or more the complexity of decrypting a tape.
3) You got two tokens with your Encryption Kit.  Make sure that a) you back up your encryption keys to the other token whenever a new key is created, and, b) you store the second token at a safe off-site location.  If you lose your keys, there's no back door to get them back!
4) If you have a DR or partner site somewhere with another MSL library, you can have that site store the second Key Server Token.  From your main library, you can export the keys to an encrypted file when you generate a new key, and then send that encrypted file (email?) to the second site, call them to give them the password, and they can then upload the new keys into their token.
5) I like the security on the MSL Encryption Kit, in that if someone ever tries to run a non-encrypted job by pulling the key server token out of the library, backup jobs will fail until the key is re-inserted *and its password re-entered*.
6) If you're in an organization where security is important, you will have two groups of users: The first is the people with the MSL library password, but not the Encryption Kit password.  The second group should be different people, these will have the Encryption Kit password, but not the MSL library password.   This way it takes two people colluding to circumvent the encryption and generate a non-encrypted tape.
7) With the MSL4048, you can have up to as many partitions as you have tape drives.  Some users choose to create non-encrypting partitions for data that's not sensitive, and encrypting partitions where all data is encrypted.  There's no performance penalty for encryption, so this probably doesn't matter for most.  One scenario I could see where it would come into play is if you needed to exchange tapes with another site, but they did not have an MSL library, or you didn't wish to share your encryption infrastructure with them.
8) You can use the library GUI to have the token automatically create new keys periodically.   The key server token can store 100 keys.  So if you create a new key every week, you can store almost two years' worth of keys on one token.  A new key every month means you can keep 8 years' worth of keys on one token.  **JUST REMEMBER** to have as part of your processes a backup of the new key as soon as it is generated.  Lost keys cannot be "found", and any tapes written with those keys will be gone, worthless, unreadable (but can be overwritten by force with HP's Library and Tape Tools, so they can be re-used).  Few businesses need the security of creating a new key more than once a month (in my humble opinion), and if you're one of the ones that does, you probably know already.  There is a bit of added complexity in restoring tapes when the tapes use keys that are not on your current token, so a new-key-every-four-weeks is probably a great sweet spot.

Expert Comment

ID: 38833102
@SelfGovern thanks for such a well-written post

Author Comment

ID: 38836035
Yes, very good feedback from SelfGovern, thank you. I was able to do #3 above from your reply post successfully (turn encryption off, remove the key server token, then try to read an encrypted tape with BE).

I also tested trying to do a restore (have BE read an encrypted tape) (1) when the tape library encryption is turned off but the key server token is still plugged in. I was not able to do a successful restore, which is what we want in this case. Another test I tried was doing a restore (have BE read an encrypted tape) (2) when the tape library encryption is turned on but the token is removed. This too did not allow me to do a restore within BE, which is also what we want in this case.

When doing the tests mentioned above, I also noticed that when the restore job would fail, BE would automatically retire the tape. When the job failed, BE produced the following alert message (Library Insert - Please insert media into the robotic library by creating an Import media job). The message was due to BE not being able to read the encrypted tape when encryption was turned off or not fully enabled. A cancel of this job is required as well.

I'm not sure why BE retires the tape, but I was able to figure out that in order to see the data again from a retired state, all I had to do was move the tape back into its original media set and then re-inventory the tape. Then it became available to be used within BE and perform restore jobs if need be.

So ... SelfGovern's written post was on point and helped me verify encryption within the tape library and BE and explore some scenarios on my own. Much appreciated ... much appreciated!

Author Closing Comment

ID: 38839676
Excellent knowledge from the experts!
