How does Backup Exec 2012 and MSL4048 LTO-4 work together as far as encryption


I'm trying to figure out how does Backup Exec 2012 and a HP MSL4048 with LTO-4 backup tapes work together (if they are supposed to) as far as encryption.

1. I have a HP MSL4048 Tape Library that uses LTO-4 backup tapes.
2. I have implemented the MSL LTO-4 Encryption Kit on the Tape Library with a primary key server token and a backup key server token.
3. I did some test backups and restore backups in Backup Exec 2012 to see if encryption from the Tape Library mentioned above would prompt me for a password. The job was successful in each case but I was not prompted for any encryption password.
4. Does Backup Exec 2012 and HP MSL4048 Tape Library supposed to work together as far as encryption?
5. I do not have encryption setup in Backup Exec 2012. Do I need to setup encryption on Backup Exec as well?
6. In this scenario is it just that encryption is supposed to be setup on both ends (Backup Exec and the MSL4048 Tape Library to protect both ends?

Just trying to piece this all together. Thanks in advance.
Who is Participating?
SelfGovernConnect With a Mentor Commented:
Hi, jslaught.  I used to work at HP with these libraries, and wrote an encryption lab that was used at Storage Networking World and other places.

The MSL Encryption Kit creates encrypted tapes transparent to the backup application.  So it sounds like you have things configured correctly.  Just to confirm -- when you got the encryption kit, you inserted a token into the back of the library, then went in to the library management GUI to create a password for the Security user.  You then went to the security tab in the GUI and enabled encryption on some partition(s) or whole library.  If so, you're all set.

You can test that the tapes are encrypted by any of these steps:
1) Take the tape to a drive outside the library and try to catalog and read it with BE.  
2) Put the tape into a slot in a non-encrypting partition of the library and try to read it with BE.
3) During a lull time, turn encryption off, remove the key server token, then try to read an encrypted tape with BE.

In all cases above, BE will be able to see the tape as an LTO-4 tape, but it will not be able to read the data on the tape itself.

Now, a couple of pointers and insights into encryption:
1) You can't tell BE to use HW encryption on drives in a partition set to "encrypt" with the encryption kit.  There can be only one hardware encryption manager -- the application or some kind of encryption HW, not both.
2) You could tell BE to encrypt in software and have the encryption kit encrypt as well, but this would be a waste of CPU power on your backup server, and will double or more the complexity of decrypting a tape.
3) You got two tokens with your Encryption Kit.  Make sure that a) you back up your encryption keys to the other token whenever an new key is created, and, b) you store the second token at a safe off-site location.  If you lose your keys, there's no back door to get them back!
4) If you have a DR or partner site somewhere with another MSL library, you can have that site store the second Key Server Token.  From your main library, you can export the keys to an encrypted file when you generate a new key, and then send that encrypted file (email?) to the second site, call them to give them the password, and they can then upload the new keys into their token.
5) I like the security on the MSL Encryption Kit, in that if someone ever tries to run a non-encrypted job by pulling the key server token out of the library, backup jobs will fail until the key is re-inserted *and its password re-entered*.
6) If you're in an organization where security is important, you will have two groups of users: The first is the people with the MSL library password, but not the Encryption Kit password.  The second group should be different people, these will have the Encryption Kit password, but not the MSL library password.   This way it takes two people colluding to circumvent the encryption and generate a non-encrypted tape.
7) With the MSL4048, you can have up to as many partitions as you have tape drives.  Some users choose to create non-encrypting partitions for data that's not sensitive, and encrypting partitions where all data is encrypted.  There's no performance penalty for encryption, so this probably doesn't matter for most.  One scenario I could see where it would come into play is if you needed to exchange tapes with another site, but they did not have an MSL library, or you didn't wish to share your encryption infrastructure with them.
8) You can use the library GUI to have the token automatically create new keys periodically.   The key server token can store 100 keys.  So if you create a new key every week, you can store almost two years' worth of keys on one token.  A new key every month means you can keep 8 years' worth of keys on one token.  **JUST REMEMBER** to have as part of your processes a backup of the new key as soon as it is generated.  Lost keys cannot be "found", and any tapes written with those keys will be gone, worthless, unreadable (but can be overwritten by force with HP's Library and Tape Tools, so they can be re-used).  Few businesses need the security of creating a new key more than once a month (in my humble opinion), and if you're one of the ones that does, you probably know already.  There is a bit of added complexity in restoring tapes when the tapes use keys that are not on your current token, so a new-key-every-four-weeks is probably a great sweet spot.
@SelfGovern thanks for such a well written post
jslaughtAuthor Commented:
Yes very good feedback from selfGovern thank you. I was able to do #3 successfully above from your reply post (turn encryption off, remove the key server token, then try to read an encrypted tape with BE).

I also tested trying to do a restore (have BE read an encrypted tape) (1) when the tape library encryption is turned off but the key server token is still plugged in . I was not able to do a successful restore which is what we want in this case. Another test I tried was doing a restore (have BE read an encrypted tape) (2) when the tape library encryption is turned on but the token is removed. This too did not allow me to do a restore within BE which is also what we want in this case.

When doing the tests mentioned above, I also noticed that when the restore job would fail, BE would automatically retire the tape. When the job failed, BE produced the following alert message (Library Insert - Please insert media into the robotic library by creating an Import media job) . The message was due to BE not being able to read the encrypted tape when encryption was turned off or not fully enabled. A cancel of this job is required as well.

I'm not sure why BE retires the tape but I was able to figure out that in order to see the data again from a retired state, all I had to do was move the tape back into it's original media set and then re-inventory the tape. Then it became available to be used within BE and perform restore jobs if need be.

So ... selfGovern's written post was onpoint and helped me verify encryption within the tape library and BE and explore some scenarios on my own. Much appreciated ... much appreciated!
jslaughtAuthor Commented:
Excellent knowledge from the experts!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.