Practical use of the HP Ultrium LTO4 Tape Drive with encryption
To use the encryption feature of the Ultrium LTO-4 Tape Drive, you have to instruct the tape drive to encrypt or decrypt data and issue the appropriate key. Encryption is not enabled by default, and the keys are not retained in the drive once power is removed. The new SCSI commands SPOUT (Security Protocol Out) and SPIN (Security Protocol In) are used to enable encryption and to supply the key together with its key-associated data, which is used to reference the correct key when restoring data. There are several ways to implement encryption for tape drives. The following lists the different methods for completeness; however, not all of these methods are referenced solutions.
Software-based encryption
Software-based encryption encrypts the data before it leaves the server, and the keys are stored in the internal database or catalog of the application. This method places a high load on the server, as the software performs many mathematical operations using host processing power. Several applications, including HP OpenView Storage Data Protector 6.0, offer encryption as a feature. Although the security of data encrypted this way is very high (the data is already encrypted while in transit), encrypted data is highly random, so no data compression can be achieved downstream in the tape drive and storage is therefore inefficient.
Keys managed by the ISV application, also known as in-band key management
The ISV software supplies and manages the keys, and the Ultrium LTO4 Tape Drive then performs the encryption. Keys are referenced by the key-associated data and stored in the application's internal database. (Please refer to your individual ISV backup application vendor for support of this functionality.)
Native mode encryption
This method controls the LTO4 encryption from within the tape library. A single key is set by way of the library management interface (Web GUI or Operator Control Panel). This method encrypts all tapes with the same key, which lowers the security level.
An in-band encryption appliance
An in-band encryption appliance intercepts the Fibre Channel links and encrypts the data in-flight. These products are available from several vendors such as NeoScale and Decru. Key management is handled by a hardened key management appliance. This method is independent of ISV software and supports legacy tape drives and libraries. Data compression must be performed by these devices, as compression within the tape drive is not possible after encryption.
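As an added example (not from this white paper, HP, or any appliance vendor), the following Python shows why ordering matters for the software-encryption and appliance methods above: a compressible backup stream shrinks when it is compressed before encryption, but a compressor fed ciphertext finds nothing to squeeze. The stream cipher here is a constructed SHA-256 counter-mode stand-in, not the drive's AES, and the sample records are made up.

```python
import hashlib
import secrets
import zlib


def toy_keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for the drive's AES (constructed for this example, NOT AES and
    # not for real use): a SHA-256 counter-mode keystream XORed over the data.
    # The only property it shares with real ciphertext is that it looks random.
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


def compression_ratio(data: bytes) -> float:
    # Compressed size / original size. zlib stands in for the drive's own
    # LTO hardware compression, which behaves the same way on random input.
    return len(zlib.compress(data, 6)) / len(data)


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    # The order the drive uses: compress first, then encrypt the smaller stream.
    return toy_keystream_xor(key, zlib.compress(data, 6))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    # The order host-side software encryption forces on the drive: the drive
    # receives ciphertext, so its compressor cannot reduce it.
    return zlib.compress(toy_keystream_xor(key, data), 6)


# Constructed sample backup stream: repetitive, highly compressible records.
SAMPLE_STREAM = b"".join(
    b"2008-05-28 host%03d backup OK size=4096\n" % (i % 50) for i in range(2000)
)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # 256-bit key, fresh for this run
    print("original:               %d bytes" % len(SAMPLE_STREAM))
    print("plaintext compresses to %.3f of its size" % compression_ratio(SAMPLE_STREAM))
    print("compress-then-encrypt:  %d bytes" % len(compress_then_encrypt(key, SAMPLE_STREAM)))
    print("encrypt-then-compress:  %d bytes" % len(encrypt_then_compress(key, SAMPLE_STREAM)))
```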
Key management is a vital component of any cryptographic system. Keys must be generated, stored, and issued as required, and destroyed when no longer required. Keys for the Ultrium LTO4 Tape Drive encryption function are 256 bits long, with new keys typically issued for each tape. The SCSI initiator sets or unsets the keys, and to accommodate multiple SCSI initiators, which are common in an enterprise-level application, the LTO4 tape drive can hold up to 32 different keys. Good encryption practice requires the generation of unpredictable random keys, and realistically this is not a manual task. Some applications use a passphrase system to generate keys, but this can weaken the cryptography. The key is generated by hashing the passphrase with a secret number; however, such hashes can be broken if guesses are made for standard English words or names. Modern computer hardware, for example, can break passwords produced by a hash algorithm in approximately 15 seconds if standard words are contained in the original password. Passphrase generation can still be an effective solution in the SMB market, where the security of tape is important but a full key management system is expensive and too complicated. It is also necessary to have a key destruction system for when a tape is no longer in use or is recycled by the backup application. In an enterprise-wide key management unit there may be several thousand keys in use at any one time.
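As an added example (not the drive's firmware and not any ISV product), this Python model of in-band key management shows the points made above in working code: one random 256-bit key per tape referenced by key-associated data (KAD), a drive key table limited to 32 volatile entries that power loss empties, and key destruction when a tape is recycled. The 16-byte KAD layout is an assumption; the page does not define the KAD format.

```python
import secrets
from typing import Dict, Optional, Tuple

KEY_BITS = 256          # LTO4 data keys are 256 bits long
DRIVE_KEY_SLOTS = 32    # the drive holds at most 32 keys for multiple initiators


class KeyManager:
    """Toy application-side (in-band) key manager: one fresh random key per
    tape, a catalog keyed by KAD, and destruction when a tape is retired."""

    def __init__(self) -> None:
        self._catalog: Dict[bytes, Tuple[str, bytes]] = {}  # KAD -> (tape, key)

    def issue_key(self, tape_label: str) -> Tuple[bytes, bytes]:
        # Keys come from the OS CSPRNG, never from a passphrase hash, so no
        # dictionary of words can enumerate them. 16-byte KAD is an assumption.
        key = secrets.token_bytes(KEY_BITS // 8)
        kad = secrets.token_bytes(16)
        while kad in self._catalog:            # KAD must be unique in the catalog
            kad = secrets.token_bytes(16)
        self._catalog[kad] = (tape_label, key)
        return kad, key

    def key_for(self, kad: bytes) -> Optional[bytes]:
        # Restore path: the KAD read back from the tape selects the right key.
        entry = self._catalog.get(kad)
        return None if entry is None else entry[1]

    def destroy(self, kad: bytes) -> bool:
        # Key destruction on recycling; once the key is gone the tape is unreadable.
        return self._catalog.pop(kad, None) is not None


class DriveKeyTable:
    """Models the drive's volatile key slots: loaded by the initiator, capped
    at DRIVE_KEY_SLOTS entries, and emptied when power is removed."""

    def __init__(self) -> None:
        self._slots: Dict[bytes, bytes] = {}

    def load(self, kad: bytes, key: bytes) -> None:
        if kad not in self._slots and len(self._slots) >= DRIVE_KEY_SLOTS:
            raise RuntimeError("all %d drive key slots in use" % DRIVE_KEY_SLOTS)
        self._slots[kad] = key

    def has_key(self, kad: bytes) -> bool:
        return kad in self._slots

    def power_cycle(self) -> None:
        self._slots.clear()   # keys are not retained across power loss
```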
Cryptography is an extensive subject; this white paper has been written to introduce the basic cryptography ideas and functions, providing greater insight into a practical data protection solution based on the Ultrium LTO4 Tape Drive. An understanding of cryptography helps to provide confidence in the security of the encryption used, together with an appreciation of the importance of good key management: losing the key equates to losing the data, since the tapes are no longer accessible. Standards are important in data protection and enable customers to meet increasing demands for legal compliance by demonstrating that sensitive data is adequately protected. Having industry-standard AES encryption as part of the LTO4 format adds further to the benefits of tape-based backup and archival; tape is now the most economical and one of the most secure forms of archival storage for valuable data. The Ultrium LTO4 Tape Drive delivers both the performance and security features necessary to support the most robust data protection strategy.
About the Author: ShawnPaul, Tape4backup.com, 34972 Newark Blvd, #501, Newark CA 94560. Tel: 888-491-4949, Fax: 888-449-5050. Visit us at http://www.tape4backup.com or email links@tape4backup.com. Copyright © 2005 Tape 4 Backup. All rights reserved. http://www.tape4backup.com/privacypolicy.php
May 28 2008