Best Practices / Tutorial for moving from software encryption to drive based encryption
Occasional Contributor
RTFMGuy
Posts: 8
Registered: ‎02-11-2014
Message 1 of 5 (340 Views)

Hello,

We are on DP A 0.7.00 Build 105 and have been using com encryption + software encryption without compression on an LTO4 drive using LTO3 media. We recently added an LTO6 library to our infrastructure and would like to move to drive based encryption.

1) What things do we need to look out for in moving to drive based encryption?

2) Will we need to generate new keys or an additional key or can we use the ones in place for each backup object?

3) Is there a whitepaper / tutorial for what settings are needed to make this change?

4) After moving to drive based enc, will we have anything to look out for in restoring our old data?

5) Can you use LTO3 media for drive based encryption as long as you are using LTO4+ drives?

6) Can we do encryption and compression simultaneously with drive based encryption and actually get some gains in storage on LTO6 media?

7) Circling back around to #2 -- I've seen many posts saying drive based encryption makes a new key for each tape (at some point in the past). Has this been fixed now to be more sane?

Thanks in advance.

HP Expert
Bob_Clark
Posts: 1,426
Registered: ‎08-14-2013
Message 2 of 5 (297 Views)

1) What things do we need to look out for in moving to drive based encryption

Keystore file corruption. However, the Keystore is now included in the IDB backup, so if you back up the IDB every day, you should be OK.

For optimal performance, the block size used should be at least 256 kilobytes.

2) Will we need to generate new keys or an additional key or can we use the ones in place for each backup object?

7) Circling back around to #2 -- I've seen many posts saying drive based encryption makes a new key for each tape (at some point in the past). Has this been fixed now to be more sane?

You should be able to use the same keys as the ones in place for each backup object.

My impression is that you can create a new encryption key for each media, but this is optional. I have looked at a lot of keystore files, and, with hundreds of media still under protection, I saw nowhere near the corresponding number of Encryption keys.

3) Is there a whitepaper / tutorial for what settings are needed to make this change?

None that I can find, but, in the GUI, click on Help -> Topics, and search for "drive based encryption"; it will give you some additional information. Also, if you click on Help -> Guides, find the CLI (Command Line Interpreted) Guide, and in section 1M, get the usage for 'omnikeytool'.

4) After moving to drive based enc, will we have anything to look out for in restoring our old data?

I think that this is covered in the on-line help, mentioned in the last response.

5) Can you use LTO3 media for drive based encryption as long as you are using LTO4+ drives?

This is probably not a question that we can address from a Data Protector perspective... rather, it should be taken up with your hardware vendor.

6) Can we do encryption and compression simultaneously with drive based encryption and actually get some gains in storage on LTO6 media?

First, NEVER use Software compression

Again, this is not something that we can answer from the Data Protector side of the house

Occasional Contributor
RTFMGuy
Posts: 8
Registered: ‎02-11-2014
Message 3 of 5 (293 Views)

Thanks very much for the reply, got most of my questions answered and will continue to test :)

If anyone has any ideas about the other unknowns, let me know. Thanks!

Occasional Contributor
RTFMGuy
Posts: 8
Registered: ‎02-11-2014
Message 4 of 5 (285 Views)

Also -- I noticed you said never to use software compression. Is there any reason not to use Hardware compression paired with Drive Based Encryption?

HP Expert
Bob_Clark
Posts: 1,426
Registered: ‎08-14-2013
Message 5 of 5 (272 Views)

None that I am aware of, but, again, I have to defer to the hardware vendor on questions like this.