Visitor
Renaud_C
Posts: 4
Registered: ‎11-02-2011
Message 1 of 14 (2,352 Views)

DataProtector 6.11 - Drive Based Encryption - need 1 key for all encrypted media - is it possible ?

We would like to implement drive based encryption on a DP6.11 system.

I already created a simple backup job and activated the drive based encryption option.

Now I have to create and activate a key on the cell manager.

I have a very simple question: 'Is it possible to create and use a unique key (only one)?'

In other words, we would like to encrypt our archive media with the same and unique key.

 

Regards.

Honored Contributor
Shishir Misra
Posts: 432
Registered: ‎12-19-2004
Message 2 of 14 (2,338 Views)

Hi.
There was a global option to enable this once but I'm not sure if it exists now. Your best bet would be to ask HP Support about this feature.
Regards,
Shishir
Visitor
Renaud_C
Posts: 4
Registered: ‎11-02-2011
Message 3 of 14 (2,325 Views)

I set up a simple backup job and activated Drive Based Encryption.

The backup job was successful and the cell manager generated a key. Key Description = 'AES256_CTR Automatic key creation'

Does anybody know if this key is available only for this tape? (What will happen when the system uses another tape?)

Honored Contributor
Shishir Misra
Posts: 432
Registered: ‎12-19-2004
Message 4 of 14 (2,295 Views)

Hi.

   For a new tape, a new key should get created automatically.

Regards,

Shishir

Visitor
Renaud_C
Posts: 4
Registered: ‎11-02-2011
Message 5 of 14 (2,293 Views)

Hello,

 

Here is what I was looking for (received from our HP Partner).

I already implemented it but I still have to validate the solution.

*************************************************************************************

In the global file you need to change this and restart DP:

# EnableCommonKeyEntity
# format:
# -> the same key for every media
EnableCommonKeyEntity=1
# default: 0
# If this option is set (=1), KeyEntity value will be used as an entity name
# for encryption.

# KeyEntity
# format:
# -> e.g.: if you want a common key for your company.
KeyEntity=YOURENTITY
# default: <empty>
# This value will be used as an entity-name if EnableCommonKeyEntity is set to 1.

Occasional Visitor
Matthew Shields
Posts: 1
Registered: ‎08-19-2005
Message 6 of 14 (2,170 Views)


This setting is placed on the cell manager, correct? And what OS is yours?

Is this for one drive or many?

Honored Contributor
Sebastian.Koehler
Posts: 1,155
Registered: ‎02-27-2007
Message 7 of 14 (2,167 Views)

Since the option EnableCommonKeyEntity is defined in the global configuration file on the CS, this setting is global for the whole cell including all media agents and drives.

 

Regards,

Sebastian

---
Assign a kudo to this post, if you find it useful.
Visitor
Renaud_C
Posts: 4
Registered: ‎11-02-2011
Message 8 of 14 (2,161 Views)

Yes, setting is on cell manager so for all drives/tapes.

OS : W2K3R2SP2 STD

For your information: the solution requires the latest DP patches available for 6.11, so we decided to completely upgrade our DP system (will be on W2K8R2 / DP 6.20)... wait and see.

Occasional Visitor
DUva
Posts: 3
Registered: ‎04-27-2012
Message 9 of 14 (2,035 Views)

I have the same problem.

I have HP Dataprotector 06.11 but my global file doesn't include an EnableCommonKeyEntity variable to configure.

I understand I need a patch to display that option globally, is that correct?

I need to ensure that, if down the patch and installing it then appears that option, then I will have to consider hiring the stand.

Honored Contributor
Sebastian.Koehler
Posts: 1,155
Registered: ‎02-27-2007
Message 10 of 14 (2,032 Views)

It is possible that the options EnableCommonKeyEntity and KeyEntity are available on your patch level but not included in the global file. To find out, run omnicc in debug mode and review the debug file, which will contain all available global options for your cell server.

 

/opt/omni/bin/omnicc -debug 20 /tmp/DBG.txt

/bin/grep -i "KeyEntity" /tmp/OB2DBG_*DBG.txt

 

If they are not in, you need to upgrade your cell to the latest patches. If they are in, just add the required lines to global and restart services.

 

Regards,

Sebastian

---
Assign a kudo to this post, if you find it useful.
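
Added example (not part of any post in this thread, and not HP code): a POSIX shell check to run against a copy of the global file after adding the lines from Message 5. It counts only active lines, because the documentation lines such as "# EnableCommonKeyEntity" also match a plain grep, and it flags values that still carry pasted "->" notes. It assumes the Option=Value layout with "#" comments shown in Message 5; the function names and return codes are made up for this example, and the file path is supplied by the caller.

```shell
#!/bin/sh
# Added example: inspect a copy of the Data Protector "global" options file
# for the two options discussed in this thread.

# Print the value of the last active (uncommented) "Name=Value" line.
get_opt() {  # $1 = option name, $2 = file
    awk -v name="$1" '
        /^[ \t]*#/ { next }                  # documentation or disabled line
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", key)
            if (key == name) { val = substr($0, eq + 1); found = 1 }
        }
        END {
            if (found) {
                sub(/^[ \t]+/, "", val)      # tolerate "KeyEntity= NAME"
                sub(/[ \t\r]+$/, "", val)    # tolerate Windows line endings
                print val
            }
        }
    ' "$2"
}

# Return codes (constructed for this example):
#   0 = common key entity active
#   1 = EnableCommonKeyEntity not active (missing, commented out, or not "1")
#   2 = enabled, but KeyEntity is empty or still contains pasted notes
check_common_key() {  # $1 = path to a copy of the global file
    enabled=$(get_opt EnableCommonKeyEntity "$1")
    entity=$(get_opt KeyEntity "$1")
    if [ "$enabled" != "1" ]; then
        echo "EnableCommonKeyEntity not active (value: '$enabled')"
        return 1
    fi
    case "$entity" in
        "")    echo "KeyEntity is empty"; return 2 ;;
        *" "*) echo "KeyEntity contains spaces or pasted notes: '$entity'"; return 2 ;;
    esac
    echo "common key entity: $entity"
    return 0
}
```

Call it as check_common_key followed by the path to the copied file; a non-zero return means the file would not give the single-key behaviour described above.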
Occasional Visitor
DUva
Posts: 3
Registered: ‎04-27-2012
Message 11 of 14 (2,030 Views)

Thanks Sebastian.
The process worked correctly.
I confirmed that I have that option not available.
You can assure you that there is a patch for version 6.11 which makes this option become available.
Honored Contributor
Sebastian.Koehler
Posts: 1,155
Registered: ‎02-27-2007
Message 12 of 14 (2,027 Views)

The latest and greatest patches should add this functionality. HP puts a lot of effort into backporting all kinds of stuff to older Data Protector releases. If you want to test, set up a new cell server, apply the latest patches and run the commands again if the global does not include this option. I haven't had a 6.11 cell around for quite some time.

Regards,
Sebastian
---
Assign a kudo to this post, if you find it useful.
Occasional Visitor
DUva
Posts: 3
Registered: ‎04-27-2012
Message 13 of 14 (2,024 Views)

The problem is that I haven't a support contract.
This does not allow me to download patches.
So I wanted to make sure. What I do not want to happen is to hire the support and that this option is not available in the version I have.
Honored Contributor
Sebastian.Koehler
Posts: 1,155
Registered: ‎02-27-2007
Message 14 of 14 (2,022 Views)

If you bring your cell back to support, you will not only obtain patches for 6.11. You will also be able to upgrade to later versions like 6.2x or 7.00. Current versions include that option in any case.

Regards,
Sebastian
---
Assign a kudo to this post, if you find it useful.