Drive based Encryption-not working DP 6.1.1
Frequent Advisor
Chad T.
Posts: 40
Registered: ‎07-30-2008
Message 1 of 15 (1,447 Views)
Accepted Solution

Drive based Encryption-not working DP 6.1.1

I was using drive based encryption on a Win2k3 R2 server running DP 6. So I have my omnikeystore file located at the root of the omniback directory and the omnirc file was edited to allow for the drive based encryption and no license was required. I have been running drive based encryption on DP 6 successfully.

Now I just upgraded to DP 6.1.1 (no patches yet) on this server. I still have not purchased any encryption extension licenses, because I'm under the assumption that "Drive-based encryption" is still free? But now since the upgrade to DP 6.1.1 I'm no longer able to restore any previous backups, or even backup to a tape that has encrypted backups on it. I get the following errors from KMS
[Critical] From: RSM@strs.win2k.cfbb.org "" Time: 1/25/2010 1:57:19 PM
[60:1061] KMS reports storeid:keyid 00000000000000000000000000000000:001E0B76573849CA794E0987473C197A not found. Aborting session.

[Critical] From: RMA@strs.win2k.cfbb.org "HP:Ultrium 4-SCSI_1_strs" Time: 1/25/2010 1:57:19 PM
[90:6111] Error retrieving encryption key. Aborting session.

[Major] From: RMA@strs.win2k.cfbb.org "HP:Ultrium 4-SCSI_1_strs" Time: 1/25/2010 1:57:19 PM
[90:53] Tape0:0:0:0C
Cannot seek to requested position (Details unknown.)

I see in DP 6.1.1 there is now a new option to enable "Drive-based Encryption" under device drive settings, but it is greyed out.

What do I need to do to be able to use "Drive-based encryption" again, so that I can restore encrypted backups and backup to tapes that already have encrypted backups on them?

Thanks,
Chad
Honored Contributor
Rita C Workman
Posts: 3,791
Registered: ‎08-03-2000
Message 2 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

Not sure how much this will help, but came across this in the Installing License Guide pdf, under section of Upgrading to DP 6.1.
======================================
...After the upgrade of the Cell Manager, Installation Server, and all clients to the Data
Protector A.06.10, the omnikeymigrate command automatically migrates all
existing key store files from all client systems in the cell and imports them into the
central key store file on the Data Protector A.06.10 Cell Manager. If an active
encryption key is migrated from the specified client system, all backup specifications
that are associated with this particular client system are automatically migrated with
the key. After the import, all migrated encryption keys are inactive.
If automigration is not functioning for any reason, you can manually migrate the
encryption keys. For details, refer to the omnikeymigrate man page or the HP
Data Protector command line interface reference.
258 Upgrading to Data Protector A.06.10
==================================

What caught my eye was the "all keys become inactive".

So, have you tried running the omnikeytool -activate (..etc...) command yet?

Just a thought,
Rita
Frequent Advisor
Chad T.
Posts: 40
Registered: ‎07-30-2008
Message 3 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

I looked at omnikeytool -list. I don't see any keys, so there is nothing to activate. Now I've been using drive-based encryption so the encryption is tied to the medium, correct? Since I'm dealing with the same server I would assume I could restore the data off those tapes.

I installed the patches for DP 6.1.1.
The drive-based encryption under device drive settings is still greyed out.
I did find under the backup specifications > backup job > destination properties a checkbox for drive-based encryption, which is not greyed out.

I'm just confused why I can't restore data from these tapes, or backup to tapes that have encrypted data on them.

Honored Contributor
Rita C Workman
Posts: 3,791
Registered: ‎08-03-2000
Message 4 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

Chad,

I run on HPUX, but I run DP 6.1 too.

You said before you have your saved keyfile (omnikeystore file), can you try this maybe:

omnikeytool -import

Then run the activate command. Don't know about Windows, but on HPUX it shows you also need the following info in the command:

EntityName -keyid KeyID StoreID

Sorry if this doesn't help you, I'm still fairly new to this whole encryption thing myself.
You may need to call HP Support if this doesn't work.

Kindest regards,
Rita

Frequent Advisor
Chad T.
Posts: 40
Registered: ‎07-30-2008
Message 5 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

Thanks Rita... That's a good idea. I'm looking at the DP 6.1.1 CLI reference and I'll give the omnikeytool -import and -activate a try. All I have is this one omnikeystore file, so hopefully this is the file it needs?

Thanks,
Chad
Frequent Advisor
Chad T.
Posts: 40
Registered: ‎07-30-2008
Message 6 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

In DP 6.0 I had to edit the omnirc file. Do you know if this file is still referenced in DP 6.1.1? I still have all the settings turned on as you can see and I'm wondering if this could be causing part of my problem too?

OB2_ENCRYPT_MA=1|1
# Default: 0
# This variable is used to turn on or off Media Agent/ Hardware Encryption.
#
OB2_ENCRYPT_DEVICE_STRICT=TRUE|TRUE
# Default: FALSE
# This variable if turned on (TRUE) then the device used for backup has to be a
# Encryption supported device.
#
OB2_ENCRYPT_MEDIUM_STRICT=TRUE|TRUE
# Default: FALSE
# This variable if turned on (TRUE) mandates the medium used for backup to be a
# a Encryption supported medium.

Thanks,
Chad
Frequent Advisor
Chad T.
Posts: 40
Registered: ‎07-30-2008
Message 7 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

I tried importing the omnikeystore file, but it failed to import. Looks like it is looking for some other csv key file

Regards,
Chad
Honored Contributor
Rita C Workman
Posts: 3,791
Registered: ‎08-03-2000
Message 8 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

I backup Windows servers, but I run it on HPUX cell manager.

From what I'm reading you may have turned on both software & hardware encryption in the past.
On Windows software can be turned on by going into the GUI for the backup and checking the Encode box on the FileSystem Advanced/Other tabs. OR you may have turned it on by editing the OB2ENCODE setting and putting it to OB2ENCODE=1.

What I'm thinking...and just is that if you had software & hardware encryption turned on in the past, you did some kind of double encryption. And if that is the way the tapes were done, it may require setting up the same thing under DP6.1 to be able to read/write to those tapes again.

I'm thinking your new DP6.1 environment needs to replicate the old 6.0 environment. So if you think you had both software & hardware turned on - try to set that up again and see if that allows you to import/activate a key that was made under that environment.

Otherwise, I'm running out of ideas and think it's time to call HP Support.

Kindest regards,
Rita
Frequent Advisor
Chad T.
Posts: 40
Registered: ‎07-30-2008
Message 9 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

Thanks again Rita... I checked the old omnirc and the ob2_encode line was off and commented out.

I went ahead and opened a ticket with HP and they are currently working with me now. I'll definitely let you know what happens.

Regards,
Chad
Frequent Advisor
Chad T.
Posts: 40
Registered: ‎07-30-2008
Message 10 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

Based off what Rita just said...

The "Drive-based encryption" option under the drive settings is still greyed out. So I wonder if that has something to do with this, and needs to be selected in order to do the restores and append to an already encrypted tape?


Regards,
Chad
Honored Contributor
Rita C Workman
Posts: 3,791
Registered: ‎08-03-2000
Message 11 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

Chad,

What kind/model of tape unit do you have?

For example - here I have an MSL tape library, that I can web into with an account that has admin rights I can turn on drive based encryption. I never even touch Data Protector. It is strictly on the library itself.

So...what's your hardware?

Rita
Honored Contributor
Scott McIntosh_2
Posts: 6,874
Registered: ‎08-26-2003
Message 12 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

If I have a MSL2024 FC attached to my Windows 2003 server running Data Protector 6.0, I see the following from my omnidownload -list_devices -detail:

NAME "HP:Ultrium 4-SCSI_1_xxx"
DESCRIPTION "CLAIMED:HP LTO4 Drive"
HOST xxx
POLICY SCSI-II
TYPE LTO-Ultrium
POOL "Default LTO-Ultrium"
LIBRARY "HP:MSL G3 Series_xxx"
DRIVES
"Tape0:0:0:0C"
"1"
LOCKNAME "HP:Ultrium 4-SCSI:HU19396YMD"
SANSTABLEADDR
DEVSERIAL "HU19396YMD"

If I uninstall 6.0 and install 6.11 and patch it, I see the device configuration is expanded some with new 6.11 device settings:

NAME "HP:Ultrium 4-SCSI_1_xxx"
DESCRIPTION "CLAIMED:HP LTO4 Drive"
HOST xxx
POLICY SCSI-II
TYPE LTO-Ultrium
POOL "Default LTO-Ultrium"
LIBRARY "HP:MSL G3 Series_xxx"
DRIVES
"Tape0:0:0:0C"
"1"
LOCKNAME "HP:Ultrium 4-SCSI:HU19396YMD"
SANSTABLEADDR
DEVSERIAL "HU19396YMD"
RESTOREDEVICEPOOL NO
COPYDEVICEPOOL NO

I also notice the drive-based encryption checkbox is grayed out. I can still enable the encryption within the backup specifications, but cannot configure it as a device default.

If I delete and re-autoconfigure my MSL under 6.11, I now see the new setting of relevance:

NAME "HP:Ultrium 4-SCSI_1_xxx"
DESCRIPTION "CLAIMED:HP LTO4 Drive"
HOST xxx
POLICY SCSI-II
TYPE LTO-Ultrium
POOL "Default LTO-Ultrium"
LIBRARY "HP:MSL G3 Series_xxx"
ENCRCAPABLE <<<<-------||||||
DRIVES
"Tape0:0:0:0C"
"1"
LOCKNAME "HP:Ultrium 4-SCSI:HU19396YMD"
DEVSERIAL "HU19396YMD"
RESTOREDEVICEPOOL NO
COPYDEVICEPOOL NO

And now my drive-based encryption checkbox can be selected in my drive advanced settings. So the upgrade is not rechecking devices for this functionality. You will either have to omnidownload / manual add ENCRCAPABLE line / omniupload or delete and re-autoconfigure the drives to enable that checkbox.

As for the OP's restore/append issue, it seems that omnikeymigrate was failing to find the 6.0 omnikeystore to migrate the keys. I have seen that in my 6.11 upgrade, the keys were also not automigrated. But an omnikeymigrate -client worked in my case, without the need to fully specify the omnikeystore path with -file. It only worked for the OP when he used -file . Not sure why the difference.

Thanks,
Scott
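
An added example (not from the thread or from HP): a check for the condition Scott describes, run over saved omnidownload -list_devices -detail output, that lists drives carried over by the upgrade without an ENCRCAPABLE line. The sample listing is constructed from the layout in his post, and treating "LTO4" in DESCRIPTION as the marker for drives that should be encryption-capable is an assumption.

```python
import re

# Constructed sample in the layout from the post: drive 1 was carried over by
# the upgrade, drive 2 (hypothetical) was re-autoconfigured under 6.11.
SAMPLE = '''\
NAME "HP:Ultrium 4-SCSI_1_xxx"
DESCRIPTION "CLAIMED:HP LTO4 Drive"
HOST xxx
POLICY SCSI-II
TYPE LTO-Ultrium
POOL "Default LTO-Ultrium"
LIBRARY "HP:MSL G3 Series_xxx"
DRIVES
"Tape0:0:0:0C"
"1"
LOCKNAME "HP:Ultrium 4-SCSI:HU19396YMD"
SANSTABLEADDR
DEVSERIAL "HU19396YMD"
RESTOREDEVICEPOOL NO
COPYDEVICEPOOL NO

NAME "HP:Ultrium 4-SCSI_2_xxx"
DESCRIPTION "CLAIMED:HP LTO4 Drive"
ENCRCAPABLE
DRIVES
"Tape1:0:0:0C"
"1"
'''

def parse_devices(text):
    """One dict per device; a NAME line starts a new device definition."""
    devices = []
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'([A-Z]+)(?:\s+(.*))?$', line)
        if not m:
            continue  # blank lines and quoted continuation values
        key, value = m.group(1), (m.group(2) or "").strip('"')
        if key == "NAME":
            devices.append({})
        if devices:
            devices[-1][key] = value  # bare keywords are stored with ""
    return devices

def missing_encrcapable(text, marker="LTO4"):
    """Names of drives matching `marker` that have no ENCRCAPABLE line."""
    return [d["NAME"] for d in parse_devices(text)
            if marker in d.get("DESCRIPTION", "") and "ENCRCAPABLE" not in d]

if __name__ == "__main__":
    print(missing_encrcapable(SAMPLE))
```

Drives it reports are the ones whose drive-based encryption checkbox stays greyed out until the definition is fixed by one of the two routes Scott lists.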
Frequent Advisor
Chad T.
Posts: 40
Registered: ‎07-30-2008
Message 13 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

Thanks....
I'm using the MSL 2024 tape drive Rita. I thought about enabling it right on the drive, but I thought you had to purchase licenses? And I wasn't sure about key management.

Problem #1
Like Scott said for migrating the key I ended up using the automigration
omnikeymigrate -client "c:\program files\omniback\omnikeystore"

The key migrated in!!!!

Then to be safe I backed up key by exporting it. I just created any .csv name.

omnikeytool -export key.csv -all

The key was exported and was sent to the export folder under
C:\Program Files\OmniBack\Config\Server\export

Problem #2
For the device-based encryption check box being greyed out. I deleted the device out of Data Protector then I used Autoconfigure devices. I wish I had taken print screens of my settings before doing this.

Because after it autoconfigured under the drive settings for Direct Backup , the World Wide Name and Logical Unit Number was wiped out. So I had to find it on our SAN fibre switch.

But now the drive-based encryption is now visible!



Frequent Advisor
Chad T.
Posts: 40
Registered: ‎07-30-2008
Message 14 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

Drive-based encryption has been working well for me these past few days. I have been able to backup (encrypt) and restore (decrypt) with no problems. I'm closing this ticket and want to thank you all for your help.

Regards,
Chad
Occasional Advisor
Les Laviana
Posts: 9
Registered: ‎03-02-2011
Message 15 of 15 (1,447 Views)

Re: Drive based Encryption-not working DP 6.1.1

Hello... we are using Data Protector 6.0 to backup 4 hp unix servers. We have 2 MSL6000 series libraries each with 2 LTO scsi drives. One of the libraries has 2 LTO3 drives and the other has 2 LTO4 recently installed drives. Our goal is to perform drive based encryption backups on the LTO 4 drives. We've recently installed all of the required patches for 6.0 and drive based encryption as well as created the encryption key files and turned on the omnirc variable for drive based encryption. I've added the 2 new LTO4 drives in Data Protector GUI but we still can't get the encrypted bkups working. I found this thread and was wondering if anyone would be able to provide any help. I did try removing one of the drives from Data Protector then adding it back with the Autoconfig Option but I don't see any advanced setting to turn on encryption at the drive level. As was indicated at the end of this thread we are not doing direct backup nor are we using FC drives. Any help would be appreciated.
Thanks,
Les