08-24-2007 12:19 AM
08-24-2007 06:56 AM
There's a business manager inside OpenVMS that has traditionally handled Common Criteria and other issues of security standards and standards compliance.
Here's the AES (256-bit) reference for OpenVMS V8.3 encryption:
and AFAIK 256-bit AES is in the right range for FIPS 140 compliance. As for statements of compliance and verification and evaluation that aren't already included in the SPD or such, those best arrive from folks within HP and probably not from ITRC. (And I don't see FIPS 140 in the SPD.)
Alternatively, you might want to ask your own folks if products providing AES 256-bit are "good enough".
08-24-2007 12:57 PM
One drawback is that this is a new very high performance drive, and you may have a hard time sending data to it fast enough to keep it from shoeshining. And without software to turn the encryption feature on, it will just be a latent capability.
There are many advantages to having the tape drive do the encryption. Besides offloading the necessary processing, it also does the compression prior to encryption, so the amount of media used for backups will not increase drastically. Remember that encrypted data appears random, and therefore does not effectively compress.
Have a look at
According to the compatibility chart, the drive is supported by both 8.2 and 8.3, but not by 7.3-2. That does not mean that you will be able to take advantage of the encryption capabilities, as the feature must be turned on, keys loaded, etc. That will require that the software being used to write to tape have the knowledge needed to communicate with an IEEE 1619.1 encrypting tape drive. I know nothing about what is planned for VMS BACKUP or Data Protector.
I was a bit surprised that the drive doesn't have any USB port on the front panel that would allow a "key" to be inserted into the drive. Whether such a device exists, I don't know. I do know that we have a MICR check printer that has a hardware key (I am not sure if it is USB or some proprietary hardware), but it is part of the "something you know and something you have" two part security.
There seems to be quite a bit of discussion about whether or not the encryption built into the LTO4 drive is "FIPS 170-2" compliant or not. Google for ( "IEEE 1619.1" "FIPS 140-2" ) http://www.google.com/search?hl=en&lr=&as_qdr=all&
HP's description in their marketing brochure has the vague verbiage "has the potential to be part of wider data encryption solutions up to FIPS 140-2 level 2." But so does a notepad to keep documentation on.
Excerpt from http://www.hpstoragemedia.com/files/english/sales_
"HP's LTO4 Ultrium cartridges have the potential to be part of wider data encryption solutions up to FIPS 140-2 level 2. The media on its own incorporates AES-256 bit key encryption (the highest level of AES) capabilities to provide greater security. HP's implementation meets the current draft of IEEE 1619.1 tape encryption standard giving you peace of mind that if a tape goes missing, the data it contains cannot fall into the wrong hands."
08-24-2007 01:08 PM
Perhaps something like mount/media=(compaction,IEEE1619_1=keyoption...)
Then you might be able to use something like Save Set Manager to migrate savesets from old tapes to new, and have them encrypted on the way.
Sorry for the diversion...
12-05-2007 09:47 AM
My response was that "of course" has very limited meaning for the government. "Of course" works for "oh, you need to file seven more paper copies and twenty-one e-mail copies of this form." To which you say, "Of course I do..."
The bottom line from my security guys was, if it isn't directly certified, it isn't FIPS 140-2 compliant. The Federal Information Security Management Act (FISMA) of 2002 revoked statutory provisions to allow waivers of FIPS standards. The surrounding guidelines include something to the effect of saying "Unvalidated cryptography is viewed by NIST as providing no protection to the information or data" and basically counts as cleartext for the security evaluation process.
My own security folks say that despite it not being directly certified, it is possible to (as they say it) "socialize" the routines because despite FISMA 2002, there are ways to get waivers. Just more hoops to jump through. So I guess you need to discuss the issue with your security guys and see what, if anything, they have to say.
In case you were wondering, I'm at a DoD/USN site dealing with Privacy Act data for personnel-related information. So we have that FIPS-140-2 requirement, too.
12-06-2007 10:55 AM
and this process is perfectly designed to keep the revenue stream coming to the 'insiders' like billy bathgates and his gang of merry thieves. bathgatesOS is probably 'certified' this and that, and we all know how secure that is.
06-07-2011 03:21 PM
Would HP ever put themselves out there and go on record to un-categorically state that their tools are FIPS 140-2 compliant (esp. something that is not NonStop computing?
How does one say that the System Management Homepage is FIPS 140-2 compliant? Does it involve the installation of a certificate meeting a specific compliance?
06-07-2011 03:38 PM
Why awaken a years-old thread in a VMS forum
to deal with an HP-UX question?
I know nothing, but from my limited attention
to OpenSSL stuff, I've gathered that actual
FIPS compliance (certification?) is a
non-trivial thing. It seems to require
platform-specific testing for each OpenSSL
version, which costs actual money, so some
particular vendor or victim needs to pay for
> [...] you'll want to ask for a statement
> from HP [...]
I'd say that that's true in your case, too.
06-08-2011 08:34 AM
As for awakening the thread, well, due to HSPD-12, APT, and a few other initiatives, this issue continues to be all too relevant. Meeting the compliance while continuing to provide effective, efficient, and practical services to our customers as well as keep the system administration practical is becoming a very difficult balancing act.
But your answer was perfect. Thank you. I now understand the reason why HP may not get "certifications" on every platform for every layered product and then try and maintain it going forward.
I'll also try and check within my organization to determine if any of them already have acquired a "restatement" from HP.
Again, forgive me. I'll refrain from extending this thread.
06-08-2011 09:19 AM
leads pretty directly to:
which explains some of the considerations
involved with OpenSSL.
06-09-2011 01:44 AM
"Data Encryption Using Archive Backup System"
It refers to the HP StorageWorks Secure Key Manager:
This includes the reference:
"The SKM is a hardened server appliance delivering secure identity-based access â administration and logging with strong auditable security designed to meet the rigorous FIPS 140-2 security standards."