LTO Encryption

From SEPsesam

Copyright © SEP AG 1999-2017. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Welcome to the latest SEP sesam documentation version 4.4.2/4.4.3. For previous documentation version(s), check Documentation archive.


Overview

LTO generation 4 and higher drives can encrypt data in the tape drive hardware (AES-256 in GCM mode). SEP sesam provides native support for managing this LTO hardware-based encryption by enabling encryption for tape drives at the media pool level.

During the LTO encryption process the data is read from the server and passed through the SCSI interface to the tape drive. The drive compresses and then encrypts the data before writing it to the tape cartridge, and decrypts it when reading from the cartridge. Compression has to come first, because encrypted data no longer compresses.

Supported drive types

Drive type                                                        LTO generation   Supported since SEP sesam version
*                                                                 LTO 7            4.4.3
*                                                                 LTO 6            4.4.3
HP Ultrium 5-SCSI X64D (SCSI, single tape drive)                  LTO 5            4.4.2.53
Tandberg HH Z519 (SCSI, single tape drive)                        LTO 5            4.4.2.53
HP Ultrium 4-SCSI B63W (Fibre Channel, loader)                    LTO 4            4.4.2.53
IBM Ultrium-HH4 (SCSI, loader)                                    LTO 4            4.4.2.53
IBM Ultrium-TD4 BBH4 (Fibre Channel, loader/single tape drive)    LTO 4            4.4.2.53

* Drives of this LTO generation support encryption, but they have not yet been certified with SEP sesam.

Setting up the LTO encryption

Setting up LTO encryption consists of four main steps: create a drive group, assign one or more drives to it that are all encryption capable (LTO generation 4 or higher), create a dedicated media pool with encryption enabled, and initialize the media. Only after initialization is an LTO tape encryption ready.

Creating a new LTO (generation 4 or higher) drive group

Large autoloaders usually have several internal drives, which are loaded from one magazine. All drives have to be organised into a group. Make sure to create a new drive group for the LTO drives of generation 4 or higher. Encryption is only available if there are no older LTO drives (e.g., generation 3) in the group; a group can, however, contain a mix of LTO drives of generation 4 and higher.

  1. In the Main Selection -> Components, click Drives. The Drives contents frame is displayed.
  2. Click Create New to create a new drive group for the LTO 4 (or higher) and enter a meaningful name for it. Click OK.

Creating a drive for the new LTO (4 or higher) drive group

  1. Right-click the newly created LTO 4 (or higher) drive group and click New Drive to assign a drive to it. SEP sesam follows the automatic drive enumeration and assigns the drive number automatically.
  2. In the Drive Name field enter a meaningful name for the drive.
  3. From the Drive Type drop-down list, select LTO.
  4. From the Loader drop-down list, select the relevant loader from the list of configured loaders or leave it empty in case of a single device.
  5. From the Device Server drop-down list, select the client to which you want to connect the drive. The list shows all clients configured in SEP sesam.
  6. From the Drive Group drop-down list, select the newly created LTO drive group.

  8. In the Device (non-rewinding) field, enter the name of the relevant device. Non-rewinding means that the tape is not rewound after the backup.
  9. Hint:

    You can get the name of the device by running the command <SESAM_ROOT>/bin/sesam/slu scan (e.g., Tape0 on Windows or /dev/nst0 on Unix).

    Sample output on Windows

    slu scan
    ID=6000 Tape:   HP      Ultrium 4-SCSI  B63W (Tape2147483646)
    ID=6001 Tape:   HP      Ultrium 4-SCSI  B63W (Tape2147483645)
    ID=6002 other:  HP      NS E1200-320    5963 (other_device)
    ID=6010 Loader: HP      MSL6000 Series  0520 (Changer0)
    ID=6011 Tape:   HP      Ultrium 4-SCSI  B63W (Tape2147483644)
    ID=6012 Tape:   HP      Ultrium 4-SCSI  B63W (Tape2147483643)
    ID=6013 other:  HP      NS E1200-320    5963 (other_device)
    ID=9000 other:  SYNOLOGYiSCSI Storage (HardDisk)
    STATUS=SUCCESS MSG="OK"
    

    Sample output on Unix

    ./slu scan
    ID=0:0:0:0    Tape:    IBM      ULTRIUM-TD4      BBH4 (/dev/nst0)
    ID=1:0:0:0    Tape:    IBM      ULTRIUM-TD4      BBH4 (/dev/nst1)
    ID=3:0:0:0    other:   ATA      Samsung SSD 850
    ID=5:0:0:0    other:   HL-DT-ST DVDRAM GH24NSB0
    ID=15:0:0:0   other:   Marvell  91xx Config
    ID=16:0:0:0   other:   LSI      9750-4i    DISK
    ID=0:0:0:1    Loader:  SPECTRA  PYTHON           2000 (/dev/sg6)
    STATUS=SUCCESS MSG="OK"
    
  10. Click OK to create the new drive.
  11. Once an LTO (4 or higher) drive group has drives assigned, it becomes encryption capable. To check whether your LTO drive group is encryption capable, right-click it and click Properties. If the LTO drive group is configured correctly, the message This drive group is encryption capable is displayed.

    Note
    Encryption for a drive group is only available if there are no older LTO drives (e.g., generation 3) in the group; a group can, however, contain a mix of LTO drives of generation 4 and higher.


Note
If the drive group is not reported as encryption capable, make sure that application encryption (application-managed encryption) is enabled on the drive. This may require a special license or can be enabled using the drive or library management interface.
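The device names in the steps above come from the slu scan output, and the drive group only becomes encryption capable when every drive in it is LTO 4 or higher. The following added example (not part of the SEP sesam documentation or product) parses the two sample outputs shown on this page and applies that rule. The LTO generation is taken from the product string with a heuristic that is an assumption here: it works for the HP and IBM names on this page, but not for a product name such as the Tandberg "HH Z519", for which it returns None. The extra "Ultrium 3-SCSI" line on /dev/nst2 is constructed to show an LTO 3 drive being flagged.

```python
import re
from typing import Optional

# Sample `slu scan` output taken from this page (Windows and Unix). One extra
# Unix line (the "Ultrium 3-SCSI" drive on /dev/nst2) is constructed here to
# show how an LTO 3 drive makes a drive group non encryption capable.
SLU_SCAN_WINDOWS = """\
ID=6000 Tape:   HP      Ultrium 4-SCSI  B63W (Tape2147483646)
ID=6001 Tape:   HP      Ultrium 4-SCSI  B63W (Tape2147483645)
ID=6002 other:  HP      NS E1200-320    5963 (other_device)
ID=6010 Loader: HP      MSL6000 Series  0520 (Changer0)
ID=6011 Tape:   HP      Ultrium 4-SCSI  B63W (Tape2147483644)
ID=6012 Tape:   HP      Ultrium 4-SCSI  B63W (Tape2147483643)
ID=6013 other:  HP      NS E1200-320    5963 (other_device)
ID=9000 other:  SYNOLOGYiSCSI Storage (HardDisk)
STATUS=SUCCESS MSG="OK"
"""

SLU_SCAN_UNIX = """\
ID=0:0:0:0    Tape:    IBM      ULTRIUM-TD4      BBH4 (/dev/nst0)
ID=1:0:0:0    Tape:    IBM      ULTRIUM-TD4      BBH4 (/dev/nst1)
ID=2:0:0:0    Tape:    HP       Ultrium 3-SCSI   G63W (/dev/nst2)
ID=3:0:0:0    other:   ATA      Samsung SSD 850
ID=5:0:0:0    other:   HL-DT-ST DVDRAM GH24NSB0
ID=0:0:0:1    Loader:  SPECTRA  PYTHON           2000 (/dev/sg6)
STATUS=SUCCESS MSG="OK"
"""

# ID=<id> <Kind>: <vendor product revision> [(<device name>)]
_LINE = re.compile(
    r"^ID=(?P<id>\S+)\s+(?P<kind>\w+):\s+(?P<desc>.*?)(?:\s+\((?P<dev>[^)]+)\))?\s*$"
)
# Heuristic (assumption): HP and IBM put the LTO generation in the product
# string ("Ultrium 4-SCSI", "ULTRIUM-TD4", "Ultrium-HH4"). Other vendors
# (e.g. the Tandberg "HH Z519" on this page) do not, so the result is None.
_GEN = re.compile(r"ultrium[\s-]*(?:td|hh)?[\s-]*(\d)", re.I)

MIN_ENCRYPTION_GENERATION = 4  # LTO 4 introduced drive hardware encryption


def parse_slu_scan(text: str) -> list:
    """Parse every device line of `slu scan`; the STATUS trailer is skipped."""
    devices = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        devices.append({
            "id": m["id"],
            "kind": m["kind"],
            "desc": " ".join(m["desc"].split()),  # collapse column padding
            "device": m["dev"],                    # None if no device name
        })
    return devices


def lto_generation(desc: str) -> Optional[int]:
    m = _GEN.search(desc)
    return int(m.group(1)) if m else None


def tape_drives(text: str) -> list:
    """Tape drives from `slu scan`, each annotated with its LTO generation."""
    drives = []
    for dev in parse_slu_scan(text):
        if dev["kind"].lower() != "tape":
            continue
        gen = lto_generation(dev["desc"])
        dev["generation"] = gen
        # Unknown generation is treated as not capable: check the drive manually.
        dev["encryption_capable"] = gen is not None and gen >= MIN_ENCRYPTION_GENERATION
        drives.append(dev)
    return drives


def drive_group_is_encryption_capable(drives: list) -> bool:
    """Mirror the page's rule: one older drive (e.g. LTO 3) in the group
    disables encryption for the whole group."""
    return bool(drives) and all(d["encryption_capable"] for d in drives)


if __name__ == "__main__":
    for name, text in (("Windows", SLU_SCAN_WINDOWS), ("Unix", SLU_SCAN_UNIX)):
        drives = tape_drives(text)
        for d in drives:
            print(f"{name}: {d['device']:>15} {d['desc']:<28} LTO {d['generation']} "
                  f"{'ok' if d['encryption_capable'] else 'NOT encryption capable'}")
        print(f"{name}: drive group encryption capable: "
              f"{drive_group_is_encryption_capable(drives)}")
```

Run it as-is to see the page's Windows group pass and the constructed Unix group fail because of the LTO 3 drive; for a real inventory, paste your own slu scan output in place of the sample strings. A drive whose generation cannot be read from its product string is deliberately treated as not capable, so that the script never reports a mixed group as clean by accident.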

Creating a media pool for the new LTO (4 or higher) drive group

  1. In the Main Selection -> Components, click Media pools. The Media pools contents frame is displayed.
  2. Click New media pool to define a media pool for the LTO (4 or higher) drive group. The New media pool window is displayed.
  3. In the Name field enter a meaningful name for the media pool.
  4. From the Drive group drop-down list, select the name of your LTO (4 or higher) drive group. As soon as you select the LTO drive group, a new tab Encryption becomes available.
  5. In the Retention time field set the time period for which the media are locked after the initialization or the last backup, thus preserving the save sets and keeping them available for restore. The retention time is defined in days.
  6. Click the Encryption tab of the New media pool window, and then click Enable encryption.


  8. Set the password for your tape encryption and re-enter it.
  9. Attention:
    • Make sure that you remember the password. Without it you can neither change the encryption properties of the media pool again nor access the data on the tape, except through SEP sesam itself: the encryption key is stored in the SEP sesam database and is passed to the drive automatically during restore. When a tape is unloaded from the drive, the key is cleared from the drive. Such a tape can still be used for backups, but the data stored on it can only be accessed through SEP sesam.
    • If you change the password, the new password only takes effect for tapes that are initialized afterwards. Until then the old password remains valid.
    • The password is also required to disable encryption.

Initializing media from single LTO drive

To enable LTO encryption, you have to initialize the LTO tapes that belong to the encrypted LTO media pool. Only after initialization are the LTO tapes ready for encryption. Tapes that were already written before encryption was enabled on the pool are not writable until their EOL (expiry) has passed, so their data is encrypted only once they are EOL-free and have been initialized again.

To initialize media, go to Activities -> Immediate Start -> Media Action. Choose the media action init, select the Media Pool and the Media you want to initialize. Click OK to start the initialization of the medium. For details, see Initializing media.

How to verify if encryption is enabled

There are two ways to check whether encryption is enabled. You can either check each individual medium properties or search the day log for encryption-related messages.

Checking media properties

In the Main Selection -> Components -> Media, look for the Encrypted column in the table. Yes means that the medium is encrypted, No means that it is not encrypted. Or, you can double-click a medium in the table to open the Properties dialog. The Encrypted field states whether the medium is encrypted or not (Yes/No).



Checking day log

For each data protection operation, SEP sesam checks the drive to see if encryption is enabled. You can confirm this by checking the Day log file. For details, see Logging.

  1. In the Main Selection -> Logging, click Day log. The Day log contents frame is displayed.
  2. In the Search field type encrypt* and press Enter. If the LTO encryption is enabled, you will see all related messages displayed. Use Next and Previous buttons to browse through all search results.

If LTO encryption is enabled, encryption is switched on at the drive before the backup starts, and the drive encrypts the data as it writes it to the LTO tape. Note that the tape header is never encrypted; only the backup data itself is encrypted.
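The Day log records SEP sesam's own view of the check. The same question can be put to the drive directly over SCSI: the Data Encryption Status page is fetched with a SECURITY PROTOCOL IN command, and its encryption and decryption mode fields say whether the drive currently holds a key and will encrypt. The following added example (not SEP sesam code) builds that CDB and decodes a response. The constants and field offsets are the standard SPC/SSC values; the two response byte strings are constructed for the example and not captured from a real drive, and the second one shows the state the page describes after a cartridge is unloaded and the drive has dropped the key.

```python
# Standard SCSI values (SPC-4 SECURITY PROTOCOL IN, SSC tape data encryption);
# these come from the SCSI standards, not from SEP sesam.
SECURITY_PROTOCOL_IN = 0xA2
SP_TAPE_DATA_ENCRYPTION = 0x20
PAGE_DATA_ENCRYPTION_STATUS = 0x0020

ENCRYPTION_MODES = {0: "DISABLE", 1: "EXTERNAL", 2: "ENCRYPT"}
DECRYPTION_MODES = {0: "DISABLE", 1: "RAW", 2: "DECRYPT", 3: "MIXED"}


def spin_cdb(security_protocol: int, sp_specific: int, alloc_len: int) -> bytes:
    """Build the 12 byte SECURITY PROTOCOL IN CDB.

    Layout (SPC-4): opcode, security protocol, protocol specific (2 bytes),
    INC_512 flag byte, reserved, allocation length (4 bytes), reserved, control.
    """
    return (
        bytes([SECURITY_PROTOCOL_IN, security_protocol])
        + sp_specific.to_bytes(2, "big")
        + b"\x00\x00"
        + alloc_len.to_bytes(4, "big")
        + b"\x00\x00"
    )


def decode_encryption_status(page: bytes) -> dict:
    """Decode the fixed header of the Data Encryption Status page (0020h).

    Only bytes 0..11 are decoded; the key associated data (KAD) descriptors
    that follow are left alone here.
    """
    if len(page) < 12:
        raise ValueError("status page too short")
    if int.from_bytes(page[0:2], "big") != PAGE_DATA_ENCRYPTION_STATUS:
        raise ValueError("not a Data Encryption Status page")
    return {
        "page_length": int.from_bytes(page[2:4], "big"),
        "nexus_scope": page[4] >> 5,
        "key_scope": page[4] & 0x07,
        "encryption_mode": ENCRYPTION_MODES.get(page[5], f"reserved({page[5]:#x})"),
        "decryption_mode": DECRYPTION_MODES.get(page[6], f"reserved({page[6]:#x})"),
        "algorithm_index": page[7],
        # Incremented by the drive every time a new key is set; a change here
        # between two checks means the key was (re)loaded in between.
        "key_instance_counter": int.from_bytes(page[8:12], "big"),
    }


def drive_is_encrypting(status: dict) -> bool:
    """True only if the drive will encrypt writes and decrypt reads."""
    return (status["encryption_mode"] == "ENCRYPT"
            and status["decryption_mode"] in ("DECRYPT", "MIXED"))


# Constructed responses (not captured from a real drive). A 24 byte page:
# code 0020h, length 0014h, scope byte, enc mode, dec mode, algorithm index,
# key instance counter, then 12 bytes of flags/reserved set to zero here.
_TAIL = "00" * 12
STATUS_ENCRYPTING = bytes.fromhex("0020" "0014" "42" "02" "02" "01" "00000003" + _TAIL)
# After the cartridge is unloaded the drive drops the key: both modes read DISABLE.
STATUS_AFTER_UNLOAD = bytes.fromhex("0020" "0014" "00" "00" "00" "01" "00000003" + _TAIL)


if __name__ == "__main__":
    cdb = spin_cdb(SP_TAPE_DATA_ENCRYPTION, PAGE_DATA_ENCRYPTION_STATUS, 64)
    print("SPIN CDB for sg_raw:", cdb.hex(" "))
    for label, page in (("loaded key", STATUS_ENCRYPTING), ("after unload", STATUS_AFTER_UNLOAD)):
        st = decode_encryption_status(page)
        print(f"{label}: {st['encryption_mode']}/{st['decryption_mode']} "
              f"algo={st['algorithm_index']} counter={st['key_instance_counter']} "
              f"encrypting={drive_is_encrypting(st)}")
```

On Linux the printed CDB can be sent to the non-rewinding device with sg_raw from sg3_utils (as root, e.g. sg_raw -r 64 /dev/nst0 a2 20 00 20 00 00 00 00 00 40 00 00) and the hex it returns fed to decode_encryption_status; stenc -f /dev/nst0 --detail reports the same fields in readable form. A result of DISABLE/DISABLE on a drive with a loaded cartridge, taken while a backup to an encrypted pool is running, is the condition worth alerting on.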

See also

Initializing media