5 1 0:LTO Encryption

From SEPsesam


Welcome to the latest SEP sesam documentation version 5.1.0 Apollon. For previous documentation version(s), check documentation archive.


Overview


LTO generation 4 and higher includes the ability for data to be encrypted by the tape drive hardware. SEP sesam provides native support for managing LTO hardware based encryption by enabling LTO encryption of tape drives at the media pool level.

During the LTO encryption process, data files are taken from the server and passed via the SCSI interface to the tape drive. The tape drive then encrypts and compresses the data before writing it (or decrypts it if reading data) to or from the tape cartridge.

Supported drive types

Drive type
LTO generation
Supported since SEP sesam version
LTO Ultrium 9 LTO 9 5.0.0 Jaglion V2
LTO Ultrium 7 (M8), LTO Ultrium 8 (L8) LTO 8 4.4.3.64 + SP 2019-1
* This drive type supports encryption, however it has not yet been certified with SEP sesam. LTO 7 4.4.3.42
* This drive type supports encryption, however it has not yet been certified with SEP sesam. LTO 6 4.4.3
HP Ultrium 5-SCSI X64D
(SCSI, single tape drive)
LTO 5 4.4.2.53
Tandberg HH Z519
(SCSI, single tape drive)
LTO 5 4.4.2.53
HP Ultrium 4-SCSI B63W
(Fiber Channel, loader)
LTO 4 4.4.2.53
IBM Ultrium-HH4
(SCSI, loader)
LTO 4 4.4.2.53
IBM Ultrium-TD4 BBH4
(Fiber Channel, loader/single tape drive)
LTO 4 4.4.2.53

Setting up LTO encryption

The LTO encryption process consists of 4 main steps: you have to create a drive group and assign one or more encryption capable (LTO generation 4 or higher) drives to it. Then you need to create a dedicated media pool. The final step is to initialize the media, and only is the LTO tape encryption-enabled.

Note
If you are using an external device for encryption on HPE tape drives (such as a hardware dongle), do not activate tape encryption with a password in the SEP sesam media pool. HPE tape drives cannot use both encryption methods simultaneously.

Creating a new LTO (generation 4 or higher) drive group

Typically, large auto-loaders have multiple internal drives that are loaded from a magazine. All drives have to be organized into a group. Make sure to create a separate drive group for the generation 4 or higher LTO drives. Note that encryption will only be available if there are no older LTO drives (e.g. generation 3) in the same group. However such a group can contain mixed generation 4 and higher LTO drives.

  1. In the Main Selection -> Components -> Tapes, click Drives. The Drives contents frame is displayed.
  2. Click New Group to create a new drive group for the LTO 4 (or higher) and enter a meaningful name for it. Click OK.

Creating a drive for the new LTO (4 or higher) drive group

  1. Right-click the newly created LTO 4 (or higher) drive group and click New Drive to assign a drive to it. SEP sesam follows the automatic drive enumeration and assigns the drive number automatically.
  2. In the Drive name field, enter a meaningful name for the drive.
  3. From the Drive type drop-down list, select LTO.
  4. From the Loader drop-down list, select the relevant loader from the list of configured loaders or leave it empty if it is a single device.
  5. From the Device server drop-down list, select the client to which you want to connect the drive. The list shows all clients configured in SEP sesam.
  6. From the Drive group drop-down list, select the newly created LTO drive group.

  7. In the Device (non-rewinding) field, enter the name of the relevant device. Non-rewinding means that the tape will not be rewound after the backup.
    Tip
    You can get the name of the device by running the command: <SESAM_BIN>/sesam/slu topology
    (e.g. Tape0 on Windows or /dev/nst0 on Unix/Linux).

    Sample output on Linux

    ID=0000 other:   ATA      ST380013AS 
    ID=1000 other:   TOSHIBA  ODD-DVD SD-M1802
    ID=7040 Tape:    Quantum  DLT4000          D67E (/dev/nst0)
    ID=7050 Tape:    Quantum  DLT4000          D67E (/dev/nst1)
    ID=7060 Loader:  HP       C1194F           1.04 (/dev/sg4)
    STATUS=SUCCESS MSG="OK"
    
  8. Click OK to create the new drive. Once an LTO (4 or higher) drive group has drives assigned to it, it becomes encryption-capable. To verify that your LTO drive group is encryption-capable, double-click it or right-click it and click Properties. If the LTO drive group is configured correctly, the message "This drive group is encryption capable" is displayed.
    Note
    Encryption for a drive group is only available if there are no older LTO drives (e.g., generation 3) in the same group. However, a group can contain mixed LTO tapes of generation 4 and higher.


Note
If the drive does not display the encryption capability, make sure that application encryption is enabled on the drive. This may require a special license or can be enabled by using the drive or library management interface. Also, make sure that your LTO generation's encryption functionality is already supported by SEP sesam.

Creating a media pool for the new LTO (4 or higher) drive group

After you have assigned one or more drives that are all encryption-capable (LTO generation 4 or higher) to the drive group, you need to create a dedicated media pool and enable encryption.

You must first create a new media pool and then enable encryption in the media pool properties. (In older versions ≤ 4.4.3 Grolar, the Encryption tab for enabling encryption was already available when creating a new media pool).

  1. In the Main Selection -> Components, click Media Pools. The Media Pools contents frame is displayed.
  2. Click New Media Pool to define a media pool for the LTO (4 or higher) drive group. The New Media Pool window is displayed.
  3. In the Name field enter a meaningful name for the media pool.
  4. From the Drive group drop-down list, select the name of your LTO (4 or higher) drive group. The Encryption tab is available after you create a media pool in the media pool properties.
  5. In the Retention time field set the time period for which the media are locked after initialization or the last backup, thus preserving the savesets and keeping them available for restore. The retention time is defined in days.
  6. To enable encryption, click OK to create a media pool. Then double-click this media pool to open its properties. Switch to the Encryption tab and click Enable encryption.

  7. Set the password for your tape encryption and re-enter it.
  8. Attention
    • Make sure you remember the password, otherwise you won't be able to change the encryption properties or access the data on the tape unless the data is read directly by SEP sesam. The encryption key is stored in the SEP sesam database and is read automatically during restore. But if the tape is removed from the drive, the encryption is cleared. Such a tape can still be used for backups, but only SEP sesam can access the stored data.
    • If you change the password, the updated password will only take effect after the tapes have been initialized. Until then, the old password is still valid.
    • The password is also required to disable encryption.

Initializing media from a single LTO drive

To enable LTO encryption, you have to initialize the LTO tapes that belong to the LTO media pool. Only after initialization are the LTO tapes ready for encryption. The LTO tapes that were loaded before encryption was set will be encrypted after their EOL (End of Lifetime) expires. As long as their EOL is valid, these LTO tapes are not writable. Therefore, the data will be encrypted after they are EOL-free and reinitialized. For more details on tape availability and retention, see Tape Management.

To initialize media, go to Activities -> Immediate Start -> Media Action. Choose Media action init, select the Media Pool and the Media you want to initialize. Click OK to start the initialization of the medium. For details, see Initializing media.

How to verify if encryption is enabled

There are two ways to check whether encryption is enabled. You can either check each media properties or search the day log for encryption-related messages.

Checking the media properties

In the Main Selection -> Components -> Tapes -> Media, look for the Encrypted column in the table. Yes means that the media is encrypted, No means it is not encrypted. You can also double-click a medium in the table to open the Properties dialog. The Encrypted field indicates whether the medium is encrypted or not (Yes/No).


Checking the day log

For each data protection operation, SEP sesam checks the drive to determine if encryption is enabled. You can confirm this by checking the Day log file in the Web UI. For details, see Logging.

The following example shows how to search the Day log in the Web UI.

  1. In the Main Navigation click System Logs and then in the content pane select Day Log in the drop-down list. The Day Log contents frame is displayed.
  2. In the Search field type encrypt and press Enter. If LTO encryption is enabled, all related messages are displayed. Use the Next and Previous buttons to scroll through all search results.

If LTO encryption is enabled, the data is encrypted before the backup starts. Note that the tape header is never encrypted while the data itself is encrypted before it is written to the LTO tape.


See also

Initializing mediaEncryption Support MatrixTape ManagementAbout Logging