Source:LTO Encryption: Difference between revisions

From SEPsesam
Latest revision as of 14:18, 18 September 2023

LTO generation 4 and higher includes the ability for data to be encrypted by the tape drive hardware. SEP sesam provides native support for managing LTO hardware-based encryption by enabling LTO encryption of tape drives at the media pool level.

During the LTO encryption process, data files are taken from the server and passed via the SCSI interface to the tape drive. The tape drive then encrypts and compresses the data before writing it (or decrypts it if reading data) to or from the tape cartridge.

Supported drive types

Drive type                                                      | LTO generation | Supported since SEP sesam version
----------------------------------------------------------------+----------------+----------------------------------
LTO Ultrium 9                                                   | LTO 9          | 5.0.0 Jaglion V2
LTO Ultrium 7 (M8), LTO Ultrium 8 (L8)                          | LTO 8          | 4.4.3.64 + SP 2019-1
* (not yet certified, see note)                                 | LTO 7          | 4.4.3.42
* (not yet certified, see note)                                 | LTO 6          | 4.4.3
HP Ultrium 5-SCSI X64D (SCSI, single tape drive)                | LTO 5          | 4.4.2.53
Tandberg HH Z519 (SCSI, single tape drive)                      | LTO 5          | 4.4.2.53
HP Ultrium 4-SCSI B63W (Fiber Channel, loader)                  | LTO 4          | 4.4.2.53
IBM Ultrium-HH4 (SCSI, loader)                                  | LTO 4          | 4.4.2.53
IBM Ultrium-TD4 BBH4 (Fiber Channel, loader/single tape drive)  | LTO 4          | 4.4.2.53

* This drive type supports encryption, however it has not yet been certified with SEP sesam.

Setting up LTO encryption

The LTO encryption process consists of 4 main steps: you have to create a drive group and assign one or more encryption-capable (LTO generation 4 or higher) drives to it. Then you need to create a dedicated media pool. The final step is to initialize the media; only then is the LTO tape encryption-enabled.

Creating a new LTO (generation 4 or higher) drive group

Typically, large auto-loaders have multiple internal drives that are loaded from a magazine. All drives have to be organized into a group. Make sure to create a separate drive group for the generation 4 or higher LTO drives. Note that encryption will only be available if there are no older LTO drives (e.g. generation 3) in the same group. However, such a group can contain mixed generation 4 and higher LTO drives.

  1. In the Main Selection -> Components -> Tapes, click Drives. The Drives contents frame is displayed.
  2. Click New Group to create a new drive group for the LTO 4 (or higher) and enter a meaningful name for it. Click OK.

Creating a drive for the new LTO (4 or higher) drive group

  1. Right-click the newly created LTO 4 (or higher) drive group and click New Drive to assign a drive to it. SEP sesam follows the automatic drive enumeration and assigns the drive number automatically.
  2. In the Drive name field, enter a meaningful name for the drive.
  3. From the Drive type drop-down list, select LTO.
  4. From the Loader drop-down list, select the relevant loader from the list of configured loaders or leave it empty if it is a single device.
  5. From the Device server drop-down list, select the client to which you want to connect the drive. The list shows all clients configured in SEP sesam.
  6. From the Drive group drop-down list, select the newly created LTO drive group.
    (Screenshot: New LTO drive)
  7. In the Device (non-rewinding) field, enter the name of the relevant device. Non-rewinding means that the tape will not be rewound after the backup.
    Tip:
    You can get the name of the device by running the command: <SESAM_BIN>/sesam/slu topology
    (e.g. Tape0 on Windows or /dev/nst0 on Unix/Linux).

    Sample output on Linux

    ID=0000 other:   ATA      ST380013AS 
    ID=1000 other:   TOSHIBA  ODD-DVD SD-M1802
    ID=7040 Tape:    Quantum  DLT4000          D67E (/dev/nst0)
    ID=7050 Tape:    Quantum  DLT4000          D67E (/dev/nst1)
    ID=7060 Loader:  HP       C1194F           1.04 (/dev/sg4)
    STATUS=SUCCESS MSG="OK"
    
  8. Click OK to create the new drive. Once an LTO (4 or higher) drive group has drives assigned to it, it becomes encryption-capable. To verify that your LTO drive group is encryption-capable, double-click it or right-click it and click Properties. If the LTO drive group is configured correctly, the message "This drive group is encryption capable" is displayed.
    Note:
    Encryption for a drive group is only available if there are no older LTO drives (e.g., generation 3) in the same group. However, a group can contain mixed LTO tapes of generation 4 and higher.

    (Screenshot: Drive group encrypt enabled)

Note:
If the drive does not display the encryption capability, make sure that application encryption is enabled on the drive. This may require a special license or can be enabled by using the drive or library management interface. Also, make sure that your LTO generation's encryption functionality is already supported by SEP sesam.
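The tip in step 7 points at `slu topology` for the device name. As an added example (not code from the SEP sesam documentation or product), the following Python parser reads output in the format of the sample shown there and lists the tape device names to enter in the Device (non-rewinding) field; the record layout is inferred from that sample, and the embedded sample text is copied from it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the "Sample output on Linux" of `slu topology` shown above,
# embedded here so the parser runs offline.
SAMPLE_SLU_TOPOLOGY = """\
ID=0000 other:   ATA      ST380013AS
ID=1000 other:   TOSHIBA  ODD-DVD SD-M1802
ID=7040 Tape:    Quantum  DLT4000          D67E (/dev/nst0)
ID=7050 Tape:    Quantum  DLT4000          D67E (/dev/nst1)
ID=7060 Loader:  HP       C1194F           1.04 (/dev/sg4)
STATUS=SUCCESS MSG="OK"
"""

# Record layout inferred from the sample (assumption):
#   ID=<hex> <kind>: <vendor>  <product>  [<revision>] [(<os device>)]
# with the vendor/product/revision columns separated by two or more spaces.
RECORD_RE = re.compile(r"^ID=(?P<id>[0-9A-Fa-f]{4})\s+(?P<kind>\w+):\s+(?P<rest>.*)$")
DEVICE_RE = re.compile(r"\((?P<dev>[^()]+)\)\s*$")
STATUS_RE = re.compile(r'^STATUS=(?P<status>\w+)\s+MSG="(?P<msg>[^"]*)"')


@dataclass
class SluDevice:
    id: str
    kind: str               # "Tape", "Loader" or "other"
    vendor: str
    product: str
    revision: str
    device: Optional[str]   # OS device node such as /dev/nst0; None if not reported


def parse_slu_topology(text: str) -> Tuple[List[SluDevice], Optional[Tuple[str, str]]]:
    """Return the device records and the (STATUS, MSG) trailer, if one was printed."""
    devices: List[SluDevice] = []
    status = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if m:
            status = (m["status"], m["msg"])
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised slu topology line: {line!r}")
        rest = m["rest"]
        dm = DEVICE_RE.search(rest)
        device = dm["dev"] if dm else None
        desc = rest[: dm.start()].rstrip() if dm else rest
        fields = re.split(r"\s{2,}", desc)   # vendor / product / revision columns
        fields += [""] * (3 - len(fields))   # pad records that omit trailing columns
        devices.append(SluDevice(m["id"], m["kind"], fields[0], fields[1], fields[2], device))
    return devices, status


def tape_devices(text: str) -> List[str]:
    """Device names of all tape drives; refuses output that did not end in SUCCESS."""
    devices, status = parse_slu_topology(text)
    if status is None or status[0] != "SUCCESS":
        raise RuntimeError(f"slu topology did not report success: {status}")
    return [d.device for d in devices if d.kind == "Tape" and d.device]


def is_non_rewinding(device: str) -> bool:
    """True for the device names the page expects in the non-rewinding field:
    /dev/nst* on Linux (the /dev/st* nodes rewind on close) or Tape<n> on Windows."""
    return bool(re.fullmatch(r"/dev/nst\d+[a-z]?", device) or re.fullmatch(r"Tape\d+", device))


if __name__ == "__main__":
    for dev in tape_devices(SAMPLE_SLU_TOPOLOGY):
        flag = "" if is_non_rewinding(dev) else "  <-- not a non-rewinding device name"
        print(f"{dev}{flag}")
```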

Creating a media pool for the new LTO (4 or higher) drive group

After you have assigned one or more drives that are all encryption-capable (LTO generation 4 or higher) to the drive group, you need to create a dedicated media pool and enable encryption.

You must first create a new media pool and then enable encryption in the media pool properties. (In older versions ≤ 4.4.3 Grolar, the Encryption tab for enabling encryption was already available when creating a new media pool).

  1. In the Main Selection -> Components, click Media Pools. The Media Pools contents frame is displayed.
  2. Click New Media Pool to define a media pool for the LTO (4 or higher) drive group. The New Media Pool window is displayed.
  3. In the Name field enter a meaningful name for the media pool.
  4. From the Drive group drop-down list, select the name of your LTO (4 or higher) drive group. The Encryption tab becomes available in the media pool properties after you have created the media pool.
  5. In the Retention time field set the time period for which the media are locked after initialization or the last backup, thus preserving the savesets and keeping them available for restore. The retention time is defined in days.
  6. To enable encryption, click OK to create a media pool. Then double-click this media pool to open its properties. Switch to the Encryption tab and click Enable encryption.
    (Screenshot: Media pool encrypt enabled)
  7. Set the password for your tape encryption and re-enter it.
    Attention:
    • Make sure you remember the password, otherwise you won't be able to change the encryption properties or access the data on the tape unless the data is read directly by SEP sesam. The encryption key is stored in the SEP sesam database and is read automatically during restore. But if the tape is removed from the drive, the encryption key is cleared from the drive. Such a tape can still be used for backups, but only SEP sesam can access the stored data.
    • If you change the password, the updated password will only take effect after the tapes have been initialized. Until then, the old password is still valid.
    • The password is also required to disable encryption.

Initializing media from a single LTO drive

To enable LTO encryption, you have to initialize the LTO tapes that belong to the LTO media pool. Only after initialization are the LTO tapes ready for encryption. The LTO tapes that were loaded before encryption was set will be encrypted after their EOL (End of Lifetime) expires. As long as their EOL is valid, these LTO tapes are not writable. Therefore, the data will be encrypted after they are EOL-free and reinitialized. For more details on tape availability and retention, see Tape Management.

To initialize media, go to Activities -> Immediate Start -> Media Action. Choose Media action init, select the Media Pool and the Media you want to initialize. Click OK to start the initialization of the medium. For details, see Initializing media.
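The rules in this setup section (drive group capability, media pool encryption and password, EOL lock and initialization) interact in ways that are easy to get wrong, so here is an added Python model of them; it is not SEP sesam code, and the class names, the `eol_days_left` counter and the in-memory password are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import List

ENCRYPTION_MIN_GENERATION = 4   # LTO generation 4 and higher encrypt in the drive hardware


@dataclass
class Drive:
    name: str
    lto_generation: int


@dataclass
class DriveGroup:
    name: str
    drives: List[Drive] = field(default_factory=list)

    def encryption_capable(self) -> bool:
        # Capable only once drives are assigned and none is older than generation 4;
        # a mix of generation 4 and higher drives is fine.
        return bool(self.drives) and all(
            d.lto_generation >= ENCRYPTION_MIN_GENERATION for d in self.drives
        )


@dataclass
class Tape:
    label: str
    eol_days_left: int           # > 0: retention (EOL) still valid, tape not writable
    encrypted: bool = False
    password_version: int = 0    # password generation the tape was last initialized with


@dataclass
class MediaPool:
    name: str
    drive_group: DriveGroup
    retention_days: int
    encryption_enabled: bool = False
    _password: str = ""          # stand-in for the key SEP sesam keeps in its database
    password_version: int = 0    # incremented on every password set or change

    def enable_encryption(self, password: str) -> bool:
        """Enable encryption on the pool; refused for a non-capable drive group."""
        if not self.drive_group.encryption_capable() or not password:
            return False
        self.encryption_enabled = True
        self._password = password
        self.password_version += 1
        return True

    def change_password(self, current: str, new: str) -> bool:
        """Changing the encryption properties requires the current password."""
        if not self.encryption_enabled or current != self._password or not new:
            return False
        self._password = new
        self.password_version += 1   # reaches a tape only at its next initialization
        return True

    def disable_encryption(self, current: str) -> bool:
        """Disabling encryption also requires the password."""
        if not self.encryption_enabled or current != self._password:
            return False
        self.encryption_enabled = False
        return True

    def initialize(self, tape: Tape) -> bool:
        """Initialization applies the pool's current encryption setting to a tape.
        A tape whose EOL is still valid is not writable and cannot be reinitialized."""
        if tape.eol_days_left > 0:
            return False
        tape.encrypted = self.encryption_enabled
        tape.password_version = self.password_version if self.encryption_enabled else 0
        tape.eol_days_left = self.retention_days   # locked again until retention expires
        return True

    def uses_current_password(self, tape: Tape) -> bool:
        """False for a tape still under an older password (valid until reinitialized)."""
        return tape.encrypted and tape.password_version == self.password_version
```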

How to verify if encryption is enabled

There are two ways to check whether encryption is enabled. You can either check the properties of each medium or search the day log for encryption-related messages.

Checking the media properties

In the Main Selection -> Components -> Tapes -> Media, look for the Encrypted column in the table. Yes means that the medium is encrypted, No means it is not encrypted. You can also double-click a medium in the table to open the Properties dialog. The Encrypted field indicates whether the medium is encrypted or not (Yes/No).

(Screenshot: Media properties)

Checking the day log

For each data protection operation, SEP sesam checks the drive to determine if encryption is enabled. You can confirm this by checking the Day log file in the Web UI. For details, see Logging.

The following example shows how to search the Day log in the Web UI.

  1. In the Main Navigation click System Logs and then in the content pane select Day Log in the drop-down list. The Day Log contents frame is displayed.
  2. In the Search field type encrypt and press Enter. If LTO encryption is enabled, all related messages are displayed. Use the Next and Previous buttons to scroll through all search results.
    (Screenshot: Day log part)

If LTO encryption is enabled, the data is encrypted before the backup starts. Note that the tape header is never encrypted, while the data itself is encrypted before it is written to the LTO tape.

Copyright © SEP AG 1999-2024. All rights reserved.
Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.