[nylug-talk] Recommendations for encrypted tape drive(s)?

Chris Knadle Chris.Knadle at coredump.us
Tue Mar 4 12:28:05 EST 2008 

> On 3/4/08, Sunny Dubey <sunny at opencurve.org> wrote:
> > On Monday 03 March 2008 11:15:42 pm R. Mariotti wrote:
> >  > Does anyone have any experience with any drive encrypted devices or
> >  > recommend SCSI tape drives that perform encryption?
> >
> > I hate to ask the obvious question ...
> >
> >  But why not encrypt on the software layer ?

On Tuesday 04 March 2008, Luis Murillo wrote:
> Software compression and encryption means that the backup job will
> take longer, specially when data is being transfered to the tape
> drive, and delaying the stream of data is something that you don't
> want to happen since it will create more wear and tare with the media.
> If data is not streamed to the drive fast enough then it will cause
> for the drive to stop rewind and start writing again...all throughout
> the process the head will be touching the media in order to go back to
> the point where the last bit of data was written and this is what
> causes for the media to be worn out faster.

   This has to do with the method used to encrypt the data; an encrypted tar 
could be prepared ahead of time and then streamed to the tape, with the 
obvious downside that doing so requires space (and time) to do that.  If a 
disk-to-disk-to-tape backup method is used that can illeviate at least _some_ 
of the time part of the problem.

   Another thought I have is that hardware can have bugs just like software 
does (like the Pentium math bug, etc) and all CPUs have errata.  Several 
encryption algorithms have been broken in recent years, or weaknesses have 
been found in them (RC4, RC5, MD5, etc) so if you decide to go with a 
hardware-based tape encryption, you might want to find out if it's at least 
firmware flashable in case it needs an update.  [Hmm and will the old tapes 
be readable if you do?]

> So the hardware encryption and compression are done on the tape drive
> itself which means that the system can simply dedicate it's resources
> to streaming the data to the tape drive and not have to use processing
> power to do that.

   It just means the processing is done by the drive, and probably fewer (if 
any) choices of what cipher it uses to encrypt the data with.  If the 
implementation is software independent, and there are no required settings to 
do the encryption, then that also means that an identical drive should be 
able to retrieve the data.  And if the encrypted data *can't* be retrieved by 
a duplicate drive model, then a drive failure means loss of all prior 
backups.  Either way, that's a problem.


   So for all of these reasons I would personally tend to have more faith in a 
software encryption solution rather than a hardware one, even with the 
obvious downsides.  I'm not making a recommendation of one over the other 
overall, though.  I don't have a lot of experience with tape drives, and no 
personal experience with tape drives that do internal encryption.

   -- Chris

-- 

Chris Knadle
Chris.Knadle at coredump.us

More information about the nylug-talk mailing list