[nylug-talk] Recommendations for encrypted tape drive(s)?
Luis Murillo
lmurillo at codebeta.net
Tue Mar 4 13:14:53 EST 2008
The hardware encryption uses a key, at least on the LTO4 drives that
I've worked with, so although you don't really select the encryption
algorithm that is used you do use a key to encrypt and decrypt the
data.
That's how the encryption is activated in the first place...it's not
just an option that can be enabled by marking some checkbox...you have
to provide a key. If you lose the key then you will surely have one
heck of a time getting your data back since you'll need to crack it.
As far as the encryption algorithm being changed from one to another
completely different one, I have no idea, but I would assume it's something
within the firmware. But I guess it would be more likely that a
company releases a whole new drive with the new encryption algorithm
than changes the one on the old one.
LM
On 3/4/08, Chris Knadle <Chris.Knadle at coredump.us> wrote:
> > On 3/4/08, Sunny Dubey <sunny at opencurve.org> wrote:
> > > On Monday 03 March 2008 11:15:42 pm R. Mariotti wrote:
> > > > Does anyone have any experience with any drive encrypted devices or
> > > > recommend SCSI tape drives that perform encryption?
> > >
> > > I hate to ask the obvious question ...
> > >
> > > But why not encrypt on the software layer ?
>
>
> On Tuesday 04 March 2008, Luis Murillo wrote:
> > Software compression and encryption means that the backup job will
> > take longer, especially when data is being transferred to the tape
> > drive, and delaying the stream of data is something that you don't
> > want to happen since it will create more wear and tear on the media.
> > If data is not streamed to the drive fast enough then it will cause
> > the drive to stop, rewind and start writing again...all throughout
> > the process the head will be touching the media in order to go back to
> > the point where the last bit of data was written and this is what
> > causes the media to wear out faster.
>
>
> This has to do with the method used to encrypt the data; an encrypted tar
> could be prepared ahead of time and then streamed to the tape, with the
> obvious downside that doing so requires space (and time) to do that. If a
> disk-to-disk-to-tape backup method is used that can alleviate at least _some_
> of the time part of the problem.
>
> Another thought I have is that hardware can have bugs just like software
> does (like the Pentium math bug, etc) and all CPUs have errata. Several
> encryption algorithms have been broken in recent years, or weaknesses have
> been found in them (RC4, RC5, MD5, etc) so if you decide to go with a
> hardware-based tape encryption, you might want to find out if it's at least
> firmware flashable in case it needs an update. [Hmm and will the old tapes
> be readable if you do?]
>
>
> > So the hardware encryption and compression are done on the tape drive
> > itself which means that the system can simply dedicate its resources
> > to streaming the data to the tape drive and not have to use processing
> > power to do that.
>
>
> It just means the processing is done by the drive, and probably fewer (if
> any) choices of what cipher it uses to encrypt the data with. If the
> implementation is software independent, and there are no required settings to
> do the encryption, then that also means that an identical drive should be
> able to retrieve the data. And if the encrypted data *can't* be retrieved by
> a duplicate drive model, then a drive failure means loss of all prior
> backups. Either way, that's a problem.
>
>
> So for all of these reasons I would personally tend to have more faith in a
> software encryption solution rather than a hardware one, even with the
> obvious downsides. I'm not making a recommendation of one over the other
> overall, though. I don't have a lot of experience with tape drives, and no
> personal experience with tape drives that do internal encryption.
>
> -- Chris
>
>
> --
>
> Chris Knadle
> Chris.Knadle at coredump.us
>
> _____________________________________________________________________________
> Hire expert Linux talent by posting jobs here :: http://jobs.nylug.org
> The nylug-talk mailing list is at nylug-talk at nylug.org
> The list archive is at http://nylug.org/pipermail/nylug-talk
> To subscribe or unsubscribe: http://nylug.org/mailman/listinfo/nylug-talk
>
--
LuisM
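The disk-to-disk-to-tape variant Chris describes (encrypt the tar ahead of time, then stream it to the drive as a plain sequential copy) and the key-custody point Luis makes (lose the key, lose the data) can be shown together in a small script. This is an added example, not code from anyone in the thread: it assumes openssl(1), GNU tar, gzip and sha256sum are available, uses a file for the "tape" device, and all function names, paths and the key-file layout are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the thread): software-layer tape encryption done
# disk-to-disk-to-tape. Assumes openssl(1), GNU tar, gzip and sha256sum.
# Function names, file layout and the file standing in for /dev/nst0 are
# assumptions made for this illustration.
set -e
set -o pipefail 2>/dev/null || true   # available in bash and newer dash

# Create a random 256-bit symmetric key, readable only by the owner.
# Keep this file OFF the tape set; without it the archive is unrecoverable.
make_key() {
    keyfile=$1
    (umask 077; openssl rand -hex 32 > "$keyfile")
}

# Stage 1 (disk-to-disk): tar + gzip + AES-256-CBC (PBKDF2-derived key),
# written to a staging file so the later tape write is a pure sequential
# stream and the CPU cost of encryption never stalls the drive.
# Also records a SHA-256 manifest of the source files for restore checks;
# the manifest reveals file names, so store it with the key, not the tape.
stage_backup() {
    src=$1; out=$2; keyfile=$3; manifest=$4
    (cd "$src" && find . -type f -exec sha256sum {} + | sort -k2) > "$manifest"
    tar -C "$src" -cf - . | gzip -c \
      | openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$keyfile" -out "$out"
}

# Stage 2 (disk-to-tape): a plain sequential copy with a large block size.
# With a real drive $tape would be the non-rewinding device, e.g. /dev/nst0.
stream_to_tape() {
    staged=$1; tape=$2
    dd if="$staged" of="$tape" bs=256k 2>/dev/null
}

# Read the tape image back, decrypt with the same key file and unpack.
# Any identical host with openssl and the key can do this; no vendor
# firmware is involved, which is the portability argument for doing it
# in software.
restore_backup() {
    tape=$1; keyfile=$2; dest=$3
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" -in "$tape" \
      | gzip -dc | tar -C "$dest" -xf -
}

# Compare the restored tree against the manifest taken before staging.
# Prints "ok" when every file hash matches, "FAIL" otherwise.
verify_restore() {
    dest=$1; manifest=$2
    if (cd "$dest" && sha256sum -c --quiet "$manifest" >/dev/null 2>&1); then
        echo ok
    else
        echo FAIL
    fi
}
```

Usage follows the function order: `make_key`, `stage_backup`, `stream_to_tape`, then `restore_backup` and `verify_restore` on the read-back copy. The manifest check only proves the restore matches what was staged; CBC mode gives no authentication of the ciphertext on its own, so a production script would add an HMAC (or use an AEAD-capable tool) over the staged file before it goes to tape.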