DP9.04 - Query on Drive based encryption

Hi Team,

We are using DP 9.04 and an HP MSL library with LTO6 drives. Backup tapes are going offsite. Tapes are of HP model.

At the DR site, we have an IBM tape library with an LTO 6 tape drive (compatible with DP 9.04 & HP tapes).

Now the customer is asking to enable encryption on backup tapes (in case any tape gets misplaced during transport, it should not be readable by any third party).

Question:

-> If I enable drive based encryption (Drive -> setting -> advanced -> drive based encryption), would I be able to read the tapes on the IBM tape library?

-> What is the method of reading the encrypted tapes at the DR site (IDB tape and data tape)? Kindly help to provide steps for decryption.

thnx

  • >Would I be able to read the tapes on IBM tape library?

    Does that library support drive based encryption? And if it does, you would need to transfer the encryption keys to the DR site.

  • Hi Daniel, IBM drives are encryption capable.

    Kindly suggest how to transfer the encryption keys.

  • >How to transfer the encryption keys?

    You'll need to read the DP and IBM documentation.

  • Verified Answer

    Hi brits,

    In case Data Protector provides encryption keys at backup time to the LTO drive, you can read them directly in case you load them by a Media Agent that is part of the originating cell. This should work regardless of the LTO tape drive vendor. Hardware encryption kits will most likely fail.

    If the remote site has a separate Cell Manager, you need to export the keys and import them on the remote Cell Manager first. This is done by omnikeytool.

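    # list and export keys (CSVFile, EntityName and the Day Hour values are placeholders)
    omnikeytool -list -active
    # export either by entity ...
    omnikeytool -export CSVFile -entity EntityName
    # ... or by time range
    omnikeytool -export CSVFile -time Day Hour Day Hour

    # import keys into keystore
    omnikeytool -import CSVFile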

    Regards,
    Sebastian Koehler

  • Thanks a lot Sebastian for the information.

    Remote site (DR site) has a different cell manager.

    Please correct me if my understanding is wrong: I need to run the export command on a daily basis on the production site cell manager and copy the CSV file to the DR site cell manager (<DP path>\Config\Server\import\keys). This is to ensure the updated keys are available at the DR site and can be used for decryption in case an actual DR happens and for IDB recovery.

    At the DR site, the IDB recovery sequence would be:

    • Run “omnikeytool -import CSVFile” command
    • Run “Import” of Latest IDB backup media
    • Restore IDB
  • This looks correct to me. Make sure to test and document it properly.

    If this answers your question, please mark it resolved and assign a Kudo. :)

    Regards,
    Sebastian Koehler
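
The daily export-and-copy routine discussed above fails silently if the DR copy of the key CSV is truncated, missing or days old. The following is an added example, not part of the thread and not Data Protector code: a sketch of a manifest check to run at the DR site before `omnikeytool -import`. The manifest file name, its JSON layout and the 26-hour freshness limit are assumptions, and the CSV is treated as opaque bytes.

```python
import hashlib, json, time
from pathlib import Path

# Assumed policy: exports run daily, so allow 24 h plus 2 h of slack.
MAX_AGE_SECONDS = 26 * 3600

def sha256_of(path):
    """Hash the file in chunks so large exports do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(csv_path, now=None):
    """Production side: record hash, size and export time beside the CSV.
    The '.manifest.json' name and layout are hypothetical."""
    csv_path = Path(csv_path)
    manifest = {
        "file": csv_path.name,
        "sha256": sha256_of(csv_path),
        "size": csv_path.stat().st_size,
        "exported_at": int(now if now is not None else time.time()),
    }
    out = csv_path.with_name(csv_path.name + ".manifest.json")
    out.write_text(json.dumps(manifest))
    return out

def check_dr_copy(csv_path, manifest_path, now=None):
    """DR side: return a list of problems; an empty list means the copy
    matches what production exported and is recent enough to import."""
    now = now if now is not None else time.time()
    manifest = json.loads(Path(manifest_path).read_text())
    csv_path = Path(csv_path)
    if not csv_path.is_file():
        return ["key export missing at DR site"]
    problems = []
    if csv_path.stat().st_size == 0:
        problems.append("key export is empty")
    if sha256_of(csv_path) != manifest["sha256"]:
        problems.append("hash mismatch: copy truncated or altered")
    if now - manifest["exported_at"] > MAX_AGE_SECONDS:
        problems.append("key export is stale: newer tapes may lack keys")
    return problems
```

The manifest catches truncated, missing or outdated copies; it is not tamper evidence unless it is signed or delivered over a separate channel. The CSV holds key material, so the transfer channel and both directories need restricted access.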
