LTO Encryption

From SEPsesam
Revision as of 14:09, 5 August 2020 by Sta (talk | contribs) (Fixed heading levels and excluded items from print for SBA book.)
Welcome to the latest SEP sesam documentation version 4.4.2/4.4.3 Beefalo V2. For previous documentation version(s), check Documentation archive.


Overview

LTO generation 4 and higher includes the ability for data to be encrypted by the tape drive hardware. SEP sesam provides native support for managing the LTO hardware based encryption by enabling the LTO encryption of tape drives on a media pool level.

During the LTO encryption process the data files are taken from the server and passed through the SCSI interface to the tape drive. The tape drive then encrypts and compresses the data before writing it to the tape cartridge (and decrypts it when reading from the cartridge).

Supported drive types

Drive type                                                        | LTO generation | Supported since SEP sesam version
LTO Ultrium 7 (M8), LTO Ultrium 8 (L8)                            | LTO 8          | 4.4.3.64 + SP 2019-1 (see note below)
(see footnote *)                                                  | LTO 7          | 4.4.3.42
(see footnote *)                                                  | LTO 6          | 4.4.3
HP Ultrium 5-SCSI X64D (SCSI, single tape drive)                  | LTO 5          | 4.4.2.53
Tandberg HH Z519 (SCSI, single tape drive)                        | LTO 5          | 4.4.2.53
HP Ultrium 4-SCSI B63W (Fiber Channel, loader)                    | LTO 4          | 4.4.2.53
IBM Ultrium-HH4 (SCSI, loader)                                    | LTO 4          | 4.4.2.53
IBM Ultrium-TD4 BBH4 (Fiber Channel, loader/single tape drive)    | LTO 4          | 4.4.2.53

* This drive type supports encryption, however it has not yet been certified with SEP sesam.
Note

Hardware encryption for LTO 8 is not supported in SEP sesam ≤ 4.4.3.64. It can nevertheless be used by installing the service pack of January 2019 (SP 2019-1), which contains a newer version of the required slu executable for your operating system, available at https://download.sep.de/servicepacks/4.4.3/4.4.3.64/ .

Setting up the LTO encryption

Setting up LTO encryption consists of four main steps: create a drive group, assign one or more drives to it that are all encryption capable (LTO generation 4 or higher), create a dedicated media pool with encryption enabled, and finally initialize the media. Only after initialization is an LTO tape ready for encryption.

Creating a new LTO (generation 4 or higher) drive group

Large autoloaders often have several internal drives that are loaded from one magazine. All drives have to be organized into a group. Make sure to create a separate drive group for the LTO drives of generation 4 or higher. Note that encryption is only available if there are no older LTO drives (e.g. generation 3) in the same group; such a group can, however, contain mixed LTO drives of generation 4 and higher.

  1. In the Main Selection -> Components, click Drives. The Drives contents frame is displayed.
  2. Click New Group to create a new drive group for the LTO 4 (or higher) and enter a meaningful name for it. Click OK.

Creating a drive for the new LTO (4 or higher) drive group

  1. Right-click the newly created LTO 4 (or higher) drive group and click New Drive to assign a drive to it. SEP sesam follows the automatic drive enumeration and assigns the drive number automatically.
  2. In the Drive name field enter a meaningful name for the drive.
  3. From the Drive type drop-down list, select LTO.
  4. From the Loader drop-down list, select the relevant loader from the list of configured loaders or leave it empty in case of a single device.
  5. From the Device server drop-down list, select the client to which you want to connect the drive. The list shows all clients configured in SEP sesam.
  6. From the Drive group drop-down list, select the newly created LTO drive group.
    New LTO drive Beefalo V2.jpg
  7. In the Device (non-rewinding) field, enter the name of the relevant device. Non-rewinding means that the tape will not be rewound after backup.
    Tip
    You can get the name of the device by running the command: <SESAM_BIN>/sesam/slu topology
    (e.g. Tape0 on Windows or /dev/nst0 on Unix/Linux).

    Sample output on Linux

    ID=0000 other:   ATA      ST380013AS 
    ID=1000 other:   TOSHIBA  ODD-DVD SD-M1802
    ID=7040 Tape:    Quantum  DLT4000          D67E (/dev/nst0)
    ID=7050 Tape:    Quantum  DLT4000          D67E (/dev/nst1)
    ID=7060 Loader:  HP       C1194F           1.04 (/dev/sg4)
    STATUS=SUCCESS MSG="OK"
    
  8. Click OK to create the new drive. Once an LTO (4 or higher) drive group has drives assigned, it becomes encryption capable. To check whether your LTO drive group is encryption capable, double-click it or right-click it and click Properties. If the LTO drive group is configured correctly, the message "This drive group is encryption capable" is displayed.
    Note
    Encryption for a drive group is only available if there are no older LTO drives (e.g. generation 3) in the same group; a group can, however, contain mixed LTO drives of generation 4 and higher.

    Drive group encrypt enabled Beefalo V2.jpg
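Step 7 above asks for the non-rewinding device name taken from `slu topology`. The following added example (not part of this page or of SEP sesam) parses output in the format of the sample shown in the tip, checks the STATUS line, and returns the device names of the tape drives; the line format and the `Device` field names are assumptions based only on that sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the "slu topology" output shown in the tip above.
SAMPLE = """\
ID=0000 other:   ATA      ST380013AS 
ID=1000 other:   TOSHIBA  ODD-DVD SD-M1802
ID=7040 Tape:    Quantum  DLT4000          D67E (/dev/nst0)
ID=7050 Tape:    Quantum  DLT4000          D67E (/dev/nst1)
ID=7060 Loader:  HP       C1194F           1.04 (/dev/sg4)
STATUS=SUCCESS MSG="OK"
"""

@dataclass
class Device:
    scsi_id: str
    kind: str               # "Tape", "Loader" or "other"
    vendor: str
    model: str
    firmware: Optional[str]  # absent for non-tape devices in the sample
    path: Optional[str]      # e.g. /dev/nst0 on Linux, Tape0 on Windows

_LINE = re.compile(r"^ID=(?P<id>[0-9A-Fa-f]+)\s+(?P<kind>\w+):\s+(?P<rest>.*?)\s*$")
_PATH = re.compile(r"\((?P<path>[^)]+)\)$")

def parse_slu_topology(text: str) -> List[Device]:
    """Parse slu topology output; raise if the STATUS line is missing or not SUCCESS."""
    devices, status = [], None
    for line in text.splitlines():
        if line.startswith("STATUS="):
            status = line.split()[0].split("=", 1)[1]
            continue
        m = _LINE.match(line)
        if not m:
            continue  # ignore anything that is not an ID= record
        rest, path = m.group("rest"), None
        pm = _PATH.search(rest)
        if pm:  # trailing "(/dev/nst0)" is the OS device name
            path = pm.group("path")
            rest = rest[: pm.start()].rstrip()
        fields = re.split(r"\s{2,}", rest)  # columns are separated by 2+ spaces
        vendor = fields[0]
        model = fields[1] if len(fields) > 1 else ""
        firmware = fields[2] if len(fields) > 2 else None
        devices.append(Device(m.group("id"), m.group("kind"), vendor, model, firmware, path))
    if status != "SUCCESS":
        raise RuntimeError(f"slu topology did not succeed: STATUS={status}")
    return devices

def tape_devices(text: str) -> List[str]:
    """Device names of tape drives, as entered in the Device (non-rewinding) field."""
    return [d.path for d in parse_slu_topology(text) if d.kind == "Tape" and d.path]
```

Running `tape_devices(SAMPLE)` yields the two non-rewinding tape devices from the sample; loaders (such as /dev/sg4) are deliberately excluded.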

Note
If the drive does not demonstrate the encryption capability, make sure that application encryption is enabled on the drive. This may require a special license or can be enabled by using the drive or library management interface. Also make sure that encryption functionality of your LTO generation is already supported by SEP sesam.

Creating a media pool for the new LTO (4 or higher) drive group

After you have assigned one or more drives which are all encryption capable (LTO generation 4 or higher) to the drive group, you need to create a dedicated media pool and enable encryption.

In v. ≤ 4.4.3 Grolar, the Encryption tab where you can enable encryption is available when creating a new media pool. As of v. 4.4.3 Beefalo, you first have to create a new media pool and then enable encryption in the media pool properties.

  1. In the Main Selection -> Components, click Media Pools. The Media Pools contents frame is displayed.
  2. Click New Media Pool to define a media pool for the LTO (4 or higher) drive group. The New Media Pool window is displayed.
  3. In the Name field enter a meaningful name for the media pool.
  4. From the Drive group drop-down list, select the name of your LTO (4 or higher) drive group. In v. ≤ 4.4.3 Grolar, as soon as you select the LTO drive group, a tab Encryption becomes available. From v. 4.4.3 Beefalo, a tab Encryption is available after creating a media pool in the media pool properties.
  5. In the Retention time field set the time period for which the media are locked after the initialization or the last backup, thus preserving the savesets and keeping them available for restore. The retention time is defined in days.
  6. To enable encryption, depending on your SEP sesam version, proceed as follows:
    • As of v. 4.4.3 Beefalo, click OK to create the media pool. Then double-click this media pool to open its properties, switch to the Encryption tab and click Enable encryption.
    • In v. ≤ 4.4.3 Grolar, switch to the Encryption tab, and then click Enable encryption.
    Media pool encrypt enabled Beefalo V2.jpg
  7. Set the password for your tape encryption and re-enter it.
  8. Attention
    • Make sure to remember the password; otherwise you will not be able to change the encryption properties again or access the data on tape, unless the data is read directly by SEP sesam. The encryption key is stored in the SEP sesam database and is read automatically during restore. If the tape is removed from the drive, the encryption is cleared. Such a tape can still be used for backups, but the stored data can only be accessed by SEP sesam.
    • If you change the password, the updated password will take effect only after the tapes are initialized. Until then the old password is still valid.
    • The password is also required to disable encryption.

Initializing media from single LTO drive

To enable LTO encryption, you have to initialize the LTO tapes belonging to the LTO media pool. Only after initialization are the LTO tapes ready for encryption. LTO tapes that were loaded before encryption was set are not writable until their EOL expires; they will be encrypted only once they become EOL-free and are initialized again.

To initialize media, go to Activities -> Immediate Start -> Media Action. Choose Media action init, select the Media Pool and the Media you want to initialize. Click OK to start the initialization of the medium. For details, see Initializing media.

How to verify if encryption is enabled

There are two ways to check whether encryption is enabled. You can either check each individual medium's properties or search the day log for encryption-related messages.

Checking media properties

In the Main Selection -> Components -> Media, look for the Encrypted column in the table. Yes means that the medium is encrypted, No means that it is not encrypted. Or, you can double-click a medium in the table to open the Properties dialog. The Encrypted field states whether the medium is encrypted or not (Yes/No).

Media properties Beefalo V2.jpg

Checking day log

For each data protection operation, SEP sesam checks the drive to see if encryption is enabled. You can confirm this by checking the Day log file. For details, see Logging.

  1. In the Main Selection -> Logging, click Day Log. The Day Log contents frame is displayed.
  2. In the Search field type encrypt and press Enter. If the LTO encryption is enabled, you will see all related messages displayed. Use Next and Previous buttons to browse through all search results.
    Day log part Beefalo V2.jpg
Note
As of 4.4.3 Beefalo V2, you can also check your logs online by using new Web UI (System logs -> Day log). For details, see SEP sesam Web UI.

If LTO encryption is enabled, encryption is active before the backup starts. Note that the tape header is never encrypted; the data itself is encrypted before it is written to the LTO tape.