Hardware Encryption

Several tape drives, such as LTO4, support encryption of data on the drive itself. These drives expose the controls that let backup applications use the encryption capability and set the encryption properties on the drive. Some tape libraries also provide key management services. Calypso's Hardware Encryption feature provides key management for tape libraries that do not support key management themselves.

Key Management for Hardware Encryption can be enabled in one of two ways:

  1. Calypso Software managing the encryption keys
  2. Hardware/Library managing the encryption keys

Calypso Software Managing the Encryption Keys

If the library does not have a license that enables key management, you can enable it at the Storage Policy copy level.

Key management includes the ability to generate random encryption keys for stored data and to manage the secure storage of those keys. It also includes supplying a random encryption key to the tape drive, which performs the encryption and decryption of the data. A fresh random key is generated for each chunk on the media, which keeps the strength of the encryption very high. If all the data on a medium were encrypted with the same key, that key would be more exposed to compromise and the protection would be weaker.

This random key is generated in accordance with FIPS (Federal Information Processing Standard) standards, and the same key is not reused for other backup data.

Hardware encryption must be established for each data path and is only available for data paths that direct data to tape libraries.

For each data protection operation, the software checks whether the drive supports encryption. If it does, the software provides the encryption key, which is stored in the CommServe Database Engine when the chunk is written to the media. The encryption key is stored after being scrambled with a proprietary encryption.

The encryption key gets deleted when the data for that chunk is pruned.
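The per-chunk key lifecycle described above, modelled as an added example rather than Calypso's own code: each chunk gets a fresh random key that is stored wrapped under a key-encryption key, returned again for restore or auxiliary copy, and deleted when the chunk is pruned. The class and method names and the HMAC-based wrap, which stands in for the page's proprietary scrambling, are assumptions.

```python
# Constructed model of per-chunk key management for tape hardware encryption.
# Not Calypso code: the names, wrap scheme and in-memory store are assumptions.
import hashlib
import hmac
import secrets

KEY_BYTES = 32     # one 256-bit data key per chunk, handed to the drive
NONCE_BYTES = 16

def _prf(kek: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(kek, label + data, hashlib.sha256).digest()

def wrap(kek: bytes, key: bytes) -> bytes:
    """Protect a data key at rest under a key-encryption key (KEK). Stand-in for
    the page's proprietary scrambling: HMAC keystream XOR plus an HMAC tag."""
    assert len(key) == KEY_BYTES
    nonce = secrets.token_bytes(NONCE_BYTES)
    ct = bytes(a ^ b for a, b in zip(key, _prf(kek, b"wrap", nonce)))
    return nonce + ct + _prf(kek, b"tag", nonce + ct)

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Recover the data key; a tampered record is rejected before use."""
    nonce, ct = blob[:NONCE_BYTES], blob[NONCE_BYTES:NONCE_BYTES + KEY_BYTES]
    if not hmac.compare_digest(_prf(kek, b"tag", nonce + ct), blob[NONCE_BYTES + KEY_BYTES:]):
        raise ValueError("key record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _prf(kek, b"wrap", nonce)))

class ChunkKeyStore:
    """Models the per-chunk key records kept in the CommServe database: created at
    write time, returned for restore/aux copy, deleted when the chunk is pruned."""

    def __init__(self, kek: bytes):
        self._kek = kek
        self._records: dict = {}   # (media_id, chunk_id) -> wrapped key

    def key_for_write(self, media_id: str, chunk_id: int) -> bytes:
        """Fresh random key for a new chunk; never reused for another chunk."""
        key = secrets.token_bytes(KEY_BYTES)
        self._records[(media_id, chunk_id)] = wrap(self._kek, key)
        return key

    def key_for_read(self, media_id: str, chunk_id: int) -> bytes:
        """Key for restore or auxiliary copy; KeyError once the chunk is pruned."""
        return unwrap(self._kek, self._records[(media_id, chunk_id)])

    def prune(self, media_id: str, chunk_id: int) -> None:
        """Deleting the key record makes the pruned chunk's tape data unrecoverable."""
        del self._records[(media_id, chunk_id)]
```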

  • Hardware encryption must be enabled only when the drives associated with the data path support encryption. If this option is enabled but the hardware does not support encryption, jobs using the data path will go Pending.
  • For Data Recovery and Auxiliary Copy operations using the CommCell Console, the specific key will be automatically provided by the software for each chunk.
  • For Data Recovery operations using the Media Explorer, an option to store the encryption key on the media is provided in the data path.

Hardware/Library Managing the Encryption Keys

If a hardware vendor license for key management is applied on the library and enabled, no additional Calypso license or configuration is required. In this scenario, encryption and key management are done at the hardware level.

The hardware library generates and stores one encryption key per medium, and the hardware drive encrypts the data. Therefore, every backup job written to a specific medium uses the same key.

If hardware encryption (key management) is enabled on the hardware side and the hardware encryption option is also enabled at the storage policy level, the job goes pending with the message:

"The hardware does not support hardware encryption and hardware encryption option should be disabled at the storage policy level".

This ensures that key management is enabled in only one of the two available ways. If both are enabled, the hardware/library managing the encryption keys always takes precedence.

Support

Hardware encryption is supported by all MediaAgents, provided the devices attached to them support encryption. Note that hardware encryption is only supported by tape libraries; it is not applicable to disk and optical libraries.

Related Reports

Jobs on Storage Policy Copies Report

The Jobs on Storage Policy Copies Report displays data encryption jobs with a superscript HE (Hardware Encryption) status.

Auxiliary Copy Encryption

While hardware encryption is the fastest method of encrypting data, you can also encrypt storage policy copies using auxiliary copy encryption. This capability lets you select the portions of data you wish to encrypt and does not require any specialized media or hardware.

See Auxiliary Copy Encryption for more information.