Hardware Encryption



Several tape drives, such as LTO4, support encryption of data on the tape drive. These drives expose the controls that backup applications need to query the encryption capabilities and to set the encryption properties on the drive. Some tape drives also provide key management services. Hardware Encryption provides key management for tape drives that do not support key management themselves.

Key management includes the ability to generate random encryption keys for stored data and to manage the secure storage of these keys. It also includes the ability to provide a random encryption key to the tape drive so that the drive can encrypt and decrypt the data. A random key is generated for each chunk on the media, so the strength of the encryption is very high. If all the data on a media were encrypted with the same key, the encryption would be more susceptible to being broken and would therefore be weaker.

Hardware encryption must be established for each data path and is only available for data paths that direct data to tape libraries.

For each data protection operation, the software checks the drive to see if encryption is supported. If encryption is supported, the software provides the encryption key, which is in turn stored in the CommServe Database Engine when the chunk is written to the media. The encryption key is stored after it has been scrambled with a proprietary encryption method.
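The per-chunk key model described above (a random key per chunk, stored only in protected form and looked up again for recovery) can be sketched as follows. This is an added example, not the product's code: the product's scrambling is proprietary, so AES-256-GCM wrapping under a key-encryption key is an assumption, and KeyCatalog, NewChunkKey, ChunkKey and the "barcode/chunk" ID format are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyCatalog stands in for the key database; it holds only wrapped chunk keys.
type KeyCatalog struct {
	aead    cipher.AEAD
	wrapped map[string][]byte // chunk ID ("barcode/chunk") -> nonce || ciphertext
}

func NewKeyCatalog(kek []byte) (*KeyCatalog, error) {
	block, err := aes.NewCipher(kek) // a 32-byte KEK selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &KeyCatalog{aead: aead, wrapped: map[string][]byte{}}, err
}

// NewChunkKey makes a random 256-bit key for one chunk and stores it wrapped.
func (c *KeyCatalog) NewChunkKey(id string) ([]byte, error) {
	buf := make([]byte, 32+c.aead.NonceSize())
	if _, err := rand.Read(buf); err != nil {
		return nil, err // never continue with a predictable key
	}
	key, nonce := buf[:32], buf[32:]
	// The ID is associated data: a wrapped key moved to another entry fails to unwrap.
	c.wrapped[id] = append(nonce, c.aead.Seal(nil, nonce, key, []byte(id))...)
	return key, nil
}

// ChunkKey unwraps the key for one chunk at restore time.
func (c *KeyCatalog) ChunkKey(id string) ([]byte, error) {
	w, n := c.wrapped[id], c.aead.NonceSize()
	if len(w) < n {
		return nil, fmt.Errorf("no key for chunk %s", id)
	}
	return c.aead.Open(nil, w[:n], w[n:], []byte(id))
}

func main() {
	cat, _ := NewKeyCatalog(make([]byte, 32)) // constructed all-zero KEK, demo only
	k, _ := cat.NewChunkKey("TAPE01L4/1")     // constructed barcode/chunk ID
	fmt.Println(len(k), len(cat.wrapped["TAPE01L4/1"]))
}
```

Because every chunk has its own key, recovering one plaintext key exposes only that chunk, while loss of the catalogue or of the key-encryption key makes every chunk on the media unreadable.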

For Data Recovery and Auxiliary Copy operations using the CommCell Console, the specific key will be automatically provided by the software for each chunk.

For Data Recovery operations using the Media Explorer, an option to store the encryption key on the media is provided in the data path.

Hardware encryption must be enabled only when the drives associated with the data path support encryption. If this option is enabled and the hardware does not support encryption, jobs using the data path will fail.

Support

Hardware encryption is supported by all MediaAgents, if the devices attached to these MediaAgents support encryption. Note that hardware encryption is only supported by tape libraries. Hardware encryption is not applicable for magnetic and optical libraries.

Auxiliary Copy Encryption

While hardware encryption is the fastest method of encrypting data, you can also encrypt storage policy copies using auxiliary copy encryption. This capability allows you to select portions of data you wish to encrypt and does not require any specialized media or hardware.

See Auxiliary Copy Encryption for more information.