Re: [Networker] New libraries with LTO-4 & encryption
2008-07-24 18:11:20
Clark, Patti wrote:
Some $$ have come our way and management made the decision that we are
going to LTO-4 and encryption. That being said, we've moved forward on
the research and pricing. Before we actually place the order I want to
see if anyone else has had leading edge experience in this area that
might provide me with questions that I haven't thought to ask or
suggestions on how to handle some of the aspects that are new with the
technology. We've looked at appliances and have decided not to go that
way.
The current system is RHEL4, NWv7.3.3 (server and clients) with a mix of
RHEL, Solaris, OSX, and Win clients,
1 - SCSI attached library with 3 LTO-2 drives.
The new system will be RHEL4 or 5 (updated with new HBAs), NWv7.4.2 same
client mix
1 - FC attached library (Quantum i500) with 3 LTO-4 drives (IBM) - at
least 2 drives will have encryption enabled.
Software to perform encryption key management
I've kept track of the HBA discussions, IBM drive info, Networker
upgrade threads, and anything else related. I expect to upgrade
Networker and then the OS prior to the HW switch. Not much has been
said about encryption. Does it work as advertised? Is it fairly
seamless? Networker doesn't really see any difference and it's business
as usual? How about key management? Do I believe the sales materials?

I've used this. When you get the key management set up and running, yes
it is totally transparent to NetWorker. In theory you lose a tiny amount
of throughput, but the LTO-4 drives are so fast in the first place that
you are unlikely to be able to drive them fast enough to see a difference.
The question is, what are you going to use to manage the encryption?
Some backup apps are capable of managing this, NetWorker is not one of
them. TSM is, but this is probably because IBM has a vested interest in
encryption since they are an LTO vendor.
In my case, my customer controlled the encryption from an IBM TS3500
library (AKA 3584). The key management software is called EKM and runs
on one or more Unix boxes (probably Windows too). It was tricky to set
up, even with the help of the IBM "expert" who I don't think had done
this before. The problems mainly revolved around Java versions (quelle
surprise) and some inconsistencies between different versions of the
software on different platforms.
Once it was working it worked very well. The encryption can be
selectively enabled based on barcode ranges. You can have a large number
of keys if you desire. If the key manager software is stopped, normal
operations will continue until such time as a tape needs labelling, at
which point you see perplexing (apparent) media failures. Restarting EKM
fixes this.
IMHO this is a better option than an encryption appliance and certainly
better than the limited functionality supplied by any backup software
package such as NetWorker. The big drawback of NetWorker encryption of
course is that you lose compression when you use it. This will impact on
throughput and media usage. Apparently the IBM TS1120 drives offer even
better capabilities in terms of key management than LTO-4, but at a price.
I predict that in a few years everyone will use drive-based hardware
encryption and the other methods will die. Only low end drives will be
unencrypted. I could be wrong.
To sign off this list, send email to listserv AT listserv.temple DOT edu and type
"signoff networker" in the body of the email. Please write to networker-request
AT listserv.temple DOT edu if you have any problems with this list. You can access the
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
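
Added example, not part of the original thread: a small Python comparison of the two orderings behind the reply's remark that backup-software encryption costs you compression while drive-based encryption does not. Assumptions: `zlib` stands in for the drive's hardware compression, a SHA-256 counter-mode keystream stands in for the real cipher, the backup stream is constructed sample data, and all function names are hypothetical.

```python
import hashlib
import zlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), for illustration only.
    It is not the drive's cipher; it just produces random-looking output."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)

def software_encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    """Backup-software encryption: the drive's compressor only sees ciphertext."""
    return zlib.compress(keystream_xor(key, data))

def drive_compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    """Drive-based encryption: compress first, then encrypt the smaller stream."""
    return keystream_xor(key, zlib.compress(data))

def restore_drive_path(key: bytes, blob: bytes) -> bytes:
    """Reverse of the drive path: decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, blob))

def sample_backup_stream(lines: int = 20000) -> bytes:
    """Constructed sample: repetitive log-like text, typical of compressible data."""
    return b"".join(
        b"host%03d app[%d]: request served status=200 bytes=%d\n"
        % (i % 50, 1000 + i % 7, i)
        for i in range(lines)
    )

def compare(key: bytes = b"constructed-demo-key") -> dict:
    """Return bytes written to tape for each ordering, plus the raw size."""
    data = sample_backup_stream()
    software = software_encrypt_then_compress(key, data)
    drive = drive_compress_then_encrypt(key, data)
    if restore_drive_path(key, drive) != data:
        raise ValueError("drive-path round trip failed")
    return {"raw": len(data), "software_first": len(software),
            "drive_based": len(drive)}

if __name__ == "__main__":
    sizes = compare()
    for name, size in sizes.items():
        print(f"{name:>15}: {size:>9} bytes ({size / sizes['raw']:.2f}x of raw)")
```
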