Hardware Encryption

Overview

Several tape drives, such as LTO4, support encryption of data on the drive itself. These drives expose the necessary controls to backup applications to query their encryption capabilities and to set encryption properties on the drive. Some tape libraries also provide key management services. SnapProtect's Hardware Encryption feature provides key management for those tape libraries that do not support key management themselves.

Key Management for Hardware Encryption can be enabled in one of the two ways:

  1. SnapProtect Software managing the encryption keys
  2. Hardware/Library managing the encryption keys

SnapProtect Software Managing the Encryption Keys

If the library does not have a license to enable the key management, then you can enable it from the Storage Policy copy level.

Key management includes the ability to generate random encryption keys for stored data and to manage the secure storage of those keys. It also includes supplying a random encryption key to the tape drive, which performs the actual encryption and decryption of the data. A separate random key is generated for each chunk on the media so that the strength of the encryption is as high as possible. If all the data on a medium were encrypted with the same key, the compromise of that single key would expose everything on it, so the protection would be weaker.

This random key is generated based on FIPS (Federal Information Processing Standard) standards and the same key is not reused for other backup data.

Hardware encryption must be established for each data path and is only available for data paths that direct data to tape libraries.

For each data protection operation, the software checks whether the drive supports encryption. If it does, the software provides the encryption key, which is stored in the CommServe Database Engine when the chunk is written to the media. The key is stored only after being scrambled with a proprietary encryption.

The encryption key gets deleted when the data for that chunk is pruned.

  • Hardware encryption must be enabled only when the drives associated with the data path support encryption. If this option is enabled and the hardware does not support encryption, jobs using the data path will go Pending.
  • For Data Recovery and Auxiliary Copy operations using the CommCell Console, the specific key will be automatically provided by the software for each chunk.
  • For Data Recovery operations using the Media Explorer, an option to store the encryption key on the media is provided in the data path.
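The key-management behaviour described above (one fresh random key per chunk, the key kept only in wrapped form in a central database, and the key deleted when the chunk is pruned) can be modelled in a few dozen lines. The following is an added illustration and is not SnapProtect code: the product's proprietary key scrambling is not reproduced, and the wrapping scheme used here (an HMAC-SHA256 keystream with an HMAC tag under a separate key-encryption key) and the ChunkKeyStore class are this example's own assumptions, chosen so that it runs on the Python standard library alone.

```python
"""Illustrative per-chunk key management for hardware (tape-drive) encryption.

Added example, not SnapProtect code. The wrapping scheme and class names are
assumptions for the illustration only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

KEY_LEN = 32  # 256-bit data-encryption key (DEK) handed to the drive


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: derive `length` bytes from (kek, nonce)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC the chunk key under the KEK. Output: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def is_valid_wrap(kek: bytes, blob: bytes) -> bool:
    """True if the blob unwraps cleanly under this KEK, False if it was altered."""
    try:
        unwrap_key(kek, blob)
        return True
    except ValueError:
        return False


class ChunkKeyStore:
    """Stands in for the key table the text places in the CommServe database (assumed model)."""

    def __init__(self, kek: bytes) -> None:
        self._kek = kek
        self._wrapped: Dict[Tuple[str, int], bytes] = {}  # (media_id, chunk_no) -> wrapped DEK

    def key_for_new_chunk(self, media_id: str, chunk_no: int) -> bytes:
        """Generate a fresh CSPRNG key for this chunk, store it wrapped, return it to the drive."""
        if (media_id, chunk_no) in self._wrapped:
            raise KeyError("chunk already has a key; keys are never reused")
        dek = secrets.token_bytes(KEY_LEN)
        self._wrapped[(media_id, chunk_no)] = wrap_key(self._kek, dek)
        return dek

    def key_for_restore(self, media_id: str, chunk_no: int) -> bytes:
        """Hand the drive the chunk's key again for a restore or auxiliary copy."""
        return unwrap_key(self._kek, self._wrapped[(media_id, chunk_no)])

    def prune_chunk(self, media_id: str, chunk_no: int) -> None:
        """Pruning deletes the key: the chunk's ciphertext on tape becomes unrecoverable."""
        del self._wrapped[(media_id, chunk_no)]

    def chunk_count(self) -> int:
        return len(self._wrapped)


def demo() -> dict:
    """Walk one backup / restore / prune cycle on a constructed medium and report what happened."""
    store = ChunkKeyStore(kek=secrets.token_bytes(32))
    k0 = store.key_for_new_chunk("TAPE001", 0)  # constructed media id
    k1 = store.key_for_new_chunk("TAPE001", 1)
    restored = store.key_for_restore("TAPE001", 0)
    store.prune_chunk("TAPE001", 0)
    try:
        store.key_for_restore("TAPE001", 0)
        pruned_recoverable = True
    except KeyError:
        pruned_recoverable = False
    return {
        "distinct_keys": k0 != k1,
        "restore_matches": restored == k0,
        "pruned_recoverable": pruned_recoverable,
        "remaining": store.chunk_count(),
    }
```

The design point worth noticing is the one the text makes: because every chunk has its own key, a leaked key exposes one chunk rather than the whole tape, and deleting the wrapped key at prune time is what makes the pruned data unreadable even while the bytes still sit on the cartridge.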

Hardware or Library Managing the Encryption Keys

If you have a hardware vendor license applied on the library for key management, and it is enabled, then no additional SnapProtect license and/or configuration is required. In this scenario, the encryption and key management will be done at the hardware level.

The hardware library generates and stores the encryption keys per media and the hardware drive encrypts the data. Therefore, every backup job written to a specific media will have the same key.

If you have hardware encryption (key management) enabled on the hardware side and also have the hardware encryption option enabled at the storage policy level, the job goes Pending with the message:

"The hardware does not support hardware encryption and hardware encryption option should be disabled at the storage policy level".

This ensures that key management is enabled in only one of the two available ways.

Enable or Disable Hardware Encryption

To enable or disable hardware encryption:

  1. From the CommCell Browser, expand Policies | Storage Policies | <Storage Policy>.
  2. Right-click the appropriate storage policy copy and click Properties.
  3. In the Copy Properties dialog box, click the Data Paths tab, select the appropriate data path, and then click Properties.
  4. In the Data Path Properties dialog box, click the Use Hardware Encryption check box to enable.

    Clear this option to disable.

  5. A message appears asking whether the drives in the library support data encryption. Click Yes.
  6. If enabled, select one of the following options:
    • Via Media Password to store the encryption keys on the media.
    • No Access to not store the encryption keys on the media.
  7. Click OK and then click OK to close the Copy Properties dialog box.

License Requirement

Hardware Encryption requires the following traditional license:

Feature                                 License Type      License Consumption
Hardware Encryption and Key Management  Data Encryption   1 license per CommCell

For comprehensive information on licensing, see License Administration.

Support

Hardware encryption is supported by all MediaAgents, provided the devices attached to those MediaAgents support encryption. Note that hardware encryption is supported only by tape libraries; it is not applicable to disk libraries.

Performing Hardware Encryption Configurations from the Command Line Interface

You can use the SetDataPathProperty qscript to set Hardware Encryption on a storage policy copy, on all data paths in the CommCell, on all data paths of a given library and MediaAgent, or on a single data path.

Setting the Hardware Encryption for a Storage Policy Copy

  • To disable Hardware Encryption:

    qoperation execscript -sn SetDataPathProperty -si HardwareEncryption -si SP-Copy -si <Storage_Policy_Name> -si <Storage_Policy_Copy_Name> -si 0

  • To enable Hardware Encryption via Media Password:

    qoperation execscript -sn SetDataPathProperty -si HardwareEncryption -si SP-Copy -si <Storage_Policy_Name> -si <Storage_Policy_Copy_Name> -si 1

  • To enable Hardware Encryption with No Access:

    qoperation execscript -sn SetDataPathProperty -si HardwareEncryption -si SP-Copy -si <Storage_Policy_Name> -si <Storage_Policy_Copy_Name> -si 2

Setting the Hardware Encryption for all Data Paths in a CommCell

  • To disable Hardware Encryption:

    qoperation execscript -sn SetDataPathProperty -si HardwareEncryption -si All -si 0

  • To enable Hardware Encryption via Media Password:

    qoperation execscript -sn SetDataPathProperty -si HardwareEncryption -si All -si 1

  • To enable Hardware Encryption with No Access:

    qoperation execscript -sn SetDataPathProperty -si HardwareEncryption -si All -si 2

Setting the Hardware Encryption for All Data Paths of a Given Library and MediaAgent

  • To disable Hardware Encryption:

    qoperation execscript -sn SetDataPathProperty -si HardwareEncryption -si Lib-MA -si <Library_Name> -si <MediaAgent_Name> -si 0

  • To enable Hardware Encryption via Media Password:

    qoperation execscript -sn SetDataPathProperty -si HardwareEncryption -si Lib-MA -si <Library_Name> -si <MediaAgent_Name> -si 1

  • To enable Hardware Encryption with No Access:

    qoperation execscript -sn SetDataPathProperty -si HardwareEncryption -si Lib-MA -si <Library_Name> -si <MediaAgent_Name> -si 2

Setting the Hardware Encryption for a Given Data Path

  • To disable Hardware Encryption:

    qoperation execscript -sn SetDataPathProperty -si HardwareEncryption -si datapath -si <Storage_Policy_Name> -si <Storage_Policy_Copy_Name> -si <MediaAgent_Name> -si <Library_Name> -si <Drive_Pool_Name> -si <Scratch_Pool_Name> -si 0

  • To enable Hardware Encryption via Media Password:

    qoperation execscript -sn SetDataPathProperty -si HardwareEncryption -si datapath -si <Storage_Policy_Name> -si <Storage_Policy_Copy_Name> -si <MediaAgent_Name> -si <Library_Name> -si <Drive_Pool_Name> -si <Scratch_Pool_Name> -si 1

  • To enable Hardware Encryption with No Access:

    qoperation execscript -sn SetDataPathProperty -si HardwareEncryption -si datapath -si <Storage_Policy_Name> -si <Storage_Policy_Copy_Name> -si <MediaAgent_Name> -si <Library_Name> -si <Drive_Pool_Name> -si <Scratch_Pool_Name> -si 2
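When the same setting has to be applied across many storage policies, it helps to build the invocations programmatically so that the scope keyword, the order of the names and the numeric mode can't be mixed up. The helper below is an added example, not part of SnapProtect; the four scope keywords, their argument order and the 0/1/2 mode values are taken from the commands on this page, while the Python-side scope and mode names (copy, all, lib_ma, datapath; disable, media_password, no_access) are this helper's own convention. Running the command requires a host with qoperation on the PATH and a logged-in session, so by default it only returns the argument vector.

```python
"""Build (and optionally run) SetDataPathProperty qscript invocations.

Added example, not SnapProtect code. Scope/mode names on the Python side are
this helper's own convention; the qoperation arguments follow the page.
"""
import subprocess
from typing import List

# Human-readable mode -> value the qscript expects (from the page)
MODES = {"disable": "0", "media_password": "1", "no_access": "2"}

# scope -> (qscript keyword, names it takes, in the order the qscript expects)
SCOPES = {
    "copy": ("SP-Copy", ["storage_policy", "copy"]),
    "all": ("All", []),
    "lib_ma": ("Lib-MA", ["library", "media_agent"]),
    "datapath": ("datapath", ["storage_policy", "copy", "media_agent",
                              "library", "drive_pool", "scratch_pool"]),
}


def build_command(scope: str, mode: str, *names: str) -> List[str]:
    """Return argv for qoperation; raise ValueError on a bad scope, bad mode or wrong arity."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {sorted(MODES)}, got {mode!r}")
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {sorted(SCOPES)}, got {scope!r}")
    keyword, params = SCOPES[scope]
    if len(names) != len(params):
        raise ValueError(f"scope {scope!r} takes {len(params)} names {params}, got {len(names)}")
    argv = ["qoperation", "execscript", "-sn", "SetDataPathProperty",
            "-si", "HardwareEncryption", "-si", keyword]
    for name in names:
        argv += ["-si", name]
    argv += ["-si", MODES[mode]]
    return argv


def command_is_valid(scope: str, mode: str, *names: str) -> bool:
    """True if build_command would accept these arguments."""
    try:
        build_command(scope, mode, *names)
        return True
    except ValueError:
        return False


def set_hardware_encryption(scope: str, mode: str, *names: str, run: bool = False) -> List[str]:
    """Validate the request and, if run=True, execute it; the argv is returned either way."""
    argv = build_command(scope, mode, *names)
    if run:
        subprocess.run(argv, check=True)  # raises CalledProcessError on a non-zero exit
    return argv


if __name__ == "__main__":
    # Constructed names; prints the command without executing it
    print(" ".join(set_hardware_encryption("copy", "media_password", "SP_Finance", "Primary")))
```

Keeping the arity check in one place means a loop over a list of (storage policy, copy) pairs fails fast on a malformed entry instead of sending a truncated argument list to the CommServe.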

Related Reports

Jobs in Storage Policy Copies Report

The Jobs in Storage Policy Copies Report lists data encryption jobs and marks hardware-encrypted jobs with the superscript HE (Hardware Encryption).

For comprehensive information on this report, refer to Jobs in Storage Policy Copies Report.