Encryption key management

Tags: Data Encryption, Encryption keys, Research Assistant, SAN switches, Tape drives
Looking for info on encryption of data for backup purposes, either at the tape drive, VTL, SAN switch or some type of appliance in the backup path. Encryption key management is more critical than the encryption solution. This request for help was originally submitted to the Research Assistant on WhatIs.com.

Answer Wiki


<b>From OSSG</b>: Encryption is a tool that needs a very clear objective. You can put it on most any level of the backup flow, but each level has its own risk characteristics.

Most people simply want to avoid headlines like “company xyz lost a backup tape with 2.99E8 customer credit card numbers on it”. This can be done with tape encryption.

Tape encryption can be done several ways: on the host or on the tape device are the most common. Most current lines of tape drives have encryption built in. LTO4 and IBM's Jaguar drives both do, but LTO3 and before do not. If your drives themselves will do the encryption, this usually allows you to continue using compression, as they will compress the data and then encrypt it. Performing the encryption somewhere else will add entropy to the data, rendering it uncompressible. Drive-based encryption also prevents your backup host from having to do a fairly processor-intensive encryption task on top of its usual workload.

Once you know how you will do your encryption, you need to start worrying about a key manager. If you have your host perform the backups, it will have to manage the keys. Your tape vendor should also be able to provide a key manager that can either work on its own or interface with a host's key manager. The goal is to have the private keys available in case of a restore, even if the site (or key management server) is compromised. The best way to do this is to have the key manager database replicated or copied off site in a secure manner.
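The following script is an added illustration of two points made in the answer above; it is not code from the original thread or from any tape or key-manager vendor. The first half measures what happens to the tape's compression when data is encrypted on the host before it reaches the drive versus compressed first and then encrypted (the LTO4 ordering). The second half shows the shape of an off-site escrow record: each tape's data-encryption key (DEK) is wrapped under a key-encryption key (KEK) and bound to the tape id with an integrity tag, so the key database can be replicated off site and still restore a tape after the primary key server is gone. The stream cipher is a toy built from HMAC-SHA256 in counter mode so that the script runs on a bare Python install; the keys, tape id and backup stream are constructed for the demo. A real deployment uses AES (for example the drive's own AES-256-GCM) and a hardware-protected KEK, not this construction.

```python
"""Added demo (not from the original thread): compression order and DEK escrow."""
import hashlib
import hmac
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-mode cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.
    Symmetric, so the same call both encrypts and decrypts. Illustration only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def sample_tape_image(size: int = 64 * 1024) -> bytes:
    """Constructed sample input: a highly repetitive backup stream, as most
    file-system and database backups are."""
    line = b"2024-01-01 00:00:00 host01 backupd: copied /srv/data/customer_records.db seg\n"
    return (line * (size // len(line) + 1))[:size]


def compress_ratio(data: bytes) -> float:
    return len(zlib.compress(data)) / len(data)


def compare_orders(dek: bytes, nonce: bytes, image: bytes) -> dict:
    """Bytes written to tape per byte of source data for both orderings."""
    drive_side = keystream_xor(dek, nonce, zlib.compress(image))  # compress, then encrypt
    host_side = zlib.compress(keystream_xor(dek, nonce, image))   # encrypt on host, drive compresses
    return {
        "plain": compress_ratio(image),
        "compress_then_encrypt": len(drive_side) / len(image),
        "encrypt_then_compress": len(host_side) / len(image),
    }


def restore(dek: bytes, nonce: bytes, tape_bytes: bytes) -> bytes:
    """Inverse of compress-then-encrypt: decrypt, then inflate."""
    return zlib.decompress(keystream_xor(dek, nonce, tape_bytes))


# --- off-site key escrow -----------------------------------------------------

def wrap_dek(kek: bytes, tape_id: str, dek: bytes) -> dict:
    """Encrypt a tape's DEK under the KEK and bind it to the tape id with an HMAC.
    The record is safe to replicate off site; only the KEK needs protecting
    (HSM, or split among custodians)."""
    nonce = hashlib.sha256(b"wrap:" + tape_id.encode()).digest()[:16]
    wrapped = keystream_xor(kek, nonce, dek)
    tag = hmac.new(kek, tape_id.encode() + wrapped, hashlib.sha256).hexdigest()
    return {"tape_id": tape_id, "wrapped_dek": wrapped.hex(), "tag": tag}


def unwrap_dek(kek: bytes, record: dict) -> bytes:
    """Recover the DEK from an escrow record; fail closed on a wrong KEK or a
    tampered record rather than returning a garbage key."""
    wrapped = bytes.fromhex(record["wrapped_dek"])
    expected = hmac.new(kek, record["tape_id"].encode() + wrapped, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong KEK or corrupted escrow record for " + record["tape_id"])
    nonce = hashlib.sha256(b"wrap:" + record["tape_id"].encode()).digest()[:16]
    return keystream_xor(kek, nonce, wrapped)


def demo():
    """Run both halves; returns (compression ratios, restore-from-escrow succeeded)."""
    # Constructed demo keys; real DEKs come from the key manager's RNG.
    kek = hashlib.sha256(b"offsite-kek-demo").digest()
    dek = hashlib.sha256(b"tape-000123-dek-demo").digest()
    nonce = b"\x00" * 16
    image = sample_tape_image()
    ratios = compare_orders(dek, nonce, image)
    tape = keystream_xor(dek, nonce, zlib.compress(image))  # what the drive writes
    escrow = wrap_dek(kek, "TAPE000123", dek)               # what gets copied off site
    restored = restore(unwrap_dek(kek, escrow), nonce, tape)
    return ratios, restored == image


if __name__ == "__main__":
    ratios, ok = demo()
    for name, ratio in ratios.items():
        print(f"{name:>22}: {ratio:.4f} tape bytes per source byte")
    print("restore from escrow copy:", "ok" if ok else "FAILED")
```

Running it shows the drive-side ordering writing well under a tenth of the source size while the host-encrypted stream comes out slightly larger than the source, because a sound cipher leaves nothing for the drive's compressor to find. The escrow half is the part to think about before you need it: keep the KEK somewhere that survives loss of the site, and test a restore from the off-site copy of the key database, not just from the live key server.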

<b>From Jervin</b>: SAN encryption is also available, on fibre channel and IP SANs, which would offer a different level of protection for data “inside the building.” Key management can be handled at the host level, or tied in with other security efforts. [In addition to tape,] you should also look at encrypting the disk drives of any system you have, especially if it is accessible via the outside, or leaves the building: laptops, webservers or mail servers that have access to sensitive data in the intranet, and so on.

Discuss This Question: 1  Reply

  • Kevin Beaver
    Check out the solutions that nuBridges has to offer... they may have what you're looking for.
