This article can also be found in the Premium Editorial Download "Storage magazine: New rules change data retention game."
Where should encryption reside?
With stories of lost tape media regularly making headlines, "encryption is the killer app for tape," says Dave Kenyon, Sun's director of enterprise tape automation. But questions remain about the role tape libraries should play in the management of encrypted data, or whether they should play any role at all.
The need to encrypt data stored on tape is becoming a given, more for political than technical reasons. "There is no knowledge of where anyone has read data from a lost tape," says Molly Rector, Spectra Logic's director of technical marketing. "Yet publicly traded companies must make public announcements when a tape is lost. Encrypting data on the tape would prevent companies from having to make this announcement, thereby saving them face."
The two main questions in this debate are what device or application should do the encryption and how the keys should be managed. Tape library vendors mostly agree that encryption belongs in the tape drive. While backup software products like Symantec Corp.'s Veritas NetBackup offer encryption as an option, this approach unnecessarily locks users into a specific application and requires that application to be available before data can be decrypted and restored.
Allowing the tape drive to perform encryption has a number of benefits. It largely removes the potentially proprietary nature that encrypted data takes on when the backup software does the encryption. Tape drives aren't
Spectra Logic offers an option to handle the CPU overhead created by the encryption process, which takes place outside of the tape library. The optional Quad Interface Processor (QIP) module for its Spectra T950 library acts as a switch between the SAN-attached Fibre Channel (FC) port and internal FC tape drive. This module handles the processing associated with encryption. Whether other tape library vendors will offer a similar module is questionable at this time. The Sun StorageTek Crypto-Ready T10000 encrypting tape drive relies on Sun's Crypto Key Management Station (KMS), an appliance built on a Sun workstation, for its key management.
This was first published in September 2007