Encrypting tape: Software vs. hardware and key management

Encrypting data is a high priority for businesses these days. This tip will help you become familiar with the formats of encryption and the importance of key management.

What you will learn from this tip: Encrypting data is a high priority for businesses these days. Become familiar with the formats of encryption and the importance of key management.

Encrypting backup tapes isn't so much a question of "if" but "when," which means a lot of enterprises are struggling with the question of "how."

The two major approaches to tape encryption involve using software or specialized hardware. Both have drawbacks and the choice ultimately comes down to the balancing those drawbacks against the characteristics of the particular enterprise.

Drawbacks or not, tape encryption is bearing down on IT like a rapidly approaching freight train.

"This is one area where CEOs are not going to wait for regulations," Ravi Chalaka, vice president of marketing for Maxxan Systems, a San Jose, Calif.-based maker of virtual tape libraries (VTL) says. Recent legislation, notably in California, has forced companies to disclose losses of customer information, resulting in a flood of news reports as major banks and others have announced the possible compromise of tapes containing the data of millions of customers. The resulting bad publicity has helped to make companies extremely sensitive, Chalaka says, and is driving them to encrypt their backups.

However, Chalaka notes that only about 25% of companies encrypt their tapes today. The result is a mad scramble for tape encryption in enterprises of all sizes -- and a flood of announcements of tape encryption products.

There are a number of hardware and software approaches to encryption available. Most major tape software vendors offer encryption as an option, and there are a number of encryption appliances from companies like Avax International Inc. and Decru Inc. that use hardware to handle the encryption. There are also specialized hardware products, such as the one from Intradyn Inc., which encrypts e-mail backups. A number of stand-alone software packages, such as Alliance for the IBM iSeries from Patrick Townsend & Associates, are also available.

The major advantages of the encryption appliances are flexibility and speed. Their disadvantages are cost and lack of scalability. Software encryption is cheaper, but slower.

Encryption, to a secure level, is a compute-intensive process, especially when it's being done on the scale of a full backup. Software encryption is slower and can prolong an already-tight backup in progress. Furthermore, encryption appliances are usually able to handle anything that is being backed up, no matter what the operating system, file structure or other characteristics.

One way to work around the disadvantages of tape encryption is to limit what is encrypted. Rather than encrypting all the backed-up data, only encrypt the most critical information, such as customer data. This is a common strategy, especially in enterprises using software encryption.

Currently, Chalaka says, most enterprises that encrypt their tapes are using software encryption; hardware encryption is just beginning to take hold in the market.

Using any kind of tape encryption means dealing with key management. If the keys are lost or corrupted the tapes are unreadable, and if they are compromised the security is compromised as well. Before you begin using any type of tape encryption, you must have an effective, robust and secure method of key management in place.

"We need an architecture that will encrypt without any degradation of performance, [and] at the same time be able to scale and be able to do all this with simple, effective key management," Chalaka says.

Until that architecture arrives, storage administrators will have some painful choices -- but most of them will still encrypt their tapes.

For more information:

How to keep stored data out of enemy hands

About the author: Rick Cook has been writing about mass storage since the days when the term meant an 80 K floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last 20 years, he has been a freelance writer specializing in storage and other computer issues.

This was first published in July 2005

Dig Deeper on Secure data storage



Find more PRO+ content and other member only offers, here.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:



  • Tintri VMstore T5000

    Like all of its VM-aware storage systems, Tintri’s first all-flash array -- the Tintri VMstore T5000 -- allows admins to bypass ...

  • SolidFire SF9605

    The high-capacity SolidFire SF9605 uses SolidFire’s Element OS 8 (Oxygen) to deliver new enterprise features such as synchronous ...

  • HPE 3PAR StoreServ 20850

    HPE 3PAR StoreServ 20850 holds 1,024 solid-state drives (SSDs). Hewlett Packard Enterprise claims it can deliver more than three ...





  • Asigra Cloud Backup Version 13

    Asigra Cloud Backup Version 13 provides an AWS Elastic Block Store Snapshot Manager and the ability to support Docker container ...

  • Veeam Availability Suite v8

    Veeam Availability Suite v8 offers several key backup software components in one package, including Veeam Cloud Connect, Snapshot...

  • Druva inSync 5.5

    Druva inSync 5.5 endpoint backup software stands out with its proactive compliance, cloud app integration, full text search and ...