Encrypting/protecting tapes

[RoyG]

Hello,

We like to protected our tapes by encrypting them or protect them with a password. I see Legato is talking about password protection and encrypting in their whitepapers but no word on how to do it.

Has somebody any idea on how to protecd the tapes and prevent another person from reading the data?

 

[sdeb]

Yes, hide them ! (just a joke).

I think that it only concerns "User backups" but I'm probably wrong.

You simply have to check a box if you want to encrypt and
another one if you want to protect your backup (and then you must specify a password).
The password must be specified for the restauration.

The problem with passwords is that we forgot them so ...
I personnaly never use them.
If you want to protect your tape, and if you could do it,
you'd better have to put it somewhere this person cannot access.

 

[cptb]

You can set up directives with encryptasm and password protection on Windows platform. I don't think that's an option on Unix. Legato will enhance their security on the next version of NetWorker(7) but it will only be encryption of data traffic. Not on Tape, becuse they feel that tapes should be secured in a safe and in the robot anyway.

 

[tremblyj]

Hi,

This encryption stuff is for backup software which is unsecured. Legato has so much anti-piracy schemes built into their registration process that it would be like breaking into Fort Knox for a couple of gold bars !!!!

I think that the fact that if someone were to get a hold of your backup tapes, they would need to restore the Networker server from them using the SSID number that corresponds to that particular tape. They would also have to have the identical hardware that your backup server has as well as the identcal partitioning scheme and your Legato Base Enabler as well as your Registration ID from Legato which you obtained with your system ID and your Base Enabler which is based on your H/W config and partion setup.

Honestly, how likely is it for a person to accomplish all of these things ? The only person who could do it would be YOU !!!! You're the ONLY person that your organization should be concerned about. Are you going to steal your own backup tape and the base enabler and the system ID and the SSID and get an IDENTICAL machine and restore an IDENTICAL version of your Networker server and then try to get data off of the tape.

It would be easier to steal the backup server itself...

: )

 

[cptb]

Hold your horses..
To be able to read someone elses tapes you would Only have to have the same type of tapedrives and server name. Just mount the tape and run scanner ( -i \\.\Tape0) to rebulid the the indexes and mediadatabases. Then you're up and running. Great isn't it?

 

[tremblyj]

Have you ever tested that ?

 

[teopl]

tremblyj,

cptb is right. I assume by "mount" he means insert the tape into the drive, because you don't have to mount the tape with Networker to run scanner. You'll actually find it won't mount a tape not in the media database.

When you do a disaster recovery or move your server, you'll find that after restoring the resource files and media database that you have 15 days to enter the enabler codes to continue backups. Recoveries aren't disabled at that time, and since that's what you'd want to do if you have a stack of tapes, seems like it shouldn't be a problem.

The client that you're recovering to must match the OS of the client you're recovering, but we've recovered from tapes that were saved to a UNIX Networker server using an NT Networker server, just by scanning in the savesets we needed and doing a command-line recover for that saveset.

-John

 

[tremblyj]

So does anyone know how to turn on encryption ?

: )

 

[cptb]

Use local or central directives with xlateasm.