Admin Alert: Four Ways to Encrypt i5/OS Backups, Part 2
May 20, 2009 Joe Hertvik
In the last Admin Alert, I started discussing four techniques for encrypting i5/OS backups for greater protection and to satisfy auditors and government agencies. Last week, I focused on software techniques. This week, I’ll turn my attention to hardware-based encryption techniques. I’ll look at what options are available when you purchase specific hardware for your system and how those devices affect your backup strategies.
What Hath Come Before
As I explained last week, you generally have four options to encrypt backup media from your i5/OS systems.
All of these techniques do the job but they also exact some sort of processing price on your system. In general, software-based encryption techniques are prone to the following problems:
If you don’t want to use software-based encryption techniques, you can move to a hardware-based technique. Here’s what I’ve learned about hardware-based encryption and how these techniques affect your backup capabilities.
Hardware Encryption with LTO4 and TS1120 Drives
Hardware encryption is available for i5/OS backups by using Ultrium LTO4 fibre tape drives and TS1120 enterprise tape drives. Both types of drives must be used in conjunction with a tape library to encrypt i5/OS backups (no stand-alone devices).
The benefits of hardware-based encryption are two-fold. First, hardware encryption occurs at the tape drive/tape library level, not at the software level. So you remove the i5/OS processing overhead typically associated with software-based encryption, and your backups should run faster. The second benefit is that because it is not based on the i5/OS operating system, hardware encryption with BRMS can be implemented with earlier i5/OS versions. You are not required to upgrade to i5/OS V6R1 as you would if you were using native i5/OS software encryption.
When using hardware encryption with Ultrium LTO4 tape drives, it’s important to understand that encryption is a standard part of the LTO4 format, which requires that all LTO4 drives be encryption aware. However, encryption aware doesn’t mean that all LTO4 tape drives are encryption-enabled. Implementation of LTO4 encryption is considered optional and some manufacturers may not have enabled encryption capability in their drives. So make sure that any LTO4 drives you purchase are encryption-enabled. Similarly, some of the tape libraries that support TS1120 drives only have on/off capabilities for encryption, which means that you may have to change the library setting to encrypted mode to produce encrypted backups.
LTO4 drives can read LTO2 and LTO3 formatted tapes, but they can write only to LTO3 and LTO4 tapes. This means that you can still read archived backups that were recorded on older tapes. However, encryption is only available on these drives when you write data out to an LTO4 tape; it is not available for LTO3 tapes. One of the downsides in moving to LTO4 encryption technology is that you have to replace your current inventory of backup tapes with brand new LTO4 tapes. This means that if you typically have an inventory of 150 LTO3 tapes that you are going to replace with LTO4 media, at an average cost of $60/tape you could easily spend $9,000 just in swapping out your current tapes. If you’re using a TS1120 drive, you also need encryption-capable media, and you may also need to replace existing media when moving to encrypted backups.
Another problem with using both LTO4 and TS1120 drives is that i5/OS can only attach to and perform encrypted backups using a fibre channel connection between your iSeries, System i, or Power i machine and a fibre connected drive. If you want to use these solutions, you may have to purchase and install an additional dedicated fibre channel IOP card to support the drive. Also, i5/OS can only support Library Managed Encryption (LME); it cannot perform System Managed Encryption (SME) or Application Managed Encryption. This means that i5/OS data cannot be encrypted to a stand-alone LTO4 or TS1120 drive unit; your system must be connected to an encryption-capable drive that resides in a tape library unit in order to perform encrypted backups.
In addition to the drives themselves, you will also need to run an Encryption Key Manager (EKM) server on at least one other server besides the i5/OS partition that you are backing up. The tape library talks to the EKM to retrieve the encryption keys. IBM recommends that you have multiple EKMs present in your network (at least two) and at any recovery sites so that the tape library can always find the keys. The EKM software is a no-charge Java-based offering that runs on i5/OS, AIX, Linux, z/OS, Windows, HP, and Sun servers, so you can install it on other pieces of hardware.
Finally, similar to the issues I discussed last week with software encryption solutions, hardware encrypted backups can be challenging when restoring your system. The backup and restore process will be more complicated because you will need to devise a technique to restore the operating system and the EKM first before restoring objects on your encrypted backup.
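The two paragraphs above describe a dependency that is easy to lose track of in a recovery: an encrypted tape is only restorable if a key manager holding that tape’s key is reachable from the site doing the restore, and IBM’s advice to run at least two EKMs (including at recovery sites) exists to protect that dependency. The following check is an added example written for this article; it is not IBM’s EKM software or protocol, and the EKM names, site names, volume names and key labels are constructed. It walks a tape inventory and reports, per encrypted volume, whether its key is held by no EKM at all, by fewer than two EKMs, or by no EKM at the designated recovery site.

```python
"""Recovery-readiness check for library-managed tape encryption.

Added example, not from the article or from IBM's EKM product. It models the
dependency the article describes: an encrypted tape can only be restored if an
EKM holding that tape's key is reachable from the site doing the restore.
All names and key labels below are constructed (hypothetical).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Ekm:
    """A key manager instance: where it runs and which key labels it serves."""
    name: str
    site: str
    keys: FrozenSet[str]


@dataclass(frozen=True)
class Tape:
    """A backup volume and the label of the key that encrypted it (None = clear)."""
    volume: str
    key_label: Optional[str]


def ekms_holding(label: str, ekms: List[Ekm]) -> List[Ekm]:
    """Return the key managers that can serve the given key label."""
    return [e for e in ekms if label in e.keys]


def check_recovery(tapes: List[Tape], ekms: List[Ekm],
                   recovery_site: str, min_copies: int = 2) -> Dict[str, List[str]]:
    """Report, per encrypted volume, why a restore could be blocked.

    An empty list means the volume's key is held redundantly and is served
    at the recovery site. Possible findings:
      - no EKM holds the key (the data on that tape is unrecoverable);
      - fewer than min_copies EKMs hold it (single point of failure);
      - no EKM at the recovery site holds it (a restore there cannot fetch it).
    Clear-text volumes have no key dependency and are skipped.
    """
    report: Dict[str, List[str]] = {}
    for tape in tapes:
        if tape.key_label is None:
            continue
        holders = ekms_holding(tape.key_label, ekms)
        problems: List[str] = []
        if not holders:
            problems.append("no EKM holds key %s" % tape.key_label)
        else:
            if len(holders) < min_copies:
                problems.append("only %d EKM(s) hold key %s"
                                % (len(holders), tape.key_label))
            if not any(e.site == recovery_site for e in holders):
                problems.append("no EKM at %s holds key %s"
                                % (recovery_site, tape.key_label))
        report[tape.volume] = problems
    return report


# Constructed sample inventory (hypothetical names, not from the article).
EKMS = [
    Ekm("ekm-prod-1", "primary", frozenset({"KEY-2009-Q1", "KEY-2009-Q2"})),
    Ekm("ekm-prod-2", "primary", frozenset({"KEY-2009-Q1", "KEY-2009-Q2"})),
    Ekm("ekm-dr-1", "recovery", frozenset({"KEY-2009-Q1"})),
]
TAPES = [
    Tape("VOL001", "KEY-2009-Q1"),   # held at both sites, redundantly
    Tape("VOL002", "KEY-2009-Q2"),   # redundant, but not at the recovery site
    Tape("VOL003", "KEY-2008-Q4"),   # key no longer held anywhere
    Tape("VOL004", None),            # unencrypted archive tape
]


def sample_report() -> Dict[str, List[str]]:
    """Run the check against the constructed inventory."""
    return check_recovery(TAPES, EKMS, recovery_site="recovery")


if __name__ == "__main__":
    for volume, problems in sample_report().items():
        print(volume, "OK" if not problems else "; ".join(problems))
```

Run as a script, the check flags VOL002 (key present only at the primary site) and VOL003 (key retired) while passing VOL001; the same function can be pointed at a real inventory export once the EKM key lists are filled in from your own key-manager configuration.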
Non-IBM Hardware Encryption with 10ZiG Tape Drives
In addition to using LTO4 and TS1120 tape drives and libraries for hardware encryption, 10ZiG Technology (formerly BOSaNOVA) also offers its Q3i tape drive with built-in encryption capabilities. The Q3i is unique because it encrypts backups to LTO2 and LTO3 tapes (but not LTO4), so you can continue to use your existing inventory of LTO backup tapes (i.e., you wouldn’t have to cycle out old tapes if your current technology uses LTO2 or LTO3 tapes).
The Q3i also works with any host with SCSI LVD, SCSI HVD, iSCSI, or Fibre Channel connectivity, so i5/OS encrypted backups are not a problem. Key management is performed by entering keys into the product’s GUI, and an optional hardware key can be used to provide additional protection. So there is no need to set up an external Encryption Key Manager server. Finally, 10ZiG states that the Q3i works with existing operating system versions and backup software, so there may be no need to change your existing backup routines to use this drive.
When looking at the Q3i, the biggest downside is that LTO3 tapes only have a native backup capacity of 400 GB and a possible compressed capacity of 800 GB at a 2:1 ratio, versus LTO4 tapes’ native capacity of 800 GB and a possible compressed capacity of 1600 GB at a 2:1 ratio. So while you can remain with older tape media technology with the Q3i, you also remain with the lower tape capacity. Note, however, that this same limitation exists for any software or hardware that allows you to produce encrypted backups to LTO3 tapes.
Hardware Encryption Through an Inline Appliance Solution
If you want to add encrypted backup capability to your existing backup scenario, the final option is to use an inline encryption device or appliance. An inline device is inserted between your i5/OS partition and its companion tape drive, and it encrypts the data on the fly as it is sent to the drive. Encryption devices offer the following advantages over using other methods.
One of the more popular encryption appliances is DISUK’s Paranoia3 In-line Tape Encryption unit. In North America, DISUK has OEMed the entire range of Paranoia products to 10ZiG, which are marketed as the Q3e and Q3 Backup Storage Security Encryption appliances. Paranoia and Q3 products are also distributed by Avax International and Midland Information Systems in North America. The FalconStor Virtual Tape Library (VTL) also offers encryption for i5/OS data that is exported to physical tape.
Like the other techniques, there are a few disadvantages to using these devices. Unlike the LTO4 and TS1120 tape drives, some inline encryption device versions cannot be inserted into an i5/OS backup chain that is connected via fibre channel technology. These devices may only be compatible with Ultra Fast Wide SCSI LVD, S/E or HVD interfaces. So if you’re looking at an inline appliance, be sure to match up your available IOPs with the supported interfaces on the drives. You’ll also need to purchase additional encryption devices if you’re performing a disaster recovery drill or running a Capacity BackUp (CBU) unit in a second location.
One Destination, Four Paths
In the last two weeks, I attempted to provide a high level overview of how you can encrypt your tape backups. My hope is that you can use this information as a springboard for your own research when you need to implement your own backup encryption solution.