BackBox® H4.00 Tape Encryption Option
HP Part Number: 748419-002
Published: March 2014
Edition: G06.24, H06.06 or J06.
Legal Notice © Copyright 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Table of Contents

Introduction
    SUPPORTED OPERATIONAL ENVIRONMENTS
    BACKBOX VTC ENCRYPTION CHARACTERISTICS
    Key Manager Server
Configuration

Introduction

This manual documents the tape encryption provided by the BackBox software running in VTC servers. These manuals can help during the configuration and operation of tape encryption:

• BackBox User Manual: general BackBox user manual.
• BackPak Troubleshooting and Messages Manual: list of EMS error messages generated by the BackPak products.

Tape volumes can be encrypted by the BackBox VTC software or by the storage subsystem where the media is written by BackBox.
BackBox VTC encryption characteristics

The BackBox VTC tape emulation performs block-level encryption. Block-level encryption permits compression of each clear block of data before encrypting it. This improves the utilization of the storage while keeping the data at rest secure. The BackBox tape emulation implements the IEEE P1619.1 standard for tape-based encryption, using the Advanced Encryption Standard algorithm in Galois/Counter Mode (known as AES-GCM).
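The compress-before-encrypt order described above, as an added Go example that is not BackBox code and does not reproduce the P1619.1 on-media format. The framing is an assumption made for illustration: a random 96-bit nonce prefixes each block, and the string "VE1001/7" (volume label and block number) is bound as associated data; the function names, the key and the sample block are constructed.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func deflate(b []byte) []byte {
	var z bytes.Buffer
	w := must(flate.NewWriter(&z, flate.BestCompression))
	w.Write(b)
	w.Close()
	return z.Bytes()
}
func inflate(b []byte) ([]byte, error) { return io.ReadAll(flate.NewReader(bytes.NewReader(b))) }

// seal returns nonce || ciphertext || tag; aad pins the block to its volume and position.
func seal(key, data []byte, aad string) []byte {
	a := gcm(key) // a 32-byte key selects AES-256
	nonce := make([]byte, a.NonceSize())
	must(rand.Read(nonce)) // fresh nonce per block: never reuse one under the same key
	return a.Seal(nonce, nonce, data, []byte(aad))
}

// unseal verifies the tag first; nothing is decompressed unless it checks out.
func unseal(key, sealed []byte, aad string) ([]byte, error) {
	a := gcm(key)
	n := a.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("block shorter than nonce")
	}
	return a.Open(nil, sealed[:n], sealed[n:], []byte(aad))
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)                      // constructed demo key
	clear := bytes.Repeat([]byte("BACKUP RECORD 0001 "), 1500) // constructed tape block
	good := seal(key, deflate(clear), "VE1001/7")              // compress, then encrypt
	bad := deflate(seal(key, clear, "VE1001/7"))               // wrong order: no saving
	fmt.Println(len(clear), len(good), len(bad))
}
```

The three printed lengths are the clear block, the compress-then-encrypt result and the encrypt-then-compress result; the last is no smaller than the clear block because ciphertext does not compress.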
− the list of possible clients able to reach the Key Manager server.

Key Manager client

BackBox tape emulation software can interact with key management in two different ways:
• For a VLE setup, the client to the Key Manager is the CLIM (for ESKM only).
• For a non-VLE setup, the client is the BackBox software in the VTC (for ESKM or KMIP).
The HP ESKM server generates and stores the keys, usually in a cluster of ESKM servers that replicate the keys to each other. The ESKM clusters could be split across multiple sites for site diversity.
    STORAGE - Status TAPE \NSBLDE4.$VTE400, ENCRYPTION

    Media
      Not present or encryption status unknown
    Drive
      MasterKeyName.... N2108001086022114_S066666C1002541
      KeyAlgorithm..... GCM-AES
      KeySize.......... 256
      KeyGenPolicy..... KeyPerTape

When the KeyPerTape key generation policy is set (via SCF), each tape written by the tape drive will use a unique encryption key. Each time data is rewritten on the media, (e.g.
    STORAGE - Status TAPE \NSBLDE4.$VTE400, ENCRYPTION

    Media
      Not present or encryption status unknown
    Drive
      MasterKeyName.... N2108001086022114_S066666C1002541
      KeyName.......... N2108001086022114_2011023101234
      KeyAlgorithm..... GCM-AES
      KeySize.......... 256
      KeyGenPolicy..... KeyPerDrive

As with KeyPerTape, when the media’s data is rewritten, a Media Key Name is used to identify the key that was used by the tape drive at encryption time.
The illustrations above show examples of drive status of media backup with the current Drive key context. Below are examples for the same media after renewal of the drive encryption key.

    STORAGE - Status TAPE \NSBLDE4.$VTE400, ENCRYPTION

    Media
      KeyName.......... N7566B3CCLAB035D873833A969D0008_BBBBBBBB_1911112113
      KeyAlgorithm..... GCM-AES
      KeySize.......... 256
    Drive
      MasterKeyName.... N2108001086022114_S066666C1002541
      KeyName.......... N2108001086022114_20111118134512
      KeyAlgorithm.....
Non-VLE setup

BackBox software includes a key management client to interface with the Key Manager server. This allows tape encryption on the whole range of NonStop systems. All tape device types supported by BackBox (CART3480, LTO 3 and LTO 4) can encrypt. VTCs are registered as clients to the Key Manager server. In the BackBox configuration, VTCs with licensed encryption devices are named VTC Clients and can be assigned to an ESKM or a KMIP Key manager ID.
• Usage of encryption is not restricted to the LTO 4 media type. LTO 3 and CART3480 can also be used.
• The VTC Client will use the KeyPerTape method when requesting a new key, even if the key generation policy KeyPerDevice is used for VLE-managed LTO 4 devices.
How it works with the BackPak Domain

A BackPak license key must be installed that allows encryption for the VTCs that will encrypt.
The Key manager ID is a logical identifier that becomes important when there is more than one operational Key Manager server in a site and for D/R operations where three duplications are to be managed:
• The replication of encrypted virtual volumes
• The replication of catalogs (BackPak, DSM/TC and TMF catalogs).

Note that the Key Manager ID, which is an arbitrary BackPak ID, is part of the replicated BackPak catalogue; Key Manager IDs must be planned from an enterprise point of view.
Also, each encrypted volume has encryption information in the Volume Details page of the BackBox UI, showing the encryption state when the volume was last written. It is good practice to periodically run the batch job OBB038 (List of encrypted volumes) to keep track of encrypted volumes over time for key management purposes, and to verify that encryption has not been turned off (purposely or accidentally) for volumes that are supposed to be encrypted.
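One way to automate the periodic check recommended above, as an added Go example that is not part of BackBox: it parses a saved BB038 listing and names the volumes that a site list says must be encrypted but that the report does not show. The list of volumes to check, the function names and the sample text are assumptions; the row and trailer layout follows the BB038 report printed later in this manual.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var rowRE = regexp.MustCompile(`^(\S+)\s+\d{4}/\d{2}/\d{2}\s+\S+\s+(\S+)$`)
var countRE = regexp.MustCompile(`^(\d+) printed volumes for Key manager (\S+)$`)

// parseBB038 returns volume label -> key ID. A report whose trailer count or end
// marker is off is rejected, so a cut-off listing is never taken as complete.
func parseBB038(report string) (map[string]string, error) {
	keys, rows, done := map[string]string{}, 0, false
	for _, line := range strings.Split(report, "\n") {
		line = strings.TrimSpace(line)
		if m := rowRE.FindStringSubmatch(line); m != nil {
			keys[m[1]] = m[2]
			rows++
		} else if m := countRE.FindStringSubmatch(line); m != nil {
			if m[1] != fmt.Sprint(rows) {
				return nil, fmt.Errorf("%s: trailer says %s volumes, parsed %d", m[2], m[1], rows)
			}
			rows = 0 // the next Key manager section starts its own count
		} else if line == "End of report BB038" {
			done = true
		}
	}
	if !done || rows != 0 {
		return nil, fmt.Errorf("report is truncated")
	}
	return keys, nil
}

// notEncrypted lists volumes that must be encrypted but are absent from the report.
func notEncrypted(mustEncrypt []string, keys map[string]string) (missing []string) {
	for _, v := range mustEncrypt {
		if _, ok := keys[v]; !ok {
			missing = append(missing, v)
		}
	}
	return missing
}

// Constructed sample in the BB038 layout; VE1020 is deliberately not listed.
const sample = `VE1001 2011/10/27 ASSIGNED BBOX_21F5BD27VE1001D68095D44B400008_111027202410
VE1015 2011/10/27 ASSIGNED BBOX_767FE574VE1015D5C6642F4B230008_111024144520
2 printed volumes for Key manager KM-ESKM
End of report BB038`

func main() {
	keys, err := parseBB038(sample)
	fmt.Println(notEncrypted([]string{"VE1001", "VE1015", "VE1020"}, keys), err)
}
```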
Configuring BackBox software encryption

Enabling encryption in the BackPak Domain

Without the encryption license option, the ‘Key Manager’ tab does not appear and encryption cannot be configured. Encryption is controlled at two levels in the BackPak license key:
• Global control by the Encryption option
• In each VTC, the maximum number of virtual drives operating concurrently with encryption is limited.
Configuring for VLE

Volume Level Encryption requires creation of a security officer to allow a member of the SUPER group to perform VLE operations and configuration tasks.
Step 2. Stop all tape drives emulated by the VTC to update
    NonStop, at the SCF command prompt:
        RESET TAPE $G8*, FORCE

Step 3. Delete the tape drives to change to LTO4 (listed in Step 1)
    NonStop, at the SCF command prompt:
        DELETE TAPE $G86133

Step 4. Stop the VTC Emulator (FC) Service
    In a Remote Desktop session to the VTC:
    In the MS-Windows menu, Administrative tools, select Services.
    Locate the VTC Emulator (FC) service.
    Right-click on it and select Stop.

5.
Step 6. Update the VTC internal configuration
    Windows menu: Start, All Programs, VTC Configuration
    Right-click on the file BBFcEmulPortCfg.xml to edit it with Notepad.
    Replace LTO3 by LTO4 on the devices that will be VLE.
Step 7. Restart the VTC Emulator (FC) Service
    In the MS-Windows menu, Administrative tools, select Services.
    Locate the VTC Emulator (FC) service.
    Right-click on it and select Start.
    If there is a syntax error, the service will stop immediately.
    If the service stops, check the reason in the Event log:
    In the MS-Windows menu, Administrative tools, select Event Viewer, Applications and Services Logs, Virtual Tape Controller.

8.
Step 10. Restart the tape drives emulated by the VTC
    At the SCF command prompt:
        START TAPE $
    Check in EMS the messages reporting the tape drives starting.
    Verify that the NonStop systems recognized the LTO4 media type:
        MEDIACOM INFO TAPEDRIVE
        MEDIACOM - T6028H01 (21JAN2013)
        (C) Copyright 1993-2002, 2004 Hewlett-Packard Company, L.P.
Step 12. Update the Domain configuration with the new drive attributes
    Log in to the BackPak UI and go to the Configuration, VTC page.
    Select the VTC.
    Switch to the configuration Edit mode.
    Select the Refresh tab, select the Guardian node and click the Refresh button; the response time might approach a minute.
    The already configured drives will be updated to LTO4 and VLE.
• Stop the tape drive
• Alter the tape drive with attribute: KEYGENPOLICY NOENCRYPTION
• Start the tape drive
• Check the tape drive status with attribute ENCRYPTION to validate the result

When done, STOP all the tape drives again and replace the failed FC HBA by following the “Replacing an FC Target card in an existing VTC Server FC setup” instructions in the BackPak FC Connection Installation manual.
• Select the Add link from the VLE-CLIM Client Information section and:
    o Select a CLIM ID proposed in the drop-down box
    o Click on the ADD VLE-CLIM Client button. The selected entry will appear in a CLIM ID table below the button
    o Repeat for each wanted entry
• Click on the Save link

The CLIM ID entries proposed in the drop-down box are all the CLIMs connected to a virtual LTO 4 tape device with a VLE key generation policy activated.
• Select the Configuration menu and select the Switch to Edit mode (if not already in it)
• Select the VT Controller tab
• Select a VT Controller ID
• Click on the Update devices based on the probe result from VTC and all host link (the operation can take time to execute)
• Validate that the appropriate virtual tape drives are used by VLE
• Repeat for the other VT Controller IDs
• Click on the Save link

Configuring for Non-VLE

In this setup, the VTC is a client to the Key Manager.
    o Be able to access keys owned by VTC group members
    o Be able to delete keys owned by VTC group members (if key deletion automation will be enabled for SCRATCH media)

ESKM Note: If the Key Manager server type is ESKM and the VTC Clients are not intended to be used in collaboration with VLE, a local group named BackPak should be created and the VTC’s username added to it.
    c:\OpenSSL-Win64\bin>openssl req -newkey rsa:1024 -keyout ClientKey.pem -out REQ-ClientCert.pem
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .......................................++++++
    ..........................++++++
    writing new private key to 'ClientKey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    ----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
command window, you display the file content of the certificate request as follows.

    c:\OpenSSL-Win64\bin>type REQ-ClientCert.
d. Click Sign Request. The Key Manager signs the client certificate request with the Local CA and displays the signed client certificate:
6. Select and copy the signed client certificate text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----. (Or use the download.)
7. Create a file named ClientCert.pem and paste the signed certificate content. (Or rename the file you downloaded.)
8. Download the CA certificate and name the file CACert.pem.
9. Move the 3 files ClientKey.pem, ClientCert.pem and CACert.pem to the designated TLS configuration files location.
C) You can delete the file REQ-ClientCert.pem.
Adding the Key Manager in BackBox configuration

This activity should be accomplished by the Security Authority user. The Security Authority user should have a NonStop user account with enough privilege to modify the BackPak Domain configuration.

Log on to the BackPak UI. See Key Manager under User interface details.
• Select the Configuration menu and select the Switch to Edit mode
• Select the Key Manager tab
• Select the targeted Key Manager ID.
[Figure: ESKM Key Manager information]

[Figure: KMIP Key Manager information]

• Select the Add link from the VTC Client Information section and:
    o Select a VT Controller ID in the drop-down list. ATTENTION: Check the displayed number of Encryption Devices: a VTC must be licensed for at least one encryption device to be functional.
    o Enter the User ID to be used by the VTC to log in to the Key Manager.
    o Enter the Password to be used by the VTC to log in to the Key Manager.
    o Enter the Key Pass-phrase needed by the VTC to access the private key for the TLS/SSL communication channel with the Key Manager.
• Select the Volume Group tab
• Select or create a Volume Group ID
• In the Class Information:
    o Select AES-GCM-256 in the Encryption Algorithm drop-down list box
    o Select the target Key Manager ID from its drop-down list box
• If the setup is for VLE, the Volume Group Media Type must be LTO 4

IMPORTANT: If you already have a Volume Group that you have been using and want to encrypt content on its media from now on using VLE-CLIM Client, you can simply modify its Media Type to LTO
The test results will be reported in a dialog box. The report will help troubleshoot connectivity problems that could prevent encryption from working correctly. Tests can be performed at any time or after an encryption configuration change.
User interface details

Configuration

VT Controller

The VTC configuration matters only in a setup for VLE. It is used to verify:
- The Device type in the internal configuration of the VTC (FCConfig.txt) is set for LTO4
- NonStop SCF configured the drive for VLE (ALTER TAPE $... , KEYGENPOLICY KEYPERTAPE)

Key Manager

The Key Manager is an external server generating and storing encryption keys, the encryption itself being processed in the BackBox VTC for all configuration types.
In the domain configuration:

The encryption is enabled in the Volume Group configuration, by the attributes ‘Encryption algorithm’ and ‘Key manager ID’.

Each Key manager is configured by:
- A general common set of attributes, such as the Key manager ID, the Key manager server type, and its TCP/IP address for the VTC clients.
- A VTC client to the Key manager for each VTC that will have to connect directly to the Key manager for encrypting/decrypting during tape drive emulation.
Key Manager – General definition

Key Manager Information

Key Manager ID: BackPak internal ID for the Key manager. This ID will be referred to by the Volume Group and each encrypted volume. This ID must be unique from an enterprise point of view.

Server Type: Two possibilities:
    ESKM: HP Enterprise Security Key Manager
    KMIP: Key Management Interoperability Protocol
    Server Type cannot be modified once the Key Manager is created.
IP Address: List of addresses that will be tried by the VTC Clients to reach the Key Manager.

Key Manager – VTC Clients

When the encryption keys are managed by the VTC tape emulator directly connected to the Key manager, each VTC that will encrypt/decrypt during emulation needs to be configured as a client to the Key Manager. Precisely, each route to the Data Stores that have a Volume Group referring to this Key manager must be configured as a VTC client to the Key Manager.
Key Manager in order to identify which Key Manager holds the encryption key of each volume. The current list of VLE CLIM Clients is presented in the Key Manager page. New CLIMs can be added by the

VLE CLIM Client Information

CLIM ID: Select a CLIM in the selection list. The selection list is based on information queried from the host during the VTC configuration of tape drives in the BackPak Domain.
- Detect the Volume Groups using the Key manager ID.
- Verify the VTCs that are routes to the corresponding Data Stores have connectivity to the Key manager.
- Verify the VTCs have the encryption license option for at least one drive.

Key Manager – Test report

The report shows all VTCs that were involved in the verifications, possibly followed by general messages. For each VTC, there can be three sections:
• A section “VTC Client” showing the report generated by the VTC.
[Figure: Mixed configuration test report]

[Figure: VTC only test report]
[Figure: VTC only test report with errors]
Volume Group

Enabling encryption

For all setups, the encryption must be enabled in the Class Information:
    o Select AES-GCM-256 in the Encryption Algorithm drop-down list box
    o Select the target Key Manager ID from its drop-down list box

A change in this setup will affect the next backups, not the restore of backups already written. If the catalogues (BackPak, DSM/TC and TMF) are replicated to a DR site, note that the Key Manager ID registered for each volume will be replicated.
If you already have a Volume Group that you have been using and want to encrypt content on its media from now on using VLE-CLIM Client, you can simply modify its Media Type to LTO 4. From that point forward, all new uses of SCRATCH volumes in the Volume Group (such as for new backups) will mount as LTO 4 media to be encrypted. Existing ASSIGNED media will also be mounted as LTO 4 and be read by NonStop applications, such as RESTORE, even if not encrypted.
    BB038 Encrypted volumes with label matching *           2011-10-24 11:24

            Last       DSMTC
    Volume  write      or TMF
    label   date       status   Encryption key ID
    ------  ---------- -------- --------------------------------------------------
    Key manager id : KM-ESKM
    Client type    : 1-VTC ONLY
    VE1001  2011/10/27 ASSIGNED BBOX_21F5BD27VE1001D68095D44B400008_111027202410
    VE1015  2011/10/27 ASSIGNED BBOX_767FE574VE1015D5C6642F4B230008_111024144520
    2 printed volumes for Key manager KM-ESKM
    End of report BB038

Report elements:
Volume label    Label o
Volume

Volume Details

The encryption state of each volume is registered. The ID of the volume-specific key in the Key manager is included for support, to access this key through the Key Manager user interface.

Volume Edition

The encryption attributes of a volume can be updated. Example of use case:
• Volumes manually registered in a Restricted Data store accessing the images of volumes written encrypted in a different environment, not linked by the BackPak catalog replication.