BackBox H4.00 Tape Encryption Option

Configuration
Introduction
This manual documents the tape encryption provided by the BackBox software
running in VTC servers.
The following manuals can help during the configuration and operation of tape encryption:
BackBox User Manual: general BackBox user manual.
BackPak Troubleshooting and Messages Manual: list of EMS error messages generated by the BackPak products.
Tape volumes can be encrypted by the BackBox VTC software or by the storage
subsystem where the media is written by BackBox. This manual considers only the
encryption provided by the BackBox VTC software.
Supported operational environments
BackBox encryption is available for Windows File System Data Stores and for all
NonStop systems supported by BackBox: G06.xx, H06.xx and J06.xx.
The data is encrypted using IEEE 1619.1 (tape) industry-standard algorithms before
it is sent to the Data Store. The encryption algorithm uses a 256-bit encryption key
stored in an external Key Management Server.
Encryption by BackBox software can be used with an HP Enterprise Security Key
Manager (ESKM) and can optionally be fully integrated with the NonStop Volume
Level Encryption (VLE) product. The backups created from Blade systems with
LTO4 and VLE can be restored by older systems with LTO3 or CART3480 emulations,
and vice versa. When emulating LTO3 or CART3480, the BackBox VTC creates and
retrieves in an ESKM the same encryption keys that a CLIM implementing VLE would.
Encryption by BackBox software can also be used with any Key Management server
compatible with the OASIS Key Management Interoperability Protocol (KMIP)
standard.
IMPORTANT: For storage subsystems that implement data deduplication, such as
StoreOnce, BackBox data encryption voids the deduplication.
Encryption or compression prevents deduplication algorithms from matching
reoccurring data “chunks”, making deduplication ineffective. For these subsystems,
BackBox encryption should be performed only for a subset of the most sensitive volumes,
placed in distinct Volume Groups, or all volumes should be encrypted by the storage
subsystems themselves.
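
The effect described above can be reproduced with a small model, added here as an illustration and not taken from the BackBox product: three constructed backup volumes are deduplicated by chunk hash, before and after encryption. The fixed chunk size, the sample data, and the SHA-256 counter-mode stand-in cipher are assumptions; BackBox itself uses IEEE 1619.1 algorithms.

```python
import hashlib

CHUNK = 4096  # assumed fixed chunk size; real dedup stores often use variable-size chunks

def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), for illustration only.
    Not IEEE 1619.1; any sound cipher has the same effect on deduplication."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def dedup_ratio(volumes: list[bytes]) -> float:
    """Logical chunks written divided by unique chunks the store must keep."""
    total, unique = 0, set()
    for vol in volumes:
        for off in range(0, len(vol), CHUNK):
            unique.add(hashlib.sha256(vol[off:off + CHUNK]).digest())
            total += 1
    return total / len(unique)

def make_backups() -> list[bytes]:
    """Constructed sample: three nightly backups of 64 chunks each,
    with a single chunk changed per night."""
    base = [hashlib.sha256(b"record-%d" % i).digest() * (CHUNK // 32) for i in range(64)]
    backups = []
    for night in range(3):
        chunks = list(base)
        chunks[night] = hashlib.sha256(b"changed-%d" % night).digest() * (CHUNK // 32)
        backups.append(b"".join(chunks))
    return backups

def compare() -> tuple[float, float]:
    """Return (dedup ratio on plaintext volumes, dedup ratio on encrypted volumes)."""
    plain = make_backups()
    key = hashlib.sha256(b"constructed demo key").digest()  # 256-bit key, constructed
    # Each volume is encrypted under its own nonce, so identical plaintext
    # chunks in different volumes yield different ciphertext chunks.
    enc = [keystream_encrypt(key, b"vol%d" % n, v) for n, v in enumerate(plain)]
    return dedup_ratio(plain), dedup_ratio(enc)

if __name__ == "__main__":
    before, after = compare()
    print(f"dedup ratio, plaintext: {before:.2f}  encrypted: {after:.2f}")
```

A ratio of 1.0 means every chunk written had to be stored, which is the reason to limit software encryption to the volumes that need it or to encrypt in the storage subsystem after deduplication.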