Media encryption technology (including tape drive encryption)
Host-based encryption technology is the most effective, but it requires a separate system, or a group of separate systems, to do the encrypting. A host-based method cannot encrypt all of the data a host outputs. There are many host-based encryption methods on the market: encryption can be done through application-level technology (such as database column encryption software), a host agent, dedicated storage, or a network adapter with encryption functions. Each vendor's product relies on its own adapter: some storage vendors provide multi-channel adapters, other agents work in-band, and some storage vendors provide virtualization.
In-band device encryption takes a very similar approach: data is encrypted on the wire on its way to the storage connection, so one device can be shared by many different applications and hosts. Data travelling between the host and the device is usually not encrypted. A single device can encrypt for multiple hosts and multiple types of storage, including primary storage, the archive tier, and even tape.
These devices are typically suited only to some encrypted storage tiers. Vendors offering in-band encryption devices include Brocade (switches), Cisco Systems (MDS storage media encryption) and NetApp (DataFort).
Media encryption technology uses several techniques to encrypt data in a specific media format. These may be integrated into a storage array so that each drive in the array is encrypted. More typical is tape encryption, where a media backup server, tape library, virtual tape library (VTL), or a standalone tape drive (an LTO-4 or LTO-5 drive) encrypts the data as it is written to disk or tape. For example, the IBM DS8000 series arrays make full use of encrypting drives to provide drive-level encryption. Quantum's Scalar series of ATL libraries also have LTO-5 drives built in, which can encrypt just as libraries from other vendors can.
Best practices for tape backup encryption technology
Every tape backup method, however complex, comes with many corresponding instructions. Best practices for tape backup encryption are as follows:
1. Ensure that all tapes are encrypted. Companies should choose a solution that guarantees every tape is encrypted, rather than one that leaves tapes reachable through several other paths (such as multiple archiving and backup systems) or adds unnecessary management complexity.
2. Encrypt close to the destination. An ideal product encrypts data at the infrastructure layer, so that the data optimization and management features above it can still do their job. As a rule all tapes should be encrypted, but if encryption starts at the data source, data flexibility and efficiency drop sharply: for example, deduplicating or compressing data on disk, sending data over WAN links, and scanning content such as backup files all become very difficult. Besides full-disk encryption, encryption solutions close to the host are also worth considering.
3. Media-based encryption. Tape media encryption aims to reduce risk and to minimize the likelihood of an emergency response. Expired or damaged media must be processed promptly and correctly. This means one key per tape, or in the worst case one key per set of backup tapes or per dataset. That way both the key and the media are best protected: losing a key costs at most one tape. The best way to reduce the management burden is to stick to regular disposal of expired keys, so that expired tapes cannot remain valid.
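The two points above (encrypting before the optimization layer defeats deduplication and compression, and one key per tape limits the blast radius of a lost or retired key) can be shown in a few lines. The following is an added example, not code from the article or from any vendor named in it. It assumes a hypothetical TapeKeyVault that holds one random key per tape, and it uses a SHA-256 counter-mode keystream as a stand-in for AES so that it runs with the Python standard library only; a real system would use AES-GCM or the drive's built-in encryption.

```python
"""Added illustration: per-tape keys, crypto-shredding of expired keys, and why
encrypting ahead of the backup layer defeats dedup and compression (stdlib only)."""
import hashlib
import os
import zlib

BLOCK = 32  # SHA-256 digest size, used as the keystream block size


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream.

    Illustrative stand-in for a real cipher such as AES; the same call both
    encrypts and decrypts because XOR is its own inverse.
    """
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (i // BLOCK).to_bytes(8, "big")
        ks = hashlib.sha256(key + nonce + counter).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


class TapeKeyVault:
    """Hypothetical vault: one random key per tape (assumption, not a real product)."""

    def __init__(self) -> None:
        self._keys = {}  # tape_id -> 256-bit key

    def write_tape(self, tape_id: str, image: bytes) -> bytes:
        """Encrypt a backup image under the tape's own key; nonce is prefixed."""
        key = self._keys.setdefault(tape_id, os.urandom(32))
        nonce = os.urandom(16)
        return nonce + keystream_xor(key, nonce, image)

    def read_tape(self, tape_id: str, blob: bytes) -> bytes:
        """Decrypt a tape; fails closed if the key has already been disposed of."""
        if tape_id not in self._keys:
            raise KeyError(f"no key for tape {tape_id}: media is unreadable")
        nonce, body = blob[:16], blob[16:]
        return keystream_xor(self._keys[tape_id], nonce, body)

    def retire_tape(self, tape_id: str) -> None:
        """Crypto-shred: disposing of the key makes only this tape unreadable."""
        self._keys.pop(tape_id, None)

    def has_key(self, tape_id: str) -> bool:
        return tape_id in self._keys


def compress_ratio(data: bytes) -> float:
    """Compressed size divided by original size (lower means more compressible)."""
    return len(zlib.compress(data)) / len(data)


def demo() -> dict:
    """Write the same image to two tapes, measure optimization, retire one tape."""
    vault = TapeKeyVault()
    # Constructed backup image: highly repetitive, as real backup data often is.
    image = (b"2024-01-01 host=db01 table=orders row=" + b"x" * 40 + b"\n") * 500
    tape1 = vault.write_tape("TAPE-0001", image)
    tape2 = vault.write_tape("TAPE-0002", image)
    result = {
        "plain_ratio": compress_ratio(image),    # small: plaintext compresses well
        "cipher_ratio": compress_ratio(tape1),   # ~1.0: ciphertext does not
        "dedup_possible": tape1[16:] == tape2[16:],  # False: identical data, different keys
    }
    vault.retire_tape("TAPE-0001")  # expired tape: dispose of its key only
    result["tape1_readable"] = vault.has_key("TAPE-0001")
    result["tape2_recovered"] = vault.read_tape("TAPE-0002", tape2) == image
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the plaintext image compressing to a few percent of its size while the encrypted copy barely shrinks, two tapes holding the same data that a dedup engine can no longer match, and, after TAPE-0001's key is disposed of, that tape unreadable while TAPE-0002 still decrypts. Both effects follow directly from where encryption sits and how keys are scoped, which is the argument the two practices make.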