RE: Securing Backups via Encryption
From: Ken Buchanan (ken.buchanan_at_gmail.com)
Date: Thu, 16 Jun 2005 11:09:25 -0400 To: jbeauford@EightInOnePet.com, firstname.lastname@example.org, email@example.com
This discussion was had last week on the Cryptography mailing list.
(the discussion is scattered across a couple of threads due to thread branching)
Perry Metzger suggested he had helped customers encrypt tapes using
naive solutions that avoid the key management problem (eg. use one key
for all your tapes for six months). This doesn't scale, but is a
probably a perfectly good solution if you have limited encryption
requirements -- say, you just don't want the information exposed in
plaintext when the tapes are out of your hands.
Another problem with simple solutions is that if you encrypt before
writing data to tape in a storage infrastructure then you lose all the
benefits of compression.
There is not really anything from the tape vendors -- *yet* -- but
there are small vendors that offer storage encryption products. One
of them, Decru, has just been bought by Network Appliance (announced
A network computing article on the current state of storage security:
From: Beauford, Jason [mailto:jbeauford@EightInOnePet.com]
Sent: Wednesday, June 15, 2005 6:12 PM
Subject: RE: Securing Backups via Encryption
Good question. Here I am not encrypting the data as it is archived to
the tape. I am using Veritas BackupExec with LTO-2 as my archive
solution. With the recent rash of data theft and lost backups (Citibank
and Motorola), I too have become very interested in this topic. As of
now I have an open case with Veritas (waiting for a call back) and I am
hoping they can steer me in the right direction. Although I doubt it is
an integrated feature.
From: Dave Nardoni [mailto:firstname.lastname@example.org]
Sent: Wednesday, June 15, 2005 11:50 AM
Subject: Securing Backups via Encryption
I am interested in how many of you are securing your backups via
If you would not mind sharing some of your solutions.
What are you using to encrypt data that goes to tape?
What are you using to encrypt data that goes to disk?
What are you using to encrypt data that goes to an offsite storage
facility via web (ie. Xdrive or similar service offsite service)? What
services do you employ to handle secure backups offsite?
Any other ideas around this would be helpful.
Thank you in advance for sharing your comments,
David Nardoni CISSP, EnCE
PGP Signature: 9CE4 C240 BBC7 2945 BDD6 C97A 0E3D 2547 DB0A 104C