Friday, August 31, 2012

LTO4 With Encryption on iSeries

The announcement from IBM that they would market embedded encryption in their new LTO4 tape drive appeared to offer the way forward in dealing with this continued loss of private and confidential data. This article looks at the possible issues of using this approach and offers some alternative options. When looking at this IBM offering in detail, several issues become clear.

Interface

The LTO4 with encryption is not available with the SCSI interface for the iSeries. This forces users to add a dedicated fibre channel IOP. This means the system must be brought down in order to install and configure the new hardware, which will likely require an IBM SE. In addition, if there is no room to add the fibre card and IOP, an expensive expansion tower/drawer will have to be purchased.

Library

LTO4 encryption for iSeries is only supported with library-based units; stand-alone drives are not supported. It may require more physical space.

Media

The encryption will only work when using LTO4 media. This brings two issues: first, the extra cost associated with buying a complete new set of media, and second, what happens to the existing media pool.

Configuration & Control

Using encryption with the LTO4 on the iSeries also requires the use of Backup Recovery Media Services (BRMS). Not all iSeries customers are using this package as part of their backup procedures today. This means replacing the package currently in use, purchasing BRMS (5722-BR1) and learning how to work with it.

Archive

The question will be just what to do with existing media. The data on these tapes may need to be retained for a given period, but it is essential to ensure the data on them is secured. Copying all these tapes onto new LTO4 media using a duplication method such as DUPTAP will be time consuming and will affect system resources.

Key Management

The Java-based Encryption Key Management (EKM) package for the LTO4 encryption requires a separate server or partition (LPAR) to run.
This software may itself introduce potential security flaws, depending on how it is implemented, because anywhere the security keys can be accessed outside of the server is a possible weakness. IBM recommends that two EKMs be used for fault tolerance. Without the EKM, tapes cannot be read. Of course, these server(s) need to be backed up.

Restore considerations

With the IBM solution, the iSeries needs to be operational with the OS loaded, and the key management server needs to be up and running, before restoring any encrypted data. This leads to a complex restore procedure. Because this is a fiber channel interfaced unit, the system cannot IPL from this LTO4 drive, unlike a SCSI drive that is used as an alternate IPL device.

Interoperability

The LTO4 can only write to LTO3 or LTO4; therefore, for the supplier / customer to be able to read these tapes they will need at least an LTO3 drive.

Speed

Retrieving data from a large capacity tape like the LTO4 may be slow, as the data needed may be near the end of the tape.

Hardware

The following gives a list of the hardware needed for a simple system.

Item                                        Cost
3573-L2U TS3100 Tape Library Express        $4,000.00
5900 Transparent LTO encryption             $2,500.00
8144 Ultrium 4 Fiber Channel Drive          $10,770.00
6013 13m LC/LC Fiber Channel Cable          $184.00
5761 Fiber adapter for i5 HW                $5,495.00
2844 IOP for 5761                           $2,100.00
25 x LTO4 tapes (estimate)                  $4,000.00
Installation                                ?
Hardware Investment                         $29,049.00

We assumed 25 pieces of media at $160 each, which equals $4,000.00; 25 pieces is a conservative estimate. You also need to add any installation costs to this. If you do not already own BRMS, this is another cost to be considered, both in the basic acquisition and in the training costs and time. BRMS runs from $700 to $24,000 depending on the processor Group class, and $995 for Media and Storage Extensions (feature 0664) for the library.
Should you be running an older version of the OS, you will need to upgrade to V5R2 or later.

Please contact us at info@theq3.com with any questions about IBM's LTO4 on the iSeries or to discuss our Q3i tape drive with built-in encryption.

For a full version of this article go to: http://www.theq3.com/lto4.php