There are three ways to encrypt tape-based backup data:
- Host-based encryption through integration with backup software
- Appliance-based encryption with the addition of an inline appliance that encrypts data as it flows to the tape drive or library
- Tape drive or endpoint encryption, in which data is encrypted as it is written to the tape media
Appliance-based encryption has the advantage of being able to encrypt data to both legacy (pre-LTO-4) products and heterogeneous tape libraries and drives. Although they encrypt data at nearly wire speed, appliances mean an extra device in the network to manage. Most appliance-based encryption devices also have their own key management systems rather than requiring users to obtain their own. An appliance also has the advantage that it can be inserted into the existing data path without changing the backup application or the integration with the tape library or tape drives. Examples of encryption appliances would be Crossroads Systems Inc.'s StrongBox TapeSentry, nCipher Corp.'s NeoScale CryptoStor and NetApp's DataFort.
Tape drive-based or library-based encryption has the advantage of little performance degradation as well as the ability to encrypt data after it is compressed, as it is written to tape, thus minimizing the number of cartridges required to complete the backup process. But it has a disadvantage that came with the advent of the LTO-4 tape specification: it is homogeneous, often encrypting only the contents of one brand of tape library.
John Ruffing, assistant director for advanced technology integration services at Weill Medical College of Cornell University in New York City, uses tape-based encryption from Spectra Logic Corp.
"Weill Cornell is using tape encryption to enhance HIPAA and other regulatory compliance and, in particular, to allow safer offsite tape transport," says Ruffing, who has two Spectra Logic T950 tape libraries installed. "We are doing compression via the Spectra T950 Library with G5 QIPS [Quad Interface Processors] simultaneous to encryption."
When Ruffing initially installed the Spectra T950, he was using LTO-3 drives. "Performance via the G5 QIPS was indeed significantly affected by encryption," says Ruffing. "LTO-3 was the only option when we purchased the Spectra T950 and it required the QIPS."
Not long after, in 2007, "LTO-4 drives with built-in encryption became available," says Ruffing. "I suspect the impact has been reduced or eliminated."
Another advantage of encrypting at the tape drive or library level is that it enables compression before encryption, resulting in a reduction of the number of tape cartridges required for backup. Other examples of encrypting drives include IBM Corp.'s System Storage TS1120 and Sun Microsystems Inc.'s StorageTek T10000.
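Why the order matters, as an added example that is not part of the original article: encrypted data looks random and no longer compresses, so only the compress-then-encrypt order saves cartridges. The cipher is a stand-in keystream built from SHA-256 (not the cipher a drive or appliance uses), and the sample data, the key, the 10 TB backup size and the assumption that the sample's ratio holds for the whole set are all constructed for illustration.

```python
import hashlib
import math
import zlib

LTO4_NATIVE_GB = 800  # native LTO-4 cartridge capacity quoted in the article

def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), not a drive's real cipher.
    It is here only because its output looks random, as any sound cipher's does."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def stored_ratio(data: bytes, key: bytes, compress_first: bool) -> float:
    """Bytes that reach the media per byte of backup data, for either ordering."""
    if compress_first:   # drive/library order: compress, then encrypt
        stored = keystream_encrypt(key, zlib.compress(data))
    else:                # data encrypted upstream, then offered to the compressor
        stored = zlib.compress(keystream_encrypt(key, data))
    return len(stored) / len(data)

def cartridges_needed(backup_gb: float, ratio: float) -> int:
    return math.ceil(backup_gb * ratio / LTO4_NATIVE_GB)

def compare(data: bytes, key: bytes, backup_gb: float) -> dict:
    orders = {"compress_then_encrypt": True, "encrypt_then_compress": False}
    result = {}
    for name, compress_first in orders.items():
        ratio = stored_ratio(data, key, compress_first)
        result[name] = (ratio, cartridges_needed(backup_gb, ratio))
    return result

# Constructed sample: repetitive log-style records standing in for backup data.
SAMPLE = b"".join(
    b"2008-09-%02d host=db%02d status=OK bytes=4096\n" % (n % 28 + 1, n % 8)
    for n in range(20000)
)
KEY = b"constructed-demo-key"  # assumption: demo key, not a key-management scheme
BACKUP_GB = 10_000             # assumption: a 10 TB backup set

if __name__ == "__main__":
    for name, (ratio, tapes) in compare(SAMPLE, KEY, BACKUP_GB).items():
        print(f"{name}: stored/original = {ratio:.3f}, LTO-4 cartridges = {tapes}")
```

Real backup data compresses far less than this repetitive sample, so the gap between the two orderings will be smaller in practice, but the encrypt-first ratio stays at or slightly above 1.0 regardless.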
Media for LTO-4 is also more expensive than its LTO-3 predecessor -- for instance, an 800 GB LTO-4 tape may cost as much as $150, while a 400 GB LTO-3 cartridge is available for a little more than $50.
Whichever method of encryption you choose, remember that each comes with its own benefits and drawbacks.
About this author: Deni Connor is principal analyst with Storage Strategies NOW in Austin, TX.
This was first published in September 2008