Data encryption's impact on network backup can be high

Data encryption can impact your backups, whether with a host-, appliance- or tape-based encryption scheme. Here's a look at the pros and cons of different encryption methods.

Data encryption can impact the backup process in any number of ways, depending on how the encryption is done, whether with a host-, appliance- or tape-based encryption scheme.

There are three ways to encrypt tape-based backup data:

  • Host-based encryption through integration with backup software
  • Appliance-based encryption with the addition of an inline appliance that encrypts data as it flows to the tape drive or library
  • Tape drive or endpoint encryption, in which data is encrypted as it is written to the tape media

There are advantages and disadvantages to each encryption method, experts say, starting with a significant impact on the performance of the backup process itself.

Host-based or software-based encryption exacts perhaps the harshest performance penalty on the backup process. It is processor-intensive because the encryption is a task of the host computer and consumes its CPU cycles. Software-based encryption is incorporated into backup software such as EMC Corp.'s NetWorker or Symantec Corp.'s Veritas NetBackup, either as a standard or optional feature. It has the benefit of being less expensive than appliance- or tape drive-based encryption and of being integrated into existing backup packages. Software-based encryption often doesn't include data compression, a process that needs to take place before encryption; without it, the backup requires additional media.

Appliance-based encryption has the advantage of being able to encrypt data to both legacy (pre-LTO-4) products and heterogeneous tape libraries and drives. While appliances encrypt data at nearly wire speed, they mean an extra device in the network to manage. Most appliance-based encryption devices also have their own key management systems rather than requiring users to obtain their own. An appliance also has the advantage that it can be inserted into the existing data path without changing the backup application or its integration with the tape library or tape drives. Examples of encryption appliances are Crossroads Systems Inc.'s StrongBox TapeSentry, nCipher Corp.'s NeoScale CryptoStor and NetApp's DataFort.

Tape drive-based or library-based encryption has the advantage of little performance degradation as well as the ability to encrypt data after it is compressed, as it is written to tape, thus minimizing the number of cartridges required to complete the backup process. But it has a disadvantage that came with the advent of the LTO-4 tape specification: it is homogeneous, often encrypting only the contents of one brand of tape library.

John Ruffing, assistant director for advanced technology integration services at Weill Medical College of Cornell University in New York City, uses tape-based encryption from Spectra Logic Corp.

"Weill Cornell is using tape encryption to enhance HIPAA and other regulatory compliance and, in particular, to allow safer offsite tape transport," says Ruffing, who has two Spectra Logic T950 tape libraries installed. "We are doing compression via the Spectra T950 Library with G5 QIPS [Quad Interface Processors] simultaneous to encryption."

When Ruffing initially installed the Spectra T950, he was using LTO-3 drives. "Performance via the G5 QIPS was indeed significantly affected by encryption," says Ruffing. "LTO-3 was the only option when we purchased the Spectra T950 and it required the QIPS."

Not long after, in 2007, "LTO-4 drives with built-in encryption became available," says Ruffing. "I suspect the impact has been reduced or eliminated."

Another advantage of encrypting at the tape drive or library level is that it enables compression before encryption, resulting in a reduction of the number of tape cartridges required for backup. Other examples of encrypting drives include IBM Corp. System Storage TS1120 and Sun Microsystems Inc. StorageTek T10000.
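Why compression has to come before encryption, both here and in the software-based case above, shown as an added example that is not from the article or any vendor: ciphertext looks random, so a compressor run after encryption recovers nothing. The toy SHA-256 keystream cipher, the sample data and the 10 TB backup set are constructed assumptions; a real product would use a vetted cipher such as AES.

```python
import hashlib
import zlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for a backup
    product's real cipher. Demonstration only; XOR makes it its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def sample_backup_stream() -> bytes:
    """Constructed sample data: repetitive, log-like records."""
    lines = [f"2008-01-{d % 28 + 1:02d} host{d % 40:03d} backup job {d} completed OK\n"
             for d in range(5000)]
    return "".join(lines).encode()

def bytes_to_tape(data: bytes, key: bytes) -> dict:
    """Bytes written to media for each ordering of the two steps."""
    compress_first = keystream_xor(key, zlib.compress(data))
    encrypt_first = zlib.compress(keystream_xor(key, data))
    return {"raw": len(data),
            "compress_then_encrypt": len(compress_first),
            "encrypt_then_compress": len(encrypt_first)}

def cartridges(dataset_bytes: int, written_per_raw: float, capacity: int) -> int:
    """Cartridges needed when each raw byte becomes written_per_raw bytes on tape."""
    return max(1, -(-int(dataset_bytes * written_per_raw) // capacity))

if __name__ == "__main__":
    key = b"constructed-demo-key"
    sizes = bytes_to_tape(sample_backup_stream(), key)
    for name, size in sizes.items():
        print(f"{name:24s}{size:>10d} bytes")
    # Assumed 10 TB backup set on 800 GB cartridges (the LTO-4 size the article cites)
    for name in ("compress_then_encrypt", "encrypt_then_compress"):
        ratio = sizes[name] / sizes["raw"]
        print(name, cartridges(10 * 10**12, ratio, 800 * 10**9), "cartridges")
```

The ratio measured on the constructed sample is far better than a typical backup set would see; the point is the direction of the difference, not the exact figure.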

LTO-4 media is also more expensive than its LTO-3 predecessor -- for instance, an 800 GB LTO-4 tape may cost as much as $150, while a 400 GB LTO-3 cartridge is available for a little more than $50.

Whichever method of encryption you choose, remember that each comes with its own benefits and drawbacks.

About this author: Deni Connor is principal analyst with Storage Strategies NOW in Austin, TX.
