Using HW-based encryption on many customer systems - it's great. Adds
maybe 5 seconds to the start of each operation on individual volumes
as the library goes out and requests crypto information. Only
problems I've encountered have been firmware or network related.
Ensure you're at latest FW on the tape library and all tape drives
inside.

It's a bonus to have one of the key managers on a VM or a laptop so in
the event of a disaster, your keystore is mobile. Not required, but
can make things easier.

The encryption path verification tool on the web interface of the tape
library is very helpful.

-jch

On Tue, Sep 15, 2009 at 11:01 AM, Graap, Kenneth
<Kenneth.Graap@xxxxxxxxxxxxx> wrote:
I recently was doing some research on this topic and this is some
information I got from an IBM rep ....

Quote:

Our encryption solution is outstanding ... you need to pick a library vs
a standalone drive and you need to attach via fibre or SAS.  You then
load up at least 2 Windows boxes with the key manager, called TKLM, and
you're off to the races.  We can run an encrypted backup at the same
speed as a non-encrypted backup which sets us apart from all the
SW-based and appliance-based encryption solutions.  If you're going to
do encryption, we'd encourage you to get our Lab Services guy to come
onsite to help you set it up to make sure you have all the proper stuff
set up to protect your keys, since without them, you're toast.  For
example ... you need to make sure you have encryption capable gear and a
key manager at your DR site too, plus backup copies of your key manager
each time you change your keys.

Additional information ....

TS2900 - single half high (HH) LTO4 SAS drive with 9 library slots (1 of
them is a convenience io)
TS3100 - single full high (FH) LTO4 SAS or fibre drive, or dual HH LTO4
SAS drives with 24 library slots (1 of them is a convenience io)
TS3200 - dual full high (FH) LTO4 SAS or fibre drives, or up to 4 HH
LTO4 SAS drives with 24 library slots  (3 of them are a convenience io)
TS3310 - modular library running from 1 chassis with 1-2 FH LTO4 SAS or
fibre drives with up to 4 expansion chassis with up to 4 drives in each
for a total of 18 drives
TS3500 - our big enterprise library with up to 192 FH fibre LTO4 drives.
It can also hold TS1120/TS130 enterprise drives if you prefer.  The
first frame holds up to 12 drives

Fibre drives give you better sharing across LPARs via a switch, but SAS
drives and adapters are cheaper.  SAS needs V6R1 and POWER6.  If you go
with fibre, you can get the new IOPless fibre cards if you're on POWER6
and V6R1 (they take 1 slot vs 2,and have 2 ports with 64 addresses each,
compared with 1 port with 16 addresses on the IOP'd cards), otherwise
you can just use the older IOP'd cards.

Here are some #'s so you can see the dazzling performance of the LTO4
drives ..

                                       usermix                large
file
                                       ---------------
-------------------
       3590-E on fibre on 5xx CPU's        95 GB/hr        140 GB/hr
       HH LTO4 on fibre on 5xx CPU's        220 GB/hr        700 GB/hr
<<< see note
       FH LTO4 on fibre on 5xx CPU's        220 GB/hr        890 GB/hr

Note: HH LTO4 drives have the same burst rate as FH drives, but they
can't sustain it.  However, not many folks have big enough files to hit
those speeds anyway

End Quote:

I hope this information was useful ....


Kenneth
Kenneth E. Graap
http://www.linkedin.com/in/kennethgraap


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Ingvaldson, Scott
Sent: Tuesday, September 15, 2009 7:42 AM
To: midrange-l@xxxxxxxxxxxx
Subject: LTO4 Encryption

Is anyone doing LTO4 hardware encryption?  We will soon be upgrading to
LTO4 drives in our TS3100 libraries and would like to know what we need
to do to implement hardware encryption.  We're at V6R1 with BRMS.

Regards,

Scott Ingvaldson
Senior IBM Support Specialist
Midwest Region Data Center
Fiserv.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].