Encryption
Veritas Media Server Encryption Option…
by Jesse on Apr.12, 2007, under Backup, Encryption, Veritas NetBackup
So the biggest problem with Veritas is that their client-side encryption option, which is the standard deployment, negates the use of Veritas Bare-Metal-Restore (BMR).
For those who aren’t Veritas geeks like me, BMR is the handy-dandy application that allows you to rebuild a server from scratch using only a floppy (or bootable CD) with little or no input. All of the particulars of a server are captured when it is backed up. Drivers, hardware, IP settings, hostname, etc. You then build a BMR boot disk for that server. When it crashes and you have to replace it, you boot from the boot disk and it takes all the settings and builds a new server from the last backup from absolute scratch.
I’ve seen it work, it’s a miracle in the making.
However, if you’re using the Veritas client-side encryption, the key is managed by the client server. And for some reason, this key is not included in the BMR boot disk that is generated by the BMR boot server. This means that while it can start to rebuild the environment, it can’t restore the last backup because it can’t unencrypt it.
I’ve been looking at options, such as Decru’s Data-Fort inline FC encryption engine, as well as some of the options from Neoscale.
Both would have done the job nicely; however, the prices quoted made selling these options up the river to those with the three-letter-initials painful.
Now I find that Veritas has a recently released MSOE, or Media-Server-Encryption-Option. Since the encryption is done at the media server, the BMR incompatibility is done away with, and lo and behold, everything works as advertised. The only real down-side I think I can come up with is the increase in host-overhead on the media server, which means I may have to increase the number of media servers in the environment, which of course makes Veritas more expensive.
I’ve not gotten the quote on this, but I’m assuming it’s going to be less than the almost $50K some of the other options have come to. I’ll let you know.
Encryption? Hardware or Software?
by Jesse on Sep.12, 2006, under Encryption
I’m investigating Encryption options and have come to the conclusion that there are simply too many options to be had and that I should just go to sleep and try and pick it up tomorrow.
Seriously.
Right now we’re using the Veritas Encryption licence, which of course runs as a part of the NetBackup client and encrypts data before it’s sent out over the network. The server then takes the encrypted data and writes it directly to the backup image. (In our case, disk)
I’m looking at the type of in-line encryption engines to go between the media server and the tape libraries, since the primary purpose of encrypting the data is to protect the off-site tapes.
Decru (www.decru.com) is a Network Appliance company. They make one that is highly regarded, that is supposed to work at near line-speed.
I’m looking for a little dialog on pluses and minuses of both.
I’ve always been so focused on the SAN, that I don’t get to play with the network end of things.
I’ve used/implemented the Cisco encryption engines for RDF/Ethernet with moderate success replicating from New Orleans to Philadelphia. (A DR implementation that was put to a highly successful test three short months later) But the issue is that I’ve always been the one who has had to deal with what someone else bought, and have never been involved in the purchase decision.